Three major changes to Colorado data privacy laws became effective September 1, 2018. These affect virtually all businesses collecting personally identifying information (PII)[1] from Colorado residents:

1. First, the law governing the disposal of PII now requires businesses to adopt a written policy for the disposal of both paper and electronic records containing PII of Colorado residents.[2]

Action Required: Businesses holding Colorado resident PII should revisit or adopt document retention policies to ensure that they address the destruction of both paper and electronic documents containing PII. Management should provide oversight and governance for implementation of the document retention and destruction policies. Larger and more complex organizations may want to conduct internal audits to verify compliance with those policies.

2. Second, a new law requires covered persons and entities to take reasonable steps to protect PII.

Action Required: Implement reasonable measures to protect PII from data breaches. Review agreements with third-party service providers to ensure that service providers have reasonable procedures to protect the security of PII provided to them.

Recommended Action: Adopt a written policy regarding protection of PII, implement practices that comply with it, and verify that the policy is actually followed.

3. Third, the law that requires notification of data security breaches[3] now requires detailed notice to consumers and, in certain circumstances, notice to the Colorado Attorney General. A much broader definition of “personal information” applies to security breaches.[4]

Action Required: If a business becomes aware that a security breach may have occurred, it must conduct a prompt, good faith investigation to determine the likelihood that personal information of Colorado residents has been or will be misused. Unless the investigation determines that the information has not been misused and is not reasonably likely to be misused, notice must be provided to the affected Colorado residents within 30 days of discovery.[5] Businesses should also update incident response and business continuity plans so that they reflect these investigation and notification requirements.