On May 29, 2018, Colorado Governor John Hickenlooper signed House Bill 18-1128 (the “Consumer Privacy Law”) which expanded protections of consumer data and placed additional requirements on covered and governmental entities that maintain, own, or license personal identifiable information. The Consumer Privacy Law’s new requirements will take effect on September 1, 2018.

The Consumer Privacy Law has unique requirements for covered entities and governmental entities. A general discussion of how the law impacts governmental entities follows.

Data Disposal and Security Policies for Governmental Entities

The Consumer Privacy Law creates investigation and notification requirements for all “governmental entities,” defined as the state and any state agency or institution, including the judicial department, county, city and county, incorporated city or town, school district, special improvement district, authority, and every other kind of district, instrumentality, or political subdivision of the state, including entities covered by home rule charters. Political subdivisions include metropolitan districts, water and sanitation district, business improvement districts, general improvement districts, among others.

Governmental entities that maintain paper or electronic documents containing personal identifiable information (“PII”, as defined below) are now required to develop a written policy for the destruction or proper disposal of those papers and electronic documents.

The Consumer Privacy Law defines PII as:

  • social security number (SSN);
  • personal identification number;
  • password or passcode;
  • driver’s license number or ID card number;
  • passport number;
  • biometric data;
  • employer, student, or military ID number; or
  • financial transaction devices.

In order to protect PII from unauthorized access, use, modification, disclosure, or destruction, a governmental entity that maintains, owns, or licenses PII is required to implement and maintain reasonable security procedures and practices that are appropriate to the nature of the PII and the nature and size of the governmental entity.

If a governmental entity engages a third-party service provider to provide security protection of PII, and does not provide its own security protection of such PII, the governmental entity shall require that the third-party service provider implement and maintain reasonable security procedures and practices to safeguard the PII.

Notification of Security Breach for Governmental Entities

If a governmental entity becomes aware that a security breach of PII may have occurred after a good-faith and prompt investigation, it must notify the affected Colorado residents no later than thirty (30) days after determination that a breach occurred. However, no notification is required if the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur.

The Consumer Privacy Law requires specific information in the notice:

  • the date, estimated date, or estimated date range of the breach;
  • a description of PII acquired or reasonably believed to have been acquired;
  • contact information of the governmental entity;
  • contact information of consumer reporting agencies and the FTC; and
  • a statement that residents may obtain information from credit reporting agencies and the FTC about fraud alerts and security freezes.

Additional notice requirements may be required to assist Colorado residents in protecting the integrity of their accounts and log-in credentials. If the data breach affected more than one thousand (1,000) Colorado residents, then consumer reporting agencies must be notified. The governmental entity must also notify the Attorney General’s office within thirty (30) days if the breach affected more than five hundred (500) Colorado residents. Violations of the Consumer Privacy Law may result in the Attorney General’s office bringing an action for injunctive relief.

Prior to September 1, 2018, in order to ensure compliance, government entities must:

  • Determine if they maintain, own, or license any PII as defined by the Consumer Privacy Law;
  • Review and update their security breach procedures and policies, along with those of any third-party service providers;
  • Review and update their data destruction policies concerning PII; and
  • Prepare for providing proper notice to Colorado residents in the event of a security breach.