Hot on the heels of California passing their California Consumer Protection Act (CCPA) which is actually a consumer data protection law, and on the slightly more distant heels of the passage and enactment of the General Data Protection Regulation (GDPR), Colorado has both passed and enacted the Colorado Consumer Data Protection Act (CCDPA).
GDPR is by far the furthest reaching of these laws, giving anyone “in the EU” (they may not have to be be a resident of the EU, or even a citizen of the EU – GDPR just says “in the EU”) the most comprehensive set of rights with respect to how their personally identifying information (PII) is collected, used, stored, secured, and deleted. Rights that, says GDPR, may be enforced anywhere in the world.
GDPR also has strict (and many) requirements about what businesses must do in the event of a data breach, and how they must do it.
GDPR came into effect in May of 2018.
Then along came the California Consumer Privacy Act of 2018, which was passed in June of 2018, and goes into effect on January 1, 2020.
While many experts agree that U.S.-based businesses need to comply with GDPR, some U.S. businesses have been choosing to look the other way, their reasoning being basically “let the EU try to come after me here in the U.S.”, even though GDPR explicitly states that it will be enforced against anyone, anywhere, that violates the law with respect to an individual ‘in the EU’. However, there is no question that with the CCPA, all U.S. businesses need to comply, because CCPA covers any and all transactions involving the personal data of a California resident (although it is limited to companies of above a certain size or type). And, because California is the state with the highest population, at 39,144,818 people according to the 2015 census, the odds of a U.S. business collecting personal data from someone who turns out to be a California resident are extremely high.
Then, all of a sudden, and seemingly out of the blue, Colorado announced that they had amended the Colorado data breach law, and added data security requirements to Colorado law.
And while it wasn’t really out of the blue, the bill was introduced, passed, and became law in a remarkably short time. In fact it all occurred within 2018, with the bill’s introduction happening in January of 2018, it being signed into law by Colorado Governor Hickenlooper at the end of May, 2018, and it becoming effective on September 1, 2018. That is a remarkably short turnaround by any measure.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
The new law both amends existing Colorado law, and add new sections to Colorado law.
What Colorado’s New Consumer Data Protection Act Requires
Colorado’s new data protection law (link to the full law is at the end of this article) first defines exactly what constitutes the covered personal information (PI) of a Colorado resident.
The Following are Considered Personal Information (PI) for the Purpose of Being Covered Under the New Colorado Law
A Colorado resident’s first name coupled with their last name
A Colorado resident’s first initial coupled with their last name
IF stored – whether in written (i.e. paper) form or electronic form – along with any of the following additional pieces of data as relates to that Colorado resident and IF those pieces of data are not encrypted or otherwise somehow rendered unusable or even just unreadable: social security number; personal identification number; a password; pass code; driver’s license or identification card number; passport number; biometric data; an employer, student, or military identification number; a financial transaction device; medical information; or health insurance identification number.
It also includes a Colorado resident’s email address and/or username for an online account IF it is stored along with that person’s password or the answers to security questions.
And it includes a Colorado resident’s account number or card number if stored along with the password, access code, and/or security code which would allow someone to access the associated account.
Still with us? Ok, so now that you know what is considered personal information under the new law, what are the requirements for handling it?
What the New Colorado Law Requires for Handling, Storage, and Disposal of Personal Information
If a business experiences a data breach involving the personal information of a Colorado resident, they must a) inform any affected Colorado resident within 30 days, and b) if it involves the personal information of more than 500 Colorado residents, they must also inform the Colorado Attorney General (AG).
The notice to those Colorado residents who are affected by the breach must include:
1. The date of the breach, or a best estimate
2. Description of the data that was breached, or a best estimate
3. The contact information of the organization that experienced the breach
4. Information for contacting consumer credit reporting agencies and the Federal Trade Commission, along with
5. Instructions saying that the affected Colorado resident can sign up for security freezes and fraud alerts from those credit reporting agencies and the FTC.
The new law also requires that businesses must create a written statement of policy detailing their document destruction and/or disposal policy in a way that ensures that any personal data that is no longer needed is properly destroyed or disposed of.
[NOTE: Our parent company, the Institute for Social Internet Public Policy has long advocated for written document retention disposal policies, and can help you write one that passes legal muster. You can find them at http://www.isipp.com.
In terms of what entities are required to comply with the new Colorado law, the law says that it applies to any person “that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation.”
In other words, just about everyone.
This has of course been a very brief overview of the new Colorado data security law. You can read the new law [Page no longer available – we have linked to the archive.org version instead].