Highlights

Covered Entities: A person that maintains, owns, or licenses personal information in the course of the person’s business, vocation, or occupation. “Covered entity” does not include a person acting as a third-party service provider.

Consumer Notification: A covered entity that maintains, owns, or licenses computerized data that includes personal information about a resident of Colorado shall, when it becomes aware that a security breach may have occurred, conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused. The covered entity shall give notice to the affected Colorado residents.

Regulatory Notification: Notification must be provided to the Colorado Attorney General where the breach is reasonably believed to have affected “500 Colorado residents or more.” Notice must be made in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that a security breach occurred.

Notification Timeline: Notification must be provided in the “most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that a security breach occurred . . .”

Data Format: Computerized.

Citations: Colo. Rev. Stat. § 6-1-716.

More Details

Definitions:

• Breach: Unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information.
• Personal Information (PI):
  • A Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable:
    • Social security number;
    • student, military, or passport identification number;
    • driver’s license number or identification card number;
    • medical information;
    • health insurance identification number; or
    • biometric data;
  • A Colorado resident’s username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; or
  • A Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
• Medical Information: Medical information or biometric data
• Health Insurance Information: Health insurance identification number 

Safe Harbors:

• Encryption: Notification is not required where the potentially impacted PI was encrypted, so long as the confidential process, encryption key, or other means to decipher the information not also acquired or was reasonably believed to have been acquired.
• Good Faith: Good faith acquisition of personal information by an employee or agent of a covered entity for the covered entity’s business purposes is not a security breach if the personal information is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure.
• Risk of Harm: The covered entity is not required to give notice if the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur.
• Law Enforcement Delay: Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation and the law enforcement agency has notified the covered entity not to send notice required by this section. Notice must be made in good faith, in the most expedient time possible and without unreasonable delay, but not later than thirty days after the law enforcement agency determines that notification will no longer impede the investigation and has notified the covered entity that conducts business in Colorado that it is appropriate to send the notice required by this section.

Direct Notice:

• Timing: In the most expedient time possible and without unreasonable delay, but not later than 30 after the date of determination that a security breach occurred, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system
• Format: N/A
• Content: Notice should include:
  • The date, estimated date, or estimated date range of the security breach;
  • A description of the personal information that was acquired or reasonably believed to have been acquired as part of the security breach;
  • Information that the resident can use to contact the covered entity to inquire about the security breach;
  • The toll-free numbers, addresses, and websites for consumer reporting agencies;
  • The toll-free number, address, and website for the federal trade commission; and

A statement that the resident can obtain information from the federal trade commission and the credit reporting agencies about fraud alerts and security freezes.

If credentials were impacted, the notice should:

• Direct the person whose personal information has been breached to promptly change his or her password and security question or answer, as applicable, or to take other steps appropriate to protect the online account with the covered entity and all other online accounts for which the person whose personal information has been breached uses the same username or e-mail address and password or security question or answer.
• For log-in credentials of an e-mail account furnished by the covered entity, the covered entity shall not comply with this section by providing the security breach notification to that e-mail address, but may instead comply with this section by providing notice through other methods, as defined in subsection (1)(f) of this section, or by clear and conspicuous notice delivered to the resident online when the resident is connected to the online account from an internet protocol address or online location from which the covered entity knows the resident customarily accesses the account.
• Method: Written notice; telephonic notice; or electronic notice, if a primary means of communication by the covered entity with a Colorado resident is by electronic means or the notice provided is consistent with ESIGN.

Substitute Notice:

If the covered entity required to provide notice demonstrates that the cost of providing notice will exceed two hundred fifty thousand dollars, the affected class of persons to be notified exceeds two hundred fifty thousand Colorado residents, or the covered entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:

• E-mail notice if the covered entity has e-mail addresses for the members of the affected class of Colorado residents;
• Conspicuous posting of the notice on the website page of the covered entity if the covered entity maintains one; and
• Notification to major statewide media.

Remediation Services:

N/A 

Regulatory Notice:

Notification must be provided to the Colorado Attorney General where “500 or more Colorado residents” are affected. 

Credit Reporting Agencies Notice:

If a covered entity is required to notify more than 1,000 Colorado residents of a security breach, the covered entity shall also notify, in the most expedient time possible and without unreasonable delay, all consumer reporting agencies.

Third-Party Notice:

If a covered entity uses a third-party service provider to maintain computerized data that includes personal information, then the third-party service provider shall give notice to and cooperate with the covered entity in the event of a security breach that compromises such computerized data, including notifying the covered entity of any security breach in the most expedient time possible, and without unreasonable delay following discovery of a security breach, if misuse of personal information about a Colorado resident occurred or is likely to occur.

HIPAA:

A covered entity that is regulated by state or federal law and that maintains procedures for a security breach pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section; except that notice to the attorney general is still required.

Private Action:

N/A

Associated Regulations:

N/A

Colorado Privacy Act

COLO. REV. STAT. ANN. §§ 6-1-1301 to 6-1-1313

Highlights

Applicability:

Controllers that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado residents and that control or process Personal Data of:

• 100,000 Consumers or more during a calendar year; or
• 25,000 or more Consumers and derive revenue or receive a discount on the price of goods or services from Personal Data sales.

The CPA does not apply to employment-related data; data maintained for noncommercial purposes by state and local government and judicial entities; data maintained by state institutions of higher learning; data regulated by or created pursuant to compliance with the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the Children’s Online Privacy Protection Act of 1998 (COPPA), and/or the Family Educational Rights and Privacy Act of 1974 (FERPA). The CPA also excludes personal data collected and used in a commercial (business-to-business) or employment context. However, the CPA does not exclude from applicability non-profit or other similar entities.

Controller and Processor Obligations:

• Make transparent and comprehensive disclosures to Consumers through privacy notices about the collection, use, and sharing of Personal Data (including categories of Personal Data collected and the purpose for which categories of Personal Data are processed). Additionally, privacy notices must disclose Consumer data rights (including how Consumers may exercise data rights, the right to appeal a Controller’s action regarding a request, and the right to opt out of the sale of Personal Data or targeted advertising). Privacy notices must be easily accessible, written clearly, and with sufficient detail to provide Consumers with a meaningful understanding of the entity’s data practices. In addition to privacy notices, a Controller that processes Personal Data for purposes of targeted advertising or the sale of Personal Data must also disclose this information to Consumers in a clear, conspicuous, and readily accessible location outside the privacy notice.
• Notify Consumers of material changes to a privacy notice.
• If applicable, provide disclosures regarding Bona Fide Loyalty Programs.
• If applicable, provide disclosures regarding uses of Personal Data for Profiling.
• Specify the exact purpose for which Personal Data is collected.
• Avoid processing Personal Data for purposes that are not reasonably necessary to or compatible with the specified purposes for which Personal Data are processed.
• Limit data collection and retention of data that is adequate, relevant, and reasonably necessary in relation to the purposes for which Personal Data is processed.
• Obtain Consumers’ prior consent to process Sensitive Personal Data, including Sensitive Data Inferences.
• Obtain prior consent from parent or lawful guardian to process Personal Data concerning a known child.
• Respond in a timely manner to verified Consumer requests regarding the processing of Personal Data and Sensitive Data, including requests related to: access, correction, deletion, data portability, and/or to opt out of Personal Data sales, targeted advertising, and Profiling for decisions producing legal or other significant effects.
• Controllers that process Personal Data for purposes of Targeted Advertising or the Sale of Personal Data must allow consumers to exercise the right to opt-out of one or both such processing activities via an approved Universal Opt-Out Mechanism. The Colorado Department of Law will publish and thereafter maintain an approved list of Universal Opt-Out Mechanisms no later than January 1, 2024.
• Implement reasonable measures, appropriate to volume, scope, and nature of processing, to secure Personal Data during storage and use from unauthorized acquisition.
• Do not process Personal Data in violation of state and federal laws that prohibit unlawful discrimination against Consumers.
• Draft Data Protection Assessments for data processing activities that present heightened risk of Consumer harm, including: (i) targeted advertising; (ii) selling Personal Data; (iii) processing Sensitive Data; and (iv) Profiling that presents a foreseeable risk of:
  
  • unfair or deceptive treatment or disparate impact on Consumers;
  • financial or physical injury;
  • privacy concerns; or
  • other substantial Consumer injury.
• Do not process Personal Data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the Personal Data was initially processed without first obtaining the Consumer’s consent.
• Execute agreements with Processors that include required provisions, including processing instructions, duration of processing and requirement to return/destroy Personal Data, the right of the Controller to request documentation of compliance and to audit the Processor.
• Obtain Consumer’s prior consent to sell Personal Data, process Personal Data for targeted advertising, or to process Personal Data for Profiling in furtherance of decisions that produce legal or similarly significant effects, after the Consumer has opted out either via a Universal Opt-Out Mechanism or other method.
• Maintain records of all Consumer data rights requests for at least 24 months.

Consumer Rights:

Businesses must respond without undue delay and within 45 days to verified Consumer requests regarding the processing of Personal Data and Sensitive Data, including Consumers’:

• Right to confirm whether a Controller is processing Personal Data concerning the Consumer and to access that Personal Data;
• Right to request deletion of Personal Data;
• Right to correct inaccurate Personal Data;
• Right to obtain Personal Data in a format that is generally portable, readily usable, and transmittable; and
• Right to opt out of Personal Data sales, targeting advertising, and profiling for decisions producing legal or other significant effects.

More Details

Definitions:

• Consumer: An individual who is a Colorado resident acting only in an individual or household context; this definition does not include individuals acting as a job applicant or beneficiary of someone in an employment context.
• Controller: A person that, alone or jointly with others, determines the purposes and means for processing Personal Data.
• Personal Data: Information linked to or reasonably linkable to an identified or identifiable individual. Personal Data excludes: de-identified data and publicly available data (defined as information lawfully made available from federal, state, or local government records, and information that a Controller has a reasonable basis to believe the consumer has lawfully made available to the general public).
• Profiling: Any form of automated processing of Personal Data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
• Sale of Personal Data: The exchange of Personal Data for monetary or other valuable consideration by the Controller to a third party. The CPA excludes the following disclosures from this definition: (i) disclosure of Personal Data to a Processor that processes the Personal Data on behalf of a Controller; (ii) disclosures to a third party to fulfil a request made by a Consumer; (iii) disclosures to an affiliate of the Controller; (iv) a disclosure or transfer as an asset in a merger or other transaction in which the third party assumes control of all or part of the Controller’s assets; (v) disclosure as directed by a Consumer to a third party; and (vi) disclosures made by a Consumer to the general public via mass media.
• Sensitive Data: Personal Data revealing: racial or ethnic origin, religious beliefs, mental/physical health condition or diagnosis, sex life/sexual orientation, or citizenship/citizenship status, as well as genetic and biometric data and Personal Data from a known child.
• Sensitive Data Inferences: Inferences made by a Controller based on Personal Data, alone or in combination with other data, which are used to indicate an individual’s racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.
• Universal Opt-Out Mechanism: A mechanism that can be utilized by a Consumer to clearly communicate the Consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of Personal Data for purposes of targeted advertising or the Sale of Personal Data to multiple websites and/or digital applications.

Penalties:

Violations of the CPA constitute an unfair trade practice and may be enforced by the Colorado Attorney General or District Attorney. The maximum civil penalty for violations is $20,000 per violation or $50,000 for violations committed against an elderly person.

Private Action:

No

Associated Regulations:

• Colorado Privacy Act Rules, 4 CCR 904-3

Effective Date:

July 1, 2023. Universal opt-out mechanism requirement effective on July 1, 2024.

Enforcement:

60-Day Cure Period by Attorney General. Cure period only provided until January 1, 2025.

Highlights

Covered Entities: Any individual or commercial entity (“Entity”) that conducts business in Colorado and that owns, licenses, or maintains computerized data that includes PI.

First Party Security Standard: A covered entity that maintains, owns, or licenses personal identifying information of an individual residing in the state shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.

Third Party Security Standard: A business that discloses personal information about a Colorado resident pursuant to a contract with a non-affiliated third party that is not subject to the requirements above shall require by contract that the third party implement and maintain reasonable security procedures and practices to protect the personal information (1) that are appropriate to the nature of the personal identifying information disclosed to the third-party service provider and (2) reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.

Disposal/Destruction Standard: Each public and private entity in the state that uses documents during the course of business that contain personal identifying information shall develop a policy for the destruction or proper disposal of paper documents containing personal identifying information.

Unless an entity specifically contracts with a recycler or disposal firm for destruction of documents that contain personal identifying information, nothing herein shall require a recycler or disposal firm to verify that the documents contained in the products it receives for disposal or recycling have been properly destroyed or disposed of.

Data Format: Electronic and physical.

Citations: Colo. Rev. Stat. § 6-1-713 & 6-1-713.5

More Details

Definitions:

• Personal Information (PI): An individual’s first name / first initial and last name in combination with one (1) or more of the following data elements:
  
  • Social Security number;
  • Driver’s license number or identification card number;
  • Tax identification number, passport number, military identification number, or other unique government-issued identification number used to verify identity;
  • Student identification number;
  • Military identification number;
  • Passport number;
  • Medical information;
  • Health insurance identification number; or
  • Biometric data.

A username or email address in combination with a password or security question and answer that would permit access to an online account.

A financial account or payment card number plus any required security code, access code, or password that would permit access to an individual’s financial account.

PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Methods of Compliance:

The statute does not define methods of compliance.

Exclusions:

• Health Care: N/A
• Financial: N/A
• Other: N/A

Enforcement/Penalties:

A Colorado resident may not bring a civil action for a violation of these requirements.

Associated Regulations:

N/A