Exterro's Legal GRC Breakdown



Colorado Data Privacy Law

Created on August 19, 2020

Demand Generation Manager, Exterro

Why This Privacy Law is Important: On September 1, 2018, the Colorado Protections for Consumer Data Privacy law went into effect. The new Privacy Law provisions are part of the Colorado Consumer Protection Act (“CCPA”), in a continued effort to protect personal data.

Overview/Status of Bill: This bill went into effect on September 1, 2018.

Need to Know Information:

  1. Who it Applies To: Any person, commercial entity, or governmental entity that maintains, owns, or licenses personal identifying information (“PII”) of Colorado residents in the course of its business, vocation, or occupation.
  2. What is Covered: The law's requirement to dispose of PII now also requires written policies governing the disposal of both paper and electronic records containing PII. Notification of data security breaches now requires detailed notice to consumers and, in certain circumstances, notice to the Attorney General. The law defines Personal Identifiable Information (PII) for Colorado residents as a first and last name combined with any one or more of the following:
  • Social Security Number
  • Student, Military, or Passport ID number
  • Driver’s License Number
  • Medical Information
  • Health Insurance ID number
  • Biometric data
  • Username or email address with password and/or security questions and answers
  • Credit Card number with PIN, access code, and password

How to Comply:

  • Develop reasonable data security procedures and practices
  • Develop written destruction policies for materials (paper as well as electronic) that contain personal identifying information (PII)
  • Investigate suspected data breaches promptly
  • Provide notice of data breaches to affected Colorado residents as well as to the state attorney general and consumer reporting agencies in certain circumstances