Consumer Data Privacy - Amendment to Colorado's Law, Effective September 1, 2018

  • Posted by: Karen Booher |
  • 9/19/18 |
  • 8:00 AM
  • 361 Views
Consumer Data Privacy - Amendment to Colorado's Law, Effective September 1, 2018

J. Kent Staffing is pleased to share this white paper authored by LaRona Mondt, Esq., corporate attorney with Messner Reeves LLP.  Messner Reeves is a Denver-based full service business law firm.

Colorado recently amended its consumer data privacy law. Effective September 1, 2018, all businesses that collect personal identifying information of consumers in Colorado must implement security procedures for the protection of consumers’ data, dispose of unneeded data, and provide notice of data breaches to consumers.

Data Security Procedures

Employers must implement and maintain reasonable security procedures and practices to protect personal identifying information of Colorado residents from unauthorized access or disclosure and must require their third-party service providers to do the same.

  • “Personal identifying information” means a Social Security number; a personal identification number; a password; a pass code; an official state or government-issued driver's license or identification card number; a government passport number; biometric data; an employer, student, or military identification number; or a financial transaction device.

Destruction of Unneeded Data: Employers must develop a written policy for the destruction of paper and electronic documents containing personal identifying information when such documents are no longer needed.

Data Breach

When an employer becomes aware that a security breach of personal information may have occurred, the employer must: (i) conduct a good faith, prompt investigation to determine whether the personal information will be misused and (ii) provide notice to the affected Colorado residents within 30 days unless the investigation determines that a misuse of information has not occurred and is not reasonably likely to occur.

“Personal information” means a Colorado resident’s:

  • First and last name in combination with any other identifying data, such as a social security number, a student ID number, a passport ID number, a driver’s license number, medical information, or biometric data;
  • Username and password or security question combination that would permit access to the account; and
  • Account or credit card number and security code or password combination that would permit access to the account.

The notice must contain specific information required by the statute, including the date of breach, description of personal information acquired, and contact information for consumer reporting agencies and the FTC. Employees’ right to receive notice cannot be waived.

If the breach affects 500 Colorado residents or more, employers must notify the Colorado attorney general within 30 days of determining that the breach occurred. If the breach affects 1,000 Colorado residents or more, employers must notify all consumer reporting agencies as defined in the Fair Credit Reporting Act.

  • Share/Bookmark
0 Responses to "Consumer Data Privacy - Amendment to Colorado's Law, Effective September 1, 2018"

Share Your Thoughts

* Required