J. Kent's Blog - Articles for Employers and Job Seekers

Consumer Data Privacy – Amendment to Colorado’s Law, Effective September 1, 2018

Posted by: Emma Berdanier on September 19th, 2018

J. Kent Staffing is pleased to share this white paper authored by LaRona Mondt, Esq., corporate attorney with Messner Reeves LLP.  Messner Reeves is a Denver-based full-service business law firm.


Colorado recently amended its consumer data privacy law. Effective September 1, 2018, all businesses that collect personal identifying information of consumers in Colorado must implement security procedures for the protection of consumers’ data, dispose of unneeded data, and provide notice of data breaches to consumers.

Data Security Procedures

Employers must implement and maintain reasonable security procedures and practices to protect personal identifying information of Colorado residents from unauthorized access or disclosure and must require their third-party service providers to do the same.

Destruction of Unneeded Data: Employers must develop a written policy for the destruction of paper and electronic documents containing personal identifying information when such documents are no longer needed.

Data Breach

When an employer becomes aware that a security breach of personal information may have occurred, the employer must: (i) conduct a good faith, prompt investigation to determine whether the personal information will be misused and (ii) provide notice to the affected Colorado residents within 30 days unless the investigation determines that a misuse of information has not occurred and is not reasonably likely to occur.

“Personal information” means Colorado residents:

The notice must contain specific information required by the statute, including the date of the breach, description of personal information acquired, and contact information for consumer reporting agencies and the FTC. Employees’ right to receive notice cannot be waived.

If the breach affects 500 Colorado residents or more, employers must notify the Colorado attorney general within 30 days of determining that the breach occurred. If the breach affects 1,000 Colorado residents or more, employers must notify all consumer reporting agencies as defined in the Fair Credit Reporting Act.