Global Data Privacy Guide

USA, Colorado (United States)

Firm: Davis Graham
Contributors: Trent Martinet
| Question | Answer |
|---|---|
| What is the key legislation? | Colorado’s key legislation includes its data security law (CRS 6-1-713.5), data disposal law (CRS 6-1-713), and data breach notification law (CRS 6-1-716). |
| What data is protected? | Colorado’s data security law (CRS 6-1-713.5) and data disposal law (CRS 6-1-713) protect “personal identifying information,” which includes social security numbers, personal identification numbers, passwords, passcodes, official state or government-issued driver's license or identification card numbers, government passport numbers, biometric data, employer, student, or military identification numbers, and financial transaction devices, including financial account numbers. Colorado’s data breach notification law (CRS 6-1-716) applies to “personal information,” which includes: (i) a Colorado resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable: (a) social security number; (b) student, military, or passport identification number; (c) driver's license number or identification card number; (d) medical information; (e) health insurance identification number; or (f) biometric data; (ii) a Colorado resident's username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account; or (iii) a Colorado resident's account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account. |
| Who is subject to privacy obligations? | Colorado’s data security law (CRS 6-1-713.5), data disposal law (CRS 6-1-713), and data breach notification law (CRS 6-1-716) apply to “covered entities,” defined as any individual or legal or commercial entity that maintains, owns, or licenses personal identifying information in the course of the person's or entity’s business, vocation, or occupation. “Covered entity” does not include a person or entity acting as a third-party service provider (i.e. an entity contracted to maintain, store, or process personal information for a covered entity). Specifically, Colorado’s data security law (CRS 6-1-713.5) applies to covered entities that maintain, own, or license personal identifying information of a Colorado resident; Colorado’s data disposal law (CRS 6-1-713) applies to covered entities that maintain paper or electronic documents during the course of business that contain personal identifying information; and Colorado’s data breach notification law (CRS 6-1-716) applies to covered entities that maintain, own, or license computerized data that includes personal information about a Colorado resident. |
| What are the principles applicable to personal data processing? | There are no specific requirements with respect to the collection of personal data. |
| How is the processing of personal data regulated? | There are no specific requirements with respect to the collection of personal data. |
| How are storage, security and retention of personal data regulated? | Colorado’s data disposal law (CRS 6-1-713) requires covered entities to develop a written policy for the destruction or proper disposal of paper and electronic documents containing personal identifying information. Colorado’s data security law (CRS 6-1-713.5) requires covered entities to implement and maintain reasonable security procedures and practices to protect personal identifying information from unauthorized access, use, modification, disclosure, or destruction. Such procedures and practices should be appropriate to the nature of the personal identifying information and the nature and size of the business and its operations. Subject to certain exceptions, the covered entity must also require its third-party service providers to implement and maintain reasonable security procedures and practices with respect to any personal identifying information disclosed to them. |
| What are the data subjects' rights? | Colorado law does not specifically provide such rights. |
| Are there restrictions on cross-border data transfers? | N/A |
| Are there any notification requirements for data breaches? | Under Colorado’s data breach notification law (CRS 6-1-716), a covered entity must, when it becomes aware that a security breach may have occurred, conduct in good faith a prompt investigation to determine the likelihood that personal information has been or will be misused. The covered entity must give notice to affected Colorado residents unless the investigation determines that the misuse of information about a Colorado resident has not occurred and is not reasonably likely to occur. The notice must be made in the most expedient time possible and without unreasonable delay, but no later than 30 days after the date of determination that a security breach occurred. |
| Who is the privacy regulator? | The Colorado Attorney General. |
| What are the consequences of a privacy breach? | The Colorado Attorney General may bring actions to address violations. |
| How is electronic marketing regulated? | CRS 6-1-702.5 (the “Spam Reduction Act of 2008”) makes it a deceptive practice to send certain misleading or deceptive electronic messages. |
| Are there any recent developments or expected reforms? | There are no recent developments or expected reforms. |