top of page
  • Ball Barry

Colorado Enacts New Data Privacy and Data Breach Laws

Colorado has enacted stronger data privacy protections for customers and clients, putting new requirements on how businesses safeguard the personal information they collect from people.

It seems that every time we turn on the news, there is another report about data privacy and a major company having its customers’ personal data hacked. The notices and subsequent apologies come fast and furious, but because only the large data breaches get news coverage, you may be left wondering what your business has to do to protect your customers’ personal and private information.

New Colorado Data Protection Laws

Recently, Colorado enacted stronger data privacy protections for customers and clients, putting new requirements on how businesses safeguard the personal information they collect from their customers and clients.

The new law requires that every company that collects such information (called personally identifiable information, or PII), have a written policy about how the company will dispose of the information when it is no longer needed.

PII includes, but is not limited to, social security numbers, driver’s license information, passwords and pin numbers, health insurance information, student or military ID numbers, biometric data, and account numbers of financial institutions.

Companies subject to this new legislation must take steps to protect PII, and they must report any suspected data breach to consumers who could have been affected within 30 days.

The law does say that the nature of protection of PII (what is “reasonable”) will depend on the information collected. So, for example, a business that collects social security numbers may have a larger duty to protect and safeguard information than a company that just collects passwords.

Reporting of Breaches

When a company does provide a report to their customers that their PII may have been compromised, the report must contain information on how those customers can reach the credit reporting agencies. The report must describe the personal information that may have been compromised, and it must provide contact information for the customers to reach the breaching company with questions about the data breach.

If the breach affects more than 500 customers, then the company must also notify the Colorado Attorney General.

The law even applies to non-Colorado businesses that do business in Colorado. Previously, the law only applied to Colorado businesses.

HIPAA Regulated Entities

Companies that are regulated under HIPAA (generally medical offices or companies that handle medical records) will not have to comply with the new law, because HIPAA standards are generally more stringent. However, HIPAA allows for 60 days for notice to potentially affected customers, and Colorado’s new law only allows for 30 days. This means that HIPAA covered entities will have a shorter period to provide these notifications. HIPAA covered businesses also still must report breaches over 500 customers to the Attorney General.

Small companies are subject to this new compliance law, and they often overlook this area of compliance. Larger companies with preexisting written policies, should examine those policies under the new law for necessary change to remain complaint.

If you own a Colorado business or an out of state company that conducts business in Colorado, make sure your business’ policies and procedures are up to date and compliant with this new law. The Colorado employment and business law attorneys at Ball & Barry law are here to answer any questions you may have.


bottom of page