Client Alert:  Colorado’s New Data Protection Bill Goes Into Effect September 1

Client Alert: Colorado’s New Data Protection Bill Goes Into Effect September 1

By Rudy E. Verner and Jacob Scarr 


Colorado is one of the latest states to pass updates strengthening its consumer privacy regulations. Colorado’s new data protection law, C.R.S. § 6-1-713, includes changes to the state’s breach notification requirements, data protection standards, and data disposal standards.  The regulations, which go into effect September 1, 2018, require companies doing business in Colorado to comply with:

Breach Notification. Colorado’s new data breach notification standards impose more stringent requirements on companies following a breach. First, companies must now begin conducting an investigation as soon as they become aware that a breach may have occurred, rather than when the existence of a breach is actually confirmed. Companies must notify impacted Colorado residents without unreasonable delay, and no later than thirty days after determining that the breach occurred.  The law requires such notices to include specific information to assist consumers in protecting their sensitive data and mitigating any potential losses. Generally, companies will also be required to notify the Colorado Attorney General when state residents are implicated in a data breach.

Data Protection Standards. The new law requires that companies implement reasonable security procedures “appropriate to the nature of the personal identifying information and the nature and size of the business and its operation.” Notably, Colorado’s new bill also mandates that businesses processing personal information require that their third-party service providers implement and maintain security practices appropriate to the nature of the personal information disclosed.

Data Disposal Standards. Companies will now need to have written policies detailing their data destruction procedures. Those polices will need to require that the company dispose of or arrange for the destruction of paper and electronic documents when they are no longer needed. The new law requires that destruction occur through shredding, erasing, or otherwise modifying the information to make the personal information unreadable or indecipherable.

Criminal Penalties. Finally, the new regulation expands the sanctions available for violations.   In addition to civil penalties, the law gives the Attorney General the authority to prosecute criminal violations of the section upon either a request from the governor or the approval of the district attorney in the appropriate judicial district.

If you have any questions regarding Colorado’s new law, please contact Rudy E. Verner at BHGR Law at 303-402-1600.  You can find the text of HB 1128 at

This article is intended to provide general information and, therefore, should not be treated as legal advice. If you have questions about a specific legal issue, you should seek the advice of a qualified attorney.