Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Limited methods of notification delivery
  • Data owners are responsible for breach reporting and notifications
  • Notification required to the consumer reporting agencies
  • Attorney general can bring action for violations and recover damages
  • Laws also cover data protection, data disposal, and record retention
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply

Who Me?


Colorado breach and notification laws may apply if you are an individual or commercial entity that:

  • Conducts business in Colorado and owns or licenses data that includes computerized PII of a CO resident
  • Maintains computerized data that contains PII that you do not own or license 

 There are exemptions.

What is PII?


PII in Colorado include a person's name plus one or more of the following:

  • Social Security Number
  • Driver license or identification number
  • Account number or credit  or debit card number in combination any security code, access code or password, etc. permitting access to the person's account
  • Additional PII: passport number; biometric data; employer, student, or military ID; or a financial transaction device



Title 6. Consumer And Commercial Affairs / Fair Trade And Restraint Of Trade / Article 1. Colorado Consumer Protection Act / Part 7. Specific Provisions / C.R.S. 6-1-716. Notification of security breach


  • Title 6. Consumer And Commercial Affairs / Fair Trade And Restraint Of Trade / Article 1 / Part 7 / 6-1-711, 6-1-713, 6-1-715
  • Title 6. Consumer And Commercial Affairs / Records Retention / Article 17 / 6-17-101 through 6-17-106



The attorney general may bring an action in law to address violations to ensure compliance and/or recover direct economic damages.



When considering reporting requirements, it would include, but not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted or redacted
  • If it was acquired by an unauthorized person
  • The likelihood that the personal information will be misused
  • If there is a material risk of identity theft or other fraud


Depending on impact and type of breach there may be specific entities to report to and specific time limits to report a breach. All notifications must be made in the most expedient manner possible and without unreasonable delay, unless law enforcement advises the person it will interfere with an investigation.


Requires detailed information and potential provision of services

Notification may be required to the consumer reporting agencies.

Disclosure may only be made by written notice or electronically, with stipulations. A substitute notice, with specific requirements, may be sent if the cost of providing the notice exceeds $250,000 or the persons notified exceeds 250,000 or they do not have sufficient contact information.

Contact the Privacy Experts at CSR