Colorado
Privacy Laws
Overview
BREACH NOTIFICATION – Mandated Timeframe
Within 30 days
FINES & PENALTIES – Violations
Action for compliance and/or economic damages
Regulation Levels
- Breach Reporting
- Consumer Notification
- Vendor Management
- Vendor Contract Required
PRIVACY AND SECURITY LAWS
Laws related to personal information and privacy and security.
Breach Reporting: Required
Vendor Obligations: Required
Consumer Notification: Required
Vendor Contracts: Required
Vendor Notification: Required
Privacy Program: Required
QUICK FACTS
Colorado Privacy Law Information
Organizations must contract with Vendors to whom the Organization discloses personal information. Colorado’s data disposal law covers paper and electronic documents. Colorado’s data disposal law requires entities to develop a written policy for the protection of and disposal of documents containing personal identifying information. If an organization contracts with a Vendor for the disposal of documents containing personal information, the Vendor will have the responsibility for proper disposal of the documents. If the Organization does not enter into a contract with the Vendor, the Organization will retain the responsibility for proper disposal of the documents.
Breach reporting to the Colorado Attorney General is required when a breach involves 500 or more Colorado residents. Breach reporting to all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis is required when a breach involves 1,000 or more Colorado residents.
There are specified requirements for consumer notification. If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
A vendor discovering a breach or suspected breach must notify the organization. The organization is responsible for reporting to the regulator and consumer notification. Vendors under contract with whom an organization shares personal information must implement and maintain appropriate security procedures and practices.
The Attorney General may bring an action in law or equity to address violations, and for other relief that is appropriate to ensure compliance or to recover direct economic damages, or both. Organizations may be fined or penalized for Vendor violations.
Colorado Statutes and Laws
Restrictions on Credit Card Receipts
Disposal of Personal Identifying Information
Protection of Personal Identifying Information
Confidentiality of Social Security Numbers
Notification of Security Breach
Uniform Records Retention Act
Student Data Transparency and Security Act
DISCLAIMER
The information provided is not legal guidance or a recommendation and is for informational purposes only.