The Colorado governor has recently signed into law bill HB-18-1128, “Protections for Consumer Data Privacy”, positioning the state to join the group of U.S. states moving towards more stringent data privacy protections. New regulations modeled after the EU’s General Data Protection Regulation (the “GDPR”) are likely to pop up throughout the U.S., as a new benchmark of data security has been set with the GDPR.
The new Colorado regulation, going into effect on September 1, 2018, greatly expands the definition of “personally identifying information” and implements a 30-day period to alert consumers of a data breach. Moreover, the law requires creation of a written policy outlining the procedure for destruction of documents holding personal information.
Breach notifications must include:
- The date of the breach
- A description of the type of personal information acquired in the breach
- Contact information for inquiries regarding the breach, consumer reporting agencies, and the Federal Trade Commission (the “FTC”)
Many states have implemented new data breach notification laws; only 2 U.S. states remain without data breach notification laws – Alabama and South Dakota. The Colorado law is more stringent than others, setting the 30-day period for notification, whereas other states have opted for longer periods or have not defined a time period at all. In the wake of major breaches (like the Equifax disaster last summer) and implementation of the GDPR, many states are eager to streamline their consumer data protection laws.
Although state-level initiative for stricter data protection laws is high, the process will likely be far less seamless than what occurred in the EU with the GDPR. State-level interests are highly differentiated, and it will likely be a long battle before uniform regulations are adopted.
Expanded data protection is likely to be an ongoing theme, and these newly passed laws underscore the importance of taking a proactive approach to complying with developments in data security laws.