The first entry of this new year looks back at a significant legal development of the last. As a part of a larger trend in 2018, Colorado updated its Consumer Protection Act (C.R.S. § 6-1-713) in order to strengthen protections for consumer data privacy. The law imposes new and significant requirements on businesses, both large and small. The Denver Post called Colorado's data privacy law "among the most demanding in the country."FN1
Colorado's data privacy law applies to any person who "maintains, owns, or licenses personal identifying information in the course of the person's business, vocation, or occupation" on Colorado residents, whether the information is in paper or digital form.FN2 Under the Act, a 'person' is defined broadly to include not only natural persons, but also any "legal or commercial entity."FN3 It is not important whether you are an owner of a business entity or simply a sole proprietor; what matters is the collection and maintenance of personal identifying information (PII) on Colorado residents.
So what is PII? Under Colorado's law, PII includes four categories of information:
Government-Issued or other Official Identification Numbers - which includes social security numbers, driver's license or identification card numbers, government passport numbers, as well as "employer, student, or military identification number[s];"FN4
Credit Card or other Financial Account Information - this category can include pretty much any credit card or other financial information that can be used to obtain cash or make payments - but "checks" are specifically excepted;FN5
Passwords or Personal Identification Numbers (PINs); or
Biometric Data - meaning "unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when he or she accesses an online account."FN6
As a result, any business that collects any of the above on Colorado residents is required by law to have a written policy that governs the disposal or destruction of such information and to have reasonable security procedures and practices in place wherever the information is in any other way collected, accessed, used, stored, or discarded. But the law does recognize that the reasonableness of the procedures and practices will depend upon "the nature of the personal identifying information and the nature and size of the business and its operations."FN7 As a result, the law respects the fact that smaller businesses have more limited resources when it comes to developing and implementing security policies and procedures.
Fortunately, technological advances have made it possible to implement a variety of security measures that won't break the bank. These days, it's not too difficult or costly to encrypt information stored electronically, or to use virtual private networks (VPNs) or two factor authentication when accessing or transmitting information online.
Regardless of the size of the business, the law is clear that obligations related to the disposal and security of PII cannot be delegated or eliminated by simply hiring someone, like a shredding company, to perform a task related to the disposal, maintenance, or security of PII. As a result, business owners and operators should examine carefully those they consider hiring to make sure they are compliant with the Act's requirements.
The law also requires that PII maintained by a business be destroyed or otherwise disposed of once the information is no longer needed. Thus, policies and procedures should be updated to require the prompt disposal of PII, and employee training should reflect these updates.
Finally, the law also requires that businesses notify consumers - and sometimes the Colorado attorney general - when certain information has been improperly accessed or disclosed. (More on this in future articles.)
It is simply prudent to have disposal and security policies for information collected in the course of operating a business, even if the information is not clearly PII. Such policies will only help to protect the financial well-being of the business and its customers.
Additional information can be found on the Colorado attorney general's website - the FAQ is here.