What is the Colorado Privacy Law?

Michael Buckbee
2 min read
Last updated October 22, 2021

On September 1, 2018, the Colorado Protections for Consumer Data Privacy law, HB 18-1128, goes into effect. A bi-partisan group introduced HB 18-1128 in January, and after the usual negotiations, the Legislature passed it unanimously. The new Privacy Law provisions are part of the Colorado Consumer Protection Act (“CCPA”), in a continued effort to protect personal data.

Colorado is getting the message. Data privacy and security are important – and companies need to be held accountable.

What Data Does HB 18-1128 Protect?

The new Colorado legislation spells out exactly what personal data a company holding Colorado residents' information must protect. HB 18-1128 uses the term "personal information" (the statute's name for PII) and defines it as a Colorado resident's first name or first initial and last name in combination with one or more of the following data elements, when those elements are not encrypted, redacted or otherwise rendered unreadable (the exemption does not apply if the key or other means to read the data was taken as well):

  • Social Security Number
  • Student, Military, or Passport ID number
  • Driver's License or ID card number
  • Medical Information
  • Health Insurance ID number
  • Biometric data

Two further combinations count as personal information on their own, with or without a name attached:

  • Username or email address with the password or security questions and answers that would permit access to an online account
  • Account number or credit or debit card number with the security code, access code, or password needed to use that account

HB 18-1128 protects Colorado residents, so any company that owns, maintains, or licenses personal information about Colorado residents needs to be aware of this legislation, regardless of where the company itself is located.

How Long Do I Have to Report a Data Breach?

HB 18-1128 requires organizations to notify affected Colorado residents no later than 30 days after determining that a security breach involving their personal information occurred.

If the breach is reasonably believed to have affected 500 or more Colorado residents, the company must also notify the Colorado State Attorney General's office within the same 30-day window. The Attorney General can bring an action to enforce the law.
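The definition in the previous section and the deadlines above are the kind of rules an incident responder has to apply to a breached data set in a hurry. The following Python breach-triage helper is an added example, not code from the original post or from Varonis: it encodes the three branches of the statutory definition (name plus a listed element, online-account credentials, account or card number plus its code), honours the encrypted/redacted exemption, and computes the resident deadline and the Attorney General threshold. The column names, the `Record` class, the `secured` flag and the sample rows are assumptions constructed for illustration; map your own schema onto them.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Data elements that count only in combination with the resident's name
# (first name or first initial, plus last name).
NAME_LINKED = (
    "ssn", "student_id", "military_id", "passport_number",
    "drivers_license", "medical_info", "health_insurance_id", "biometric",
)


@dataclass
class Record:
    """One exposed row (hypothetical schema, not from the statute).

    `secured` lists columns that were encrypted or redacted in the breached
    copy. Leave a column out of `secured` if the key or other means to read
    it was taken too, because the exemption does not apply in that case.
    """
    fields: dict
    secured: set = field(default_factory=set)

    def usable(self, col: str) -> bool:
        """True when the column is present, non-empty and readable."""
        value = self.fields.get(col)
        return value not in (None, "") and col not in self.secured


def is_personal_information(rec: Record) -> bool:
    """Apply the three branches of the HB 18-1128 definition to one row."""
    has_name = (rec.usable("first_name") or rec.usable("first_initial")) \
        and rec.usable("last_name")
    if has_name and any(rec.usable(c) for c in NAME_LINKED):
        return True
    # Online-account credentials qualify without a name.
    if (rec.usable("username") or rec.usable("email")) and (
            rec.usable("password") or rec.usable("security_qa")):
        return True
    # Account or card number plus the code needed to use it, also without a name.
    if (rec.usable("account_number") or rec.usable("card_number")) and any(
            rec.usable(c) for c in ("security_code", "access_code", "account_password")):
        return True
    return False


def triage(records, determined_on: date) -> dict:
    """Count affected residents and derive the notification obligations.

    Deadlines run from the date the breach was determined, not discovered
    by a third party; the Attorney General threshold is 500 or more residents.
    """
    affected = sum(1 for r in records if is_personal_information(r))
    return {
        "affected_residents": affected,
        "notify_residents": affected > 0,
        "resident_deadline": determined_on + timedelta(days=30) if affected else None,
        "notify_attorney_general": affected >= 500,
    }


# Constructed sample rows (not real people or real data).
SAMPLE_RECORDS = [
    Record({"first_name": "Ada", "last_name": "Lovelace", "ssn": "000-00-0000"}),
    # SSN stored encrypted and the key was not taken: exempt.
    Record({"first_initial": "C", "last_name": "Babbage", "ssn": "ciphertext"},
           secured={"ssn"}),
    # Credentials count even though no name is present.
    Record({"email": "user@example.com", "password": "hunter2"}),
    # Name plus email alone is not personal information under the statute.
    Record({"first_name": "Grace", "last_name": "Hopper", "email": "g@example.com"}),
]
DETERMINED_ON = date(2018, 9, 1)  # assumed date of determination

if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, DETERMINED_ON))
```

Run on the sample rows, two of the four count as personal information, the resident deadline falls 30 days after the determination date, and the Attorney General notice is not triggered. The helper counts rows, so de-duplicate by resident before relying on the 500 threshold; one person appearing in several tables is one affected resident.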

What Else Does the Bill Say?

HB 18-1128 requires organizations to implement reasonable security procedures and practices, appropriate to the nature of the personal information they hold, to protect it from unauthorized access or use. If that sounds familiar, the EU GDPR and the California and Massachusetts laws use similar language to express the same idea: securing personal data is a legal obligation, not a nice-to-have.

What Can I Do To Comply With the New Colorado Privacy Law?

First, ask yourself about your company’s overall preparedness level to deal with a cyberattack.

Second, review best practices and recommended data security strategies outlined in resources like NIST and SANS – and determine how your company can apply these security principles.

Third, review your data breach procedures, and make sure you’ve got solutions in place to help identify PII, protect sensitive data, and detect potential security breaches.

The Varonis Data Security platform is the core of an effective data security strategy to protect your company from data breaches. Varonis discovers, identifies, and monitors PII on your core data stores, and detects (and alerts on) any abnormal or unlawful access to that data.

Get a 1:1 demo and learn how to discover where your Colorado-related PII lives and how to meet the new privacy laws – get a head start on compliance with HB 18-1128 and protect your data wherever it lives.
