Colorado Data Breach Notification Law

Notification deadline: 30 days from determination that breach occurred

Enforcement: Colorado Attorney General

Overview

Colorado requires notification within 30 days of determining a breach occurred. The Colorado Privacy Act (effective 2023) adds significant new privacy rights and security requirements for businesses handling Colorado residents' data.

Who Must Be Notified

• • Affected Colorado residents
• • Colorado Attorney General (if 500+ residents affected)

Covered Data Types

Social Security number, Driver's license or ID card number, Passport number, Military ID number, Financial account number with access code, Biometric data, Medical information, Health insurance ID number, Username with password

Notification Requirements

• • Written, telephonic, or electronic notice within 30 days
• • Include date/estimated date of breach
• • Description of personal information involved
• • Contact information for the business
• • Toll-free numbers for credit bureaus
• • Submit notice to AG if 500+ Colorado residents affected

Exemptions

• • Encrypted data (if key not compromised)
• • Truncated or redacted data
• • Entities in compliance with HIPAA, GLBA

Penalties

Civil penalties under Consumer Protection Act. AG can seek injunctions and penalties. Colorado Privacy Act violations can result in $20,000 per violation after cure period.