
The Weekly Breach Breakdown: Rocky Mountain High – Attorney General Issues Proposed Colorado Privacy Law Rules

  • 10/07/2022
  • The Colorado privacy law will go into effect in 2023. The state Attorney General (AG) released the proposed rules, which fundamentally differ from other state privacy laws.
  • Colorado is proposing to structure required privacy notices around the reason or purpose of collecting and using information. Other states require notices to be built around the type of information collected and used.
  • The drafted regulations create a new category of sensitive personal information known as “Sensitive Data Inferences.” (Using data to infer the racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship status of a person.)
  • One section requires organizations to follow good data minimization practices. If approved, those subject to the law will be required to create data retention and deletion schedules to ensure they do not collect more information than is needed and that it is not kept longer than necessary.
  • To learn about data compromises, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) improved data breach tracking tool, notified.
  • If you believe you are the victim of an identity crime, contact the ITRC. Call toll-free at 888.400.5530 or live-chat on the company website idtheftcenter.org.

Rocky Mountain High

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for October 7, 2022. Each week, we look at the most recent events and trends related to data security and privacy. This week, we discuss the proposed regulations supporting a new state privacy law – in a state that isn’t named California. It is the Colorado privacy law.

The Golden State started the trend of adopting strict state privacy laws in the absence of a national law protecting consumer information. The California Consumer Privacy Act (CCPA) was passed in 2018 and later upgraded by voters in 2020 to the California Privacy Rights Act (CPRA). That law will go into effect in 2023.

New Colorado Privacy Law

However, California isn’t the only state that starts with C that has passed a state privacy law that gives consumers more say over how their personal information is collected and used. So has Colorado, whose law also goes into effect in the middle of the new year.

Proposed Rules to Comply with Colorado Privacy Law

As is typical when a legislature passes a law, that is not the end of the story. Regulations are needed to make the new law operable in many cases. That is the case in Colorado, where the Attorney General (AG) has released proposed rules that businesses must follow to comply with the Colorado privacy law. Three key areas stand out as being fundamentally different from the approaches taken in other states:

  1. Colorado is proposing to structure required privacy notices around the reason or purpose of collecting and using information. Other states – California, for example – require notices to be built around the type of information collected and used.
  2. The drafted regulations create a new category of sensitive personal information known as “Sensitive Data Inferences.” That means using data to infer a person’s racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship status. Sensitive Data Inferences can only be used in limited circumstances and must be deleted within 12 hours of collection under the proposed rules.
  3. The third area that makes these proposed regulations interesting is a specific section that requires organizations to follow good data minimization practices. If approved, businesses and other groups subject to the law will be required to create data retention and deletion schedules to ensure they do not collect more information than is needed and that it is not kept longer than necessary. This is a key component to reducing identity compromises: you can’t lose control of the information you don’t have.

How Colorado Residents Can Learn More and Get Involved

Residents of Colorado and other interested parties have until November 7 to submit written comments about the proposed regulations in the Colorado privacy law. You can also attend one of three virtual meetings on November 10, 15 or 17. If you want to review the regulations or find out how to provide feedback on the Colorado privacy law, visit the Colorado AG’s website at COAG.gov and search for the Colorado Privacy Act.

Contact the ITRC

If you want to learn how to protect your personal information or think you have been the victim of an identity crime, visit our website www.idtheftcenter.org. You can also speak with an expert advisor on the phone (888.400.5530), chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PST). 

Next week, we will release the analysis of the data breaches reported in the third quarter of this year. There is some interesting information buried in that data, and we’ll dig it out and serve it to you on the next episode of the Weekly Breach Breakdown.
