How will the new Colorado Data Destruction law affect your business?

GDPR isn't just a tick-box exercise, its changing the way we think about information governance for the better.

In the wake of GDPR and on the heels of the new Consumer Privacy Act in California, more and more states are starting to enact stringent data security requirements. Recently, Colorado’s governor signed into law House Bill 18-1128. This bill “concerning strengthening protections for consumer data privacy” went into effect September 1, 2018.

Similar to GDPR, the law extends outside the state’s borders, applying to any and all organizations doing business there, regardless of where they are located.

The new law which requires "covered entities" to comply with new rules regarding the security and disposal of "personal identifying information" (PII) also provides an expanded definition of "personal information" and more stringent notification standards in the event of a security breach involving personal information.

With over 23 years of expertise in the records management industry, Peter Foy, Quality & Compliance Manager for Crown Records Management says companies will need to be more vigil of new laws, “We are beginning to see the introduction of more extraterritorial jurisdiction laws like this.  Compliance to these laws can be very difficult, especially for small businesses that may not have the resources to keep abreast of them and any similar new developments.”  The good news is that many of the laws that will be overlapping state lines have very similar requirements. 

“With that in mind we always recommend that our customers take a worst case approach by implementing robust data privacy, records retention and destruction policies that are not aimed to address an individual law, but will comply across the board,” Foy goes on to say.  The reality is this approach is both beneficial to the organization as well as their customers.

The new rules impose the following obligations:

  1. Security Procedures. Covered entities must implement and maintain reasonable security procedures and practices that are appropriate to the nature of the PII and the nature and size of the business and its operations.

  2. Third-Party Service Provider Controls. Covered entities must take measures to protect PII disclosed to third party service providers. Third-party service providers must promptly notify covered entities of any data breaches, share information regarding the breach, and cooperate with the covered entity to resolve the breach.

  3. Document Disposal. Covered entities must develop and/or maintain a written policy for the destruction of any electronic or paper documents containing PII. Unless otherwise required by law, the policy must require that, when such documents are no longer needed, the covered entity shall destroy or arrange for the destruction of such documents within its custody or control that contain PII by shredding, erasing or otherwise modifying the PII in the documents to make the PII unreadable or indecipherable through any means.

  4. Breach Notification Regarding Personal Information. Covered entities must notify affected individuals in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of "determination that a security breach occurred".

How does House Bill 18-1128 apply to my business?

  • If your business maintains, owns or licenses personal information of Colorado residents, you need to comply. Keep in mind that personal information is broadly defined to include first initial and last name in combination with unencrypted identification numbers (SSN, passport number, driver's license, etc). It also includes an email address combined with a password or security questions and answers and account or debit/credit card numbers combined with access codes or passwords.

What does my business need to do to comply?

  • Implement appropriate security procedures to protect PII.

  • Make sure that your vendors who handle PII have appropriate security procedures in place and are required to notify you of data breaches and assist you with remediation.

  • Maintain a written policy for document destruction when PII is no longer needed.

  • Implement a data breach notification policy with notice provided to individuals no later than 30 days after determination that a breach occurred. The notification requires significant detail and additional notification to the Colorado Attorney General's office and credit reporting agencies if certain thresholds are met.


How can I learn more about this new law?

You can review a summary and text, along with detailed definitions and requirements here:



Protections For Consumer Data Privacy


Our knowledge, experience, and people transform the way you manage your information; freeing up your time and resources and helping you to become a high-performance business. To help you navigate these new laws contact one of our Records Management experts here.