Colorado Data Disposal Law
C.R.S. § 6-1-713, et seq.
Colorado Revised Statutes Annotated
Title 6. Consumer and Commercial Affairs (§§ 6-1-101 — 6-26-101)
Fair Trade and Restraint of Trade (Arts. 1 — 6.5)
Article 1. Colorado Consumer Protection Act (Pts. 1 — 13)
Part 7. Specific Provisions (§§ 6-1-701 — 6-1-732)
6-1-713. Disposal of personal identifying information - policy - definitions.
6-1-713.5. Protection of personal identifying information - definition.
6-1-713. Disposal of personal identifying information - policy - definitions.
(1) Each covered entity in the state that maintains paper or electronic documents during the course of business that contain personal identifying information shall develop a written policy for the destruction or proper disposal of those paper and electronic documents containing personal identifying information. Unless otherwise required by state or federal law or regulation, the written policy must require that, when such paper or electronic documents are no longer needed, the covered entity shall destroy or arrange for the destruction of such paper and electronic documents within its custody or control that contain personal identifying information by shredding, erasing, or otherwise modifying the personal identifying information in the paper or electronic documents to make the personal identifying information unreadable or indecipherable through any means.
(2) For the purposes of this section and section 6-1-713.5:
(a) “Covered entity” means a person, as defined in section 6-1-102 (6), that maintains, owns, or licenses personal identifying information in the course of the person’s business, vocation, or occupation. “Covered entity” does not include a person acting as a third-party service provider as defined in section 6-1-713.5.
(b) “Personal identifying information” means a social security number; a personal identification number; a password; a pass code; an official state or government-issued driver’s license or identification card number; a government passport number; biometric data, as defined in section 6-1-716 (1)(a); an employer, student, or military identification number; or a financial transaction device, as defined in section 18-5-701 (3).
(3) A covered entity that is regulated by state or federal law and that maintains procedures for disposal of personal identifying information pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section.
(4) Unless an entity specifically contracts with a recycler or disposal firm for destruction of documents that contain personal identifying information, nothing herein shall require a recycler or disposal firm to verify that the documents contained in the products it receives for disposal or recycling have been properly destroyed or disposed of as required by this section.
History
Source: L. 2004: Entire section added, p. 1959, § 2, effective August 4. L. 2018: (1), (2), and (3) amended, (HB 18-1128), ch. 266, p. 1632, § 1, effective September 1.
6-1-713.5. Protection of personal identifying information - definition.
(1) To protect personal identifying information, as defined in section 6-1-713 (2), from unauthorized access, use, modification, disclosure, or destruction, a covered entity that maintains, owns, or licenses personal identifying information of an individual residing in the state shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.
(2) Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the covered entity shall require that the third-party service provider implement and maintain reasonable security procedures and practices that are:
(a) Appropriate to the nature of the personal identifying information disclosed to the third-party service provider; and
(b) Reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.
(3) For the purposes of subsection (2) of this section, a disclosure of personal identifying information does not include disclosure of information to a third party under circumstances where the covered entity retains primary responsibility for implementing and maintaining reasonable security procedures and practices appropriate to the nature of the personal identifying information and the covered entity implements and maintains technical controls that are reasonably designed to:
(a) Help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction; or
(b) Effectively eliminate the third party’s ability to access the personal identifying information, notwithstanding the third party’s physical possession of the personal identifying information.
(4) A covered entity that is regulated by state or federal law and that maintains procedures for protection of personal identifying information pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section.
(5) For the purposes of this section, “third-party service provider” means an entity that has been contracted to maintain, store, or process personal identifying information on behalf of a covered entity.
History
Source: L. 2018: Entire section added, (HB 18-1128), ch. 266, p. 1633, § 2, effective September 1.
For more information, see here: https://leg.colorado.gov/colorado-revised-statutes
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.