Colorado Enacts Consumer Privacy Law Effective September 1, 2018; Federal Action on Privacy Issues

The following is an email message posted to the IAJGS Public Records Access Alert mailing list by Jan Meisels Allen, Chairperson, IAJGS Public Records Access Monitoring Committee. It is republished here with the permission of the author:

Colorado joins the states taking on consumer privacy protections by enacting House Bill 18-1128, signed by Governor Hickenlooper on May 29, 2018, which becomes effective September 1, 2018. To read the summary see:, and for full text see: The bill requires entities to implement and maintain reasonable security procedures, properly dispose of documents that contain confidential information, ensure that confidential information is protected when transferred to third parties, and notify affected individuals of data breaches in the shortest time frame in the country.

Covered entities are those that “maintain, own or license personal identifying information (PII) of a Colorado resident”. PII is defined to include: a social security number; personal identification number; password; passcode; official state or government-issued driver’s license or identification card number; government passport number; biometric data; employer, student, or military identification number; or financial transaction device.

The data breach notification law was strengthened, and covered entities must notify the affected individuals within 30 days after determining that a security breach occurred that resulted in, or is likely to result in, misuse of personal information. The 30-day notification is currently the shortest of any state. The law does not provide for exemptions for those subject to federal requirements, and if there is a conflict between the 30-day time period of the Colorado law and a time period in another federal or state law, the law with the shortest time frame for providing notice controls.

Personal information which can trigger a data breach notification if compromised is defined in the new law as: a Colorado resident’s first name or first initial and last name in combination with any of the following data elements: social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data. The definition also includes a Colorado resident’s username or e-mail address in combination with a password or security questions and answers that would permit access to an online account or a Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.

The Attorney General’s office, which spearheaded the legislation, is authorized to enforce these new requirements and may bring an action in law or equity to ensure compliance or recover direct economic damages resulting from a violation.

California and Vermont have also enacted laws affecting consumer privacy which have been reported on previously in the IAJGS Records Access Alert.

But what is happening from the federal government? As previously reported, the CONSENT Act (S. 2639/ H.R.5815) would give consumers the right to know about what data companies collect on them and to opt out. A second bill, Social Media Privacy Protection and Consumer Rights Act of 2018 (S-2728), similarly has had no hearings or actions. The House of Representatives has two bills, Balancing the Rights of Web Surfers Equally and Responsibly Act (HR 2520) and Secure and Protect Americans’ Data Act (HR 3896). Both bills are sitting in committee. The White House is exploring a voluntary alternative to the GDPR.

However, Senator Mark Warner (D-VA) released a document outlining a list of policy options for national legislation on data security and privacy. One of the options is a “comprehensive GDPR-like data protection legislation,” a reference to the European Union’s General Data Protection Regulation (GDPR). The IAJGS Records Access Alert has reported numerous times on the GDPR. Senator Warner’s report which may be read at: He says: “The US could adopt rules mirroring GDPR, with key features like data portability, the right to be forgotten, 72-hour data breach notification, 1st party consent, and other major data protections. Business processes that handle personal data would be built with data protection by design and by default, meaning personal data must be stored using pseudonymisation or full anonymization.”

To read the previous IAJGS Records Access Alert postings about the California and Vermont Privacy laws, Trump Administration Voluntary Alternative to GDPR, European Union’s security and privacy issues and more go to: You must be registered to access the archives. To register go to: and follow the instructions to enter your email address, full name and the genealogical organization with which you are affiliated. You will receive an email response that you have to reply to or the subscription will not be finalized.

Jan Meisels Allen
Chairperson, IAJGS Public Records Access Monitoring Committee
