Privacy Basics for Colorado Lawyers: The Colorado Consumer Data Privacy Act and the California Consumer Privacy Act, 0919 COBJ, Vol. 48, No. 8 Pg. 26

• Author: BY JENIFER MCINTOSH
• Position: Vol. 48, 8 [Page 26]

48 Colo.Law. 26

Privacy Basics for Colorado Lawyers: The Colorado Consumer Data Privacy Act and the California Consumer Privacy Act

Vol. 48, No. 8 [Page 26]

Colorado Lawyer

September, 2019

August, 2019

TECHNOLOGY IN THE LAW PRACTICE

BY JENIFER MCINTOSH

In this world of ever-proliferating acronyms, it can be difficult to determine which ones to pay attention to, particularly in the legal community, and even more so when working with clients in technology. Most of us know what HIPAA, USPTO, and COPPA stand for and what effect they have, if any, on our particular practice areas. But public outcry and growing privacy concerns have spawned two significant laws that may not be on every Colorado attorney's radar: California's looming Consumer Privacy Act^[1] (CCPA² ), and Colorado's recently enacted Consumer Data Privacy Act³ (CDPA⁴ ). Many of our clients—large and small—have casually shrugged off any privacy compliance or assessment efforts regarding exposure under the EU's General Data Protection Regulation (GDPR), and some rightfully so, given the lack of customers, marketing, or presence in the EU or European Economic Areas. The CCPA and CDPA, however, hit closer to home, and will likely have an impact—wanted or not. While this article focuses on the basic provisions of Colorado's lesser-known CDPA, it also discusses how California's legislation will impact Colorado lawyers when it goes into effect January 1, 2020.⁵

CDPA: The Brass Tacks

The CDPA became effective on September 1, 2018, and requires entities collecting or monetizing data to use reasonable and appropriate measures to protect Colorado residents' "personally identifiable information" (PII). The law has two basic components. The first part governs how "covered entities" safeguard the PII they maintain, own, or license. The second part governs when those entities must report a breach of "personal information" (PI) to the respective Colorado residents, including when and what they must disclose when such a breach has occurred.

If your client is a person, commercial entity, or governmental entity that collects, uses, licenses, or owns information gathered from Colorado residents, your client has a statutory responsibility to protect this personal information and to report any breach of the data collected.⁶ One quirk in Colorado's data breach law is that covered entities have an obligation to protect all information, whether in hard copy or electronic form. However, when a breach of said information occurs, the entity only has to disclose the breach of unencrypted, computerized PI, which is different and separate from PII.⁷

The CDPA defines PII, for security purposes, as

■ a social security number,

■ a personal ID number,

■ a password or pass code,

■ a government and/or state-issued ID number,

■ a passport number,

■ biometric data,

■ an employer, student, or military ID number, or

■ financial transaction device information (credit card number, etc.).⁸

Under the data security portion of the CDPA, companies must develop written policies documenting their destruction policy for both written and electronic PII records.⁹ This part of the law also requires covered entities to have "reasonable security procedures and practices," appropriate to the nature of the PII and the nature and size of the business, to protect the PII collected, used, or both.^[10] Covered entities are required to make sure third-party service providers also comply with the CDPA and employ these same protective measures.¹¹ This means if your client CrossGym owns a workout app that collects activity and health data, and CrossGym uses a third party to store the data it is collecting and analyzing, CrossGym is ultimately responsible to the Colorado government and to Colorado citizens for the security of that data, regardless of who has it or where it is stored (yes, there is a flourishing cybersecurity insurance industry).

Although the law also requires CrossGym to create and implement policies ensuring the PII is destroyed when it is no longer needed, it does not appear necessary for CrossGym to also require the same of its third-party vendor. However, the third-party vendor, as one who "maintains" the PII of Colorado residents on behalf of a covered entity, will have to comply with the CDPA requirements as well.

PI (again, separate from PII), for purposes of the breach notification obligations of the CDPA, includes a separate and unique combination of information. A breach of PI that is neither encrypted nor redacted occurs when there is an unauthorized taking of

1. the first name or first initial and last name of the Colorado resident, plus one of the following:

■ social security number,

■ employer, student, or military ID number,

■ passport number,

■ driver's license or government/ state-issued ID number,

■ medical information,

■ biometric data,

■ health insurance ID number; or

2. the username or email with password/ security question (with answer); or

3. the account number or credit/debit card number with security code, access code, or password.¹²

An unauthorized acquisition of unencrypted, computerized PI is a "security breach" under the CDPA.^[13] Investigation of any such breach must be prompt and performed in good faith.¹⁴ If an investigation determines no misuse occurred or is not "reasonably likely" to occur, notice of the...