Hot on the heels of the General Data Protection Regulation (GDPR, on which we reported in our July Bulletin), which went into effect in the European Union on May 25, 2018, the states of Colorado and California have enacted data privacy laws in a similar vein that will impose new obligations on employers, including with respect to their human resources functions.
Colorado’s H.B. 18-1128 (Protections for Consumer Data Privacy)
The “Protections for Consumer Data Privacy” go into effect on September 1, 2018, so employers will want to act as soon as possible to put compliant policies in place. Employers Council plans to publish an “FYI” on the topic, along with relevant sample documents, in the coming weeks.
The most important concepts in this law relate to “covered entities” and “personal information.” Government entities and special districts may have additional obligations and should consult with legal counsel prior to implementing a new security breach notification framework.
To be a “covered entity,” an organization must simply “maintain, own, or license personal information.” In turn, “personal information” is given an expansive definition. It includes a “Colorado resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident when those data elements are not encrypted, redacted, or otherwise secured: medical information; health insurance identification number; biometric data; social security number; student, military, or passport identification number; or driver’s license number or identification card.”
“Personal information” also includes a Colorado resident’s username or email address in combination with a password or security questions and answers that would permit access to an online account, and a Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.
The law also includes specific definitions for “medical information” and “biometric data.” “Medical information” means any information about a Colorado resident’s medical or mental health treatment or diagnosis by a health care professional. “Biometric data” means unique biometric data generated from measurements or analysis of human body characteristics for the purpose of authenticating the individual when he or she accesses an online account.
For any entity that “maintains, owns, or licenses” such “personal information,” the law imposes three obligations, each of which should be reflected in written policy:
- To notify affected Colorado residents (for an employer, its affected employees) of a security breach no later than 30 days after determining that a breach occurred, and also to notify the Colorado Attorney General when 500 or more Colorado residents are affected;
- To adopt a written policy for the disposal of paper and electronic documents containing personal information once they are no longer needed; and
- To implement “reasonable security procedures and practices,” appropriate to the nature of the information and the size of the business, to protect personal information from unauthorized access, use, modification, disclosure, or destruction.
Once in effect, Colorado’s law will carry one of the shortest breach-notification deadlines of any state: a fixed 30 days measured from the determination that a breach occurred, with no extension for good cause and delay permitted only where law enforcement determines that notice would impede a criminal investigation.
California’s A.B. 375 (Consumer Privacy Act of 2018)
Employers subject to California’s new law will have more time to prepare their policies, as the law does not go into effect until January 1, 2020. Whereas Colorado’s new law has a virtually all-inclusive definition of a “covered entity,” California’s new law defines a “covered business” more narrowly.
Briefly, a “covered business” is any for-profit entity that does business in California and (1) has annual gross revenue in excess of $25,000,000; (2) annually buys, receives for the business’s commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more consumers, households, or devices, alone or in combination; or (3) derives 50 percent or more of its annual revenue from selling consumers’ personal information. The definition also reaches any entity that “controls or is controlled by” a covered business and shares common branding with it.
The California law grants consumers “five rights” with respect to their “personal information” and imposes corresponding obligations on covered businesses: (1) the right to know what personal information is collected and how it is used and shared, (2) the right to access that information, (3) the right to deletion, (4) the right to opt out of the sale of personal information, and (5) the right to equal service and price, meaning a business may not discriminate against a consumer for exercising these rights.
“Personal information” is defined far more expansively than under the new Colorado law. Rather than turning on a closed list of data elements, the definition broadly covers any information that “identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Exclusions exist, however, for “aggregate consumer information,” defined as data that is “not linked or reasonably linkable to any consumer or household, including via a device,” and for publicly available information, meaning information lawfully made available from federal, state, or local government records.
Next Steps in Colorado and/or California
Employers Council attorneys and human resources professionals are working on detailed guidance for employers related to both laws. Look for upcoming features in our September Bulletin publication, as well as notices in our Hot Topics related to sample documents. For initial, preliminary guidance, employers may wish to review the suggested measures in the July “GDPR” article, hyperlinked above, to be well-prepared.