Questions and Answers: Colorado Data Privacy Law for Private Employers

Due to the complexity of Colorado’s new data privacy law, Employers Council has put together this Q&A briefing. Members in other states may wish to get a “head start” on similar legislation that may spring up at home. Since September 1, 2018, Colorado has a new law (i.e., HB 18-1128) that impacts many Colorado companies, including from the perspective of workforce compliance. This article is intended to provide a quick overview of key considerations and to provide practical HR guidance; however, it is essential to carefully review the in-depth FYI guide available to Employers Council members (FYI Colorado: The Colorado Consumer Data Privacy Law-Private Employers) for complete and detailed information, as well as specific definitions. For instance, this Q&A uses the terms “PI” and “PII”, which stand for “personal information” and “personal identifying information,” respectively. The definition for these terms can be found in Q&A Item 10; however, the FYI guidance document provides additional useful information for your consideration and comprehension.

Initial considerations:

  • The law applies to records that employers have of “consumers”; this includes customers and employees. Employers Council offers guidance for employees only.
  • This article addresses private sector employers only. Requirements for public sector employers are similar and in many cases, virtually identical. Employers Council maintains a separate FYI for members as the law relates to public employers.

Q1: What’s the point of this law?

A1: The law expands an existing consumer protection law; it is not an employment law, per se. The law seeks to protect and notify Colorado consumers, including employees or applicants for employment who have provided personal information to their current or potential employers. Employers must implement and maintain two policies (i.e., Data Disposal and Information Security) and give employees specific information (i.e., Security Breach Notice) when their computerized data has been accessed and is likely to be misused (or has been misused) by an unauthorized party. The law requires employers whose consumer (including employee) data has been accessed to conduct investigations into such access and the potential for misuse.

Q2: When does this law take effect?

A2: September 1, 2018.

Q3: What employers are impacted by this law?

A3: All “covered entities,” which includes private and public sector employers, are impacted by this law, regardless of employee count, if the hold certain types of data related to Colorado residents.

Q4: What records are covered?

A4: Paper and electronic records are covered and both are subject to disposal policy requirements, but only computerized data records are subject to Security Breach Notice. The following commonly held employee records are likely covered because they usually contain employee data covered by this law (see Q10 for a full description of covered data):

  • Employment applications.
  • Copies made of identity documents for I-9 compliance.
  • Payroll records.
  • Benefits enrollment forms.
  • Background check reports.
  • Education transcripts.
  • Unemployment claim forms.
  • Records that contain information for fingerprint/ eye recognition or similar.

Q5: What must employers do to comply with this law?

A5: The law requires employers to take these steps to comply:

  • Draft a policy that addresses proper disposal of employee PII.
  • Draft a policy that defines Information Security protocols.
  • Verify that any third party providers used for employee computerized records (e.g., management/ storage/ destruction services) maintain reasonable security procedures in compliance with the law.
  • Understand and draft procedures to investigate security breaches and to notify* employees of a security breach of computerized data within 30 days of the breach having been identified.

*Notification requirements vary based on the number of impacted Colorado residents (may be a combination of employees/ non-employees). In addition, timing of notice may be delayed at the behest of law enforcement.

  • 1+: notify impacted Colorado residents;
  • 500+: the above, plus notify the Colorado Attorney General;
  • 1,000+: the above, plus notify national consumer reporting agencies

Q6: What else should employers do to comply?

A6: Take pro-active steps to comply, including:

  • Self-audit to identify where covered records (those containing PI, PII) are stored in both paper and electronic form.
  • Evaluate current recordkeeping practices and information handling processes to identify changes needed (if any). Identify all points of entry for employee information (emails, mail, fax, papers, etc.) and draft a chain of custody of them; analyze for gaps or areas of risk exposure.
  • Train anyone who may handle covered records (e.g. Managers, Supervisors, etc.) on their role in complying with this law.
  • Evaluate any other laws that may cover these records and verify compliance.
  • HR and IT professionals must partner to define procedures for computerized data records, including protocols for identifying/ investigating/ responding to breaches.
  • Contact any third party vendors that are used to determine if their practices comply and to identify any changes necessary to comply. Whenever possible, arrange for an on-site visitation to visually witness and verify vendor practices/ facilities, etc. Common products and services include: cloud HRIS/ ATS/ Payroll/ Benefits service providers, document storage/ disposal services, software vendors, pre-employment screening services, etc.

Q7: How can Employers Council help members comply with this law?

A7:  Employers Council can help members as follows:

  • Data Disposal policy: “FYI- RECORDKEEPING Identity Theft-Overview and Document Disposal Requirements” intended for internal operations, provides guidance on this topic and a sample policy that can be customized.
  • Information Security policy: a sample policy is not available due to the law’s requirement of “reasonable” measures commensurate with employer size and nature. This means that more sophisticated safety protocols can be expected of a larger employer than a smaller employer. Contact your staff representative for assistance.
  • Third Party Verification: Consult “FYI- RECORDKEEPING Identity Theft-Overview and Document Disposal Requirements” for guidance.
  • Notification of Security Breach: a sample breach notice is included in the “FYI Colorado: The Colorado Consumer Data Privacy Law-Private Employers”. Members are encouraged to customize this sample to create a template that can quickly be used to send to employees should a breach occur.
  • Essential detailed information is available in the “FYI Colorado: The Colorado Consumer Data Privacy Law-Private Employers”
  • Employee Handbook policy: “Data Disposal Policy” can educate employees on employer practices, found in the Employer Handbook Planning Guide.
  • Individual guidance: contact our Attorneys and HR professionals for assistance.

Q8: Which state agency enforces this law?

A8: Colorado Office of the Attorney General Consumer Protection Section, as well as other district attorneys.

Q9: What are the risks of non-compliance with this law?

A9: The Colorado Attorney General’s office may investigate and press charges; civil penalties may reach $2,000 per affected person, $500,000 per incident. Employers may be held liable by the employees harmed by violations.*

Q10: What is PI/PII, and what’s the difference between them?

A10: The law does not apply to all information or data held by employers; it only applies to PI and PII. In practical operational terms, it may be impossible to parse out these differences and an employer may be better off taking a risk-averse approach with most employee data in their recordkeeping and breach notification practices.

See chart for an overview of the differences; for complete guidance, refer to the FYI:

For member assistance, contact Employers Council.