

Click here to review text of state statute (see Col. Rev. Stat. Title 6, Article 1, §6-1-716).


Click here to download a print-version of the Mintz Matrix

Information Covered / Important Definitions

Information covered:

Personal information of Colorado residents.

Definition includes (i) student, military, or passport identification number; (ii) medical information; (iii) health insurance identification number; (iv) biometric data; and (v) a Colorado resident's username or e-mail address, in combination with a password or security questions and answers, that would permit access to an online account.

Important definitions:

“Security Breach” means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity.

Covered Entities* / Third Party Recipients

Subject to statute:

A person that maintains, owns, or licenses personal information in the course of the person's business, vocation, or occupation.

Third party recipients:

If a covered entity uses a third-party service provider (meaning an entity that has been contracted to maintain, store, or process personal information on behalf of a covered entity) to maintain computerized data that includes personal information, the third-party service provider must give notice to and cooperate with the covered entity in the event of a security breach that compromises such computerized data, including notifying the covered entity of any security breach in the most expedient time possible, and without unreasonable delay following discovery of a security breach, if misuse of personal information about a Colorado resident occurred or is likely to occur.

Notice Procedures & Timing / Other Obligations

Written, electronic, or telephonic notice must be provided to victims in the most expedient time possible and without unreasonable delay, but not later than thirty (30) days after the date of determination that a security breach occurred, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

  • Substitute notice is available by means prescribed in the statute if costs would exceed $250,000, the affected class exceeds 250,000 persons, or the covered entity has insufficient contact information.
  • Notice is not required if an investigation determines that the misuse of information about a resident has not occurred and is not reasonably likely to occur.

Other obligations:

Any covered entity that must notify more than 1,000 persons at one time of a security breach is also required to notify, in the most expedient time possible and without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined by the federal “Fair Credit Reporting Act”, 15 U.S.C. sec. 1681a(p).

Encryption Safe Harbor / Other Exemptions

Encryption Safe Harbor:

Statute not applicable if the personal data that was lost, stolen, or accessed by an unauthorized individual is encrypted, redacted, or secured by any other method rendering it unreadable or unusable.

Other exemptions:

Exemption for good faith acquisition of personal information by an employee or agent of a covered entity, so long as the personal information is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure.

Entities regulated by state or federal law that maintain and comply with procedures for addressing security breaches pursuant to those laws are exempt; except that notice to the attorney general is still required.

Entities subject to the provisions of the GLBA are exempt.

Any covered entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of the statute is deemed to be in compliance with the Colorado statute; except that notice to the attorney general is still required.

Notification to Regulator / Waiver

A determination of no likelihood of harm:

Does not require notification to attorney general.

If the security breach is reasonably believed to have affected 500 Colorado residents or more, the covered entity must provide notice of any security breach to the Colorado attorney general in the most expedient time possible and without unreasonable delay, but not later than thirty (30) days after the date of determination that a security breach occurred.


Attorney general may bring actions in law or equity to seek relief, including direct economic damages resulting from a violation.

With either a request from the governor to prosecute a particular case or with the approval of the district attorney with jurisdiction to prosecute cases in the judicial district where a case could be brought, the attorney general has the authority to prosecute any criminal violations of section 18-5.5-102.

Private Cause of Action / Enforcement

Private Cause of Action: No.

Enforcement by attorney general only.


Note: Please refer to individual state statutes for a complete list of covered entities, as the list of legal and commercial entities described in this chart as “subject to statute” is in most cases not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
