On May 18, 2018, the Colorado legislature sent HB 18-1128, an Act Concerning Strengthening Protections for Consumer Data Privacy, to the governor’s desk for execution. The bill is one of a number of recent efforts by states to respond to a slew of high profile breaches announced this year, including Equifax, Facebook, Panera Bread, Under Armour and – well, you get it.
The bill follows a trend of inching toward the heightened and more specific standards employed by the EU’s General Data Protection Regulation. For example, HB 18-1128 replaces an ‘as soon as practicable’ breach notification requirement with a deadline of not later than 30 days from the date a breach is determined to have occurred. That’s more latitude than GDPR’s seemingly impossible 72-hour time limit (where feasible, of course), but it is another indication of regulators’ insistence on firm, identifiable timelines.
Also like the GDPR, the Colorado bill explicitly mandates that data be maintained “no longer than needed,” an example of the growing trend toward data minimization. With respect to security measures themselves, the bill requires “reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations,” a ‘commercially reasonable’ standard of sorts that also mirrors the GDPR (appropriate technical and organizational measures in light of a host of factors). Want one more similarity? The bill requires covered entities to mandate implementation of reasonable security measures by third-party service providers, another trend reflected both in the GDPR and in newer legislation being passed or proposed around the country.