There is a newer version of this Section
2022
2021
2020 (you are here)
2019
2018
Other previous versions
View our newest version here

2020 Colorado Revised Statutes
Title 6 - Consumer And Commercial Affairs
Article 1. Colorado Consumer Protection Act
Section 6-1-713.5. Protection of personal identifying information - definition.

Universal Citation: CO Rev Stat § 6-1-713.5 (2020)
Previous Next

(1) To protect personal identifying information, as defined in section 6-1-713 (2), from unauthorized access, use, modification, disclosure, or destruction, a covered entity that maintains, owns, or licenses personal identifying information of an individual residing in the state shall implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal identifying information and the nature and size of the business and its operations.

(2) Unless a covered entity agrees to provide its own security protection for the information it discloses to a third-party service provider, the covered entity shall require that the third-party service provider implement and maintain reasonable security procedures and practices that are:

  1. Appropriate to the nature of the personal identifying information disclosed to thethird-party service provider; and

  2. Reasonably designed to help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction.

(3) For the purposes of subsection (2) of this section, a disclosure of personal identifying information does not include disclosure of information to a third party under circumstances where the covered entity retains primary responsibility for implementing and maintaining reasonable security procedures and practices appropriate to the nature of the personal identifying information and the covered entity implements and maintains technical controls that are reasonably designed to:

  1. Help protect the personal identifying information from unauthorized access, use, modification, disclosure, or destruction; or

  2. Effectively eliminate the third party's ability to access the personal identifying information, notwithstanding the third party's physical possession of the personal identifying information.

  1. A covered entity that is regulated by state or federal law and that maintains procedures for protection of personal identifying information pursuant to the laws, rules, regulations, guidances, or guidelines established by its state or federal regulator is in compliance with this section.

  2. For the purposes of this section, "third-party service provider" means an entity thathas been contracted to maintain, store, or process personal identifying information on behalf of a covered entity.

Source: L. 2018: Entire section added, (HB 18-1128), ch. 266, p. 1633, § 2, effective September 1.

Previous Next
Disclaimer: These codes may not be the most recent version. Colorado may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.