Effective Sept. 1, 2018, Colorado will require all entities that process or store certain personal information of Colorado residents, regardless of whether the entity is located within or outside of Colorado, to have formal data security and data disposal programs. This is the result of the adoption of Bill 18-1128 “Concerning Strengthening Provisions for Consumer Data Privacy,” signed into law at the end of May 2018, to amend and supplement existing law …. Previously, the definition of “personal identifying information” under the Colorado law was limited to a resident’s first name or initial and last name in combination with the individual’s Social Security, driver’s license, or identification card number, or a credit or debit card or bank account number, combined with a password or access code. The new definition includes additional forms of identification, such as student, military, passport, and health insurance identification number, as well as other types of information, such as medical information or biometric data. It also includes username or e-mail address in combination with a password or security question answers that would permit access to an online account …. Organizations that collect personal identifying information of Colorado residents and that do not yet have the written programs necessary to formalize their data protection practices urgently need to focus on compliance. — Francoise Gilbert, Greenberg Traurig

Francoise Gilbert, a partner at Greenberg Traurig, is the author of the two-volume treatise “Global Privacy and Security Law” (Wolters Kluwer Publishing), covering 68 countries. Her practice has focused on information privacy and security for more than 25 years. She advises clients on the entire spectrum of domestic and international privacy and cyber security legal issues, such as Internet of Things, smart cities, artificial intelligence, analytics, digital advertising and other cutting-edge developments that rely on the extensive use of personal data.

She is one of the featured speakers at the Privacy+Security Forum, which takes place Oct. 3-5, 2018, in Washington, DC.