Reggi is the free generative AI assistant for regulatory compliance
Can I ensure that my company is compliant with expanding privacy protections in Colorado? What are the requirements?
Requirements for Ensuring Compliance with Expanding Privacy Protections in Colorado
To ensure compliance with expanding privacy protections in Colorado, companies must adhere to the following requirements:
- Creation of a Privacy Policy: Each governmental entity of the state must create a privacy policy for the purpose of standardizing within such governmental entity the collection, storage, transfer, and use of personally identifiable information by such governmental entity. The policy of each governmental entity shall address, but shall not be limited to, the following [2.1]:
  - A general statement declaring support for the protection of individual privacy;
  - A provision for the minimization of the collection of personally identifiable information to the least amount of information required to complete a particular transaction;
  - Clear notice of the applicability of the “Colorado Open Records Act” pursuant to part 2 of this article;
  - A method for feedback from the public on compliance with the privacy policy; and
  - A statement that the policy extends to the collection of all personally identifiable information, regardless of the source or medium.
- Initial Privacy Notice to Consumers: A licensee shall provide a clear and conspicuous initial notice that accurately reflects its privacy policies and practices to [1.5]:
  - Customer. An individual who becomes the licensee’s customer, not later than when the licensee establishes a customer relationship, except as provided in Section 5.E. of this section; and
  - Consumer. A consumer, before the licensee discloses any nonpublic personal financial information about the consumer to any nonaffiliated third party, if the licensee makes a disclosure other than as authorized by Sections 16 and 17.
- Information to be Included in Privacy Notices: The initial, annual and revised privacy notices that a licensee provides shall include each of the following items of information, in addition to any other information the licensee wishes to provide, that applies to the licensee and to the consumers to whom the licensee sends its privacy notice [1.6]:
  - The categories of nonpublic personal financial information that the licensee collects;
  - The categories of nonpublic personal financial information that the licensee discloses;
  - The categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information, other than those parties to whom the licensee discloses information under Sections 16 and 17;
  - The categories of nonpublic personal financial information about the licensee’s former customers that the licensee discloses and the categories of affiliates and nonaffiliated third parties to whom the licensee discloses nonpublic personal financial information about the licensee’s former customers, other than those parties to whom the licensee discloses information under Sections 16 and 17;
  - If a licensee discloses nonpublic personal financial information to a nonaffiliated third party under Section 15, a separate description of the categories of information the licensee discloses and the categories of third parties with whom the licensee has contracted;
  - An explanation of the consumer’s right under Section 12.A. to opt out of the disclosure of nonpublic personal financial information to nonaffiliated third parties, including the methods by which the consumer may exercise that right at that time;
  - Any disclosures that the licensee makes under Section 603(d)(2)(A)(iii) of the federal Fair Credit Reporting Act (15 U.S.C. 1681a(d)(2)(A)(iii)) (that is, notices regarding the ability to opt out of disclosures of information among affiliates);
  - The licensee’s policies and practices with respect to protecting the confidentiality and security of nonpublic personal information; and
  - Any disclosure that the licensee makes under Section 6.B. of this section.
- Revised Privacy Notices: A licensee shall provide a clear and conspicuous revised notice that accurately describes its policies and practices to a consumer before disclosing any nonpublic personal financial information about the consumer to a nonaffiliated third party other than as described in the initial notice that the licensee provided to that consumer under Section 5, unless [1.2]:
  - The licensee has provided to the consumer a new opt-out notice;
  - The licensee has given the consumer a reasonable opportunity, before the licensee discloses the information to the nonaffiliated third party, to opt out of the disclosure; and
  - The consumer does not opt out.
- Privacy Notices to Group Policyholders: A licensee shall provide initial, annual and revised notices to the plan sponsor, group or blanket insurance policyholder or group annuity contractholder, or workers’ compensation policyholder, in the manner described in Sections 5 through 9 of this regulation, describing the licensee’s privacy practices with respect to nonpublic personal information about individuals covered under the policies, contracts or plans [1.3].
- Annual Privacy Notice to Customers Required: A licensee shall provide a clear and conspicuous notice to customers that accurately reflects its privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of twelve (12) consecutive months during which that relationship exists. A licensee may define the twelve-consecutive-month period, but the licensee shall apply it to the customer on a consistent basis [1.4].
Companies must ensure that they comply with the above requirements to ensure compliance with expanding privacy protections in Colorado.
Source(s):
- [1.2] Revised Privacy Notices
- [2.1] Creation of a privacy policy for governmental entities.
- [1.3] Privacy Notices to Group Policyholders
- [1.4] Annual Privacy Notice to Customers Required
- [1.5] Initial Privacy Notice to Consumers Required
- [1.6] Information to be Included in Privacy Notices
Jurisdiction
Colorado