Can I store personal information about my customers in Colorado? What are the requirements?
Storing Personal Information of Customers in Colorado
Yes, you can store personal information about your customers in Colorado, but you must comply with the Colorado Consumer Protection Act (CCPA) and the Colorado Code of Regulations (CCR) [1.1]. Note that the cited provisions are written in terms of "licensees" and "nonpublic personal financial information" and "nonpublic personal health information," so the duties below are framed around those categories of data rather than personal information in general.
Notice and Opt-Out Requirements
Under the CCPA, you must provide an initial notice to customers that accurately reflects your privacy policies and practices, and you must repeat a clear and conspicuous notice of those policies and practices not less than annually for as long as the customer relationship continues [1.1].
Additionally, under the CCR, each initial, annual, and revised privacy notice must include: the categories of nonpublic personal financial information that you collect; the categories of nonpublic personal financial information that you disclose; the categories of affiliates and nonaffiliated third parties to whom you disclose nonpublic personal financial information; and the categories of nonpublic personal financial information about your former customers that you disclose [1.9].
Furthermore, you must comply with the limits on disclosure of nonpublic personal financial information to nonaffiliated third parties [1.7]. Nonpublic personal health information is treated separately: before disclosing it, you must obtain authorization from the consumer or customer whose health information is sought to be disclosed [1.8].
Exceptions to Notice and Opt-Out Requirements
There are exceptions to the notice and opt-out requirements for disclosure of nonpublic personal financial information. Under these exceptions, a disclosure may be made:
- With the consent or at the direction of the consumer, provided that the consumer has not revoked the consent or direction [1.2].
- For licensee and consumer protection, such as to protect the confidentiality or security of a licensee’s records pertaining to the consumer, service, product or transaction, to protect against or prevent actual or potential fraud or unauthorized transactions, for required institutional risk control or for resolving consumer disputes or inquiries, to persons holding a legal or beneficial interest relating to the consumer, or to persons acting in a fiduciary or representative capacity on behalf of the consumer [1.2].
- To provide information to insurance rate advisory organizations, guaranty funds or agencies, agencies that are rating a licensee, persons that are assessing the licensee’s compliance with industry standards, and the licensee’s attorneys, accountants and auditors [1.2].
- To comply with federal, state or local laws, rules and other applicable legal requirements, to comply with a properly authorized civil, criminal or regulatory investigation, or subpoena or summons by federal, state or local authorities, or to respond to judicial process or government regulatory authorities having jurisdiction over a licensee for examination, compliance or other purposes as authorized by law [1.2][1.5].
- For purposes related to the replacement of a group benefit plan, a group health plan, a group welfare plan or a workers’ compensation plan [1.2].
- To a consumer reporting agency in accordance with the federal Fair Credit Reporting Act (15 U.S.C. 1681 et seq.), or from a consumer report reported by a consumer reporting agency [1.2][1.4].
- As necessary to effect, administer or enforce a transaction that a consumer requests or authorizes, or in connection with servicing or processing an insurance product or service that a consumer requests or authorizes, maintaining or servicing the consumer’s account with a licensee, or with another entity as part of a private label credit card program or other extension of credit on behalf of such entity, a proposed or actual securitization, secondary market sale (including sales of servicing rights) or similar transaction related to a transaction of the consumer, or reinsurance or stop loss or excess loss insurance [1.5].
If you comply with these notice, opt-out, and disclosure rules, and rely on the exceptions only where they actually apply, you can store personal information about your customers in Colorado.
Conclusion
To store personal information about your customers in Colorado, you must comply with the CCPA and the CCR. You must provide an initial notice and an annual notice to customers that accurately reflects your privacy policies and practices. Each initial, annual, and revised privacy notice must state the categories of nonpublic personal financial information you collect and disclose, and the categories of affiliates and nonaffiliated third parties to whom you disclose it. Disclosure of nonpublic personal financial information to nonaffiliated third parties is limited and subject to opt-out, with the exceptions listed above; disclosure of nonpublic personal health information additionally requires the authorization of the consumer or customer concerned.
Source(s):
- [1.1] Annual Privacy Notice to Customers Required
- [1.2] Other Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information
- [1.4] Exception to Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Service Providers and Joint Marketing
- [1.5] Exceptions to Notice and Opt Out Requirements for Disclosure of Nonpublic Personal Financial Information for Processing and Servicing Transactions
- [1.7] Limits on Disclosure of Nonpublic Personal Financial Information to Nonaffiliated Third Parties
- [1.8] When Authorization is Required for Disclosure of Nonpublic Personal Health Information
- [1.9] Information to be Included in Privacy Notices
Jurisdiction
Colorado