Legal Seminar, Denver, CO

protections and restrictions on third parties. The Act grants enforcement responsibilities to the California Attorney General. [Effective January 1, 2020]

Colorado (H.B. 1128) Significantly expands the state’s consumer data protection laws. Among other things, the law requires “covered” and governmental entities in Colorado that maintain paper or electronic documents containing personal identifying information to develop and maintain a written policy for the destruction and proper disposal of those documents and for reasonable security procedures. The law also amends the data breach notification statutes to specify who must be notified upon a breach and what must be included in such notifications. [Effective September 1, 2018]

Louisiana (Act 382) Amends the existing data breach notification law to require entities conducting business in the state or that own or license computerized data to (1) “implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information from unauthorized access, destruction, use, modification, or disclosure;” and (2) take “all reasonable steps” to destroy documents containing personal information once they no longer need to be retained. The law revises and expands key definitions, requires entities to generally notify affected individuals within 60 days of the discovery of a data breach, and contains provisions allowing substitute notification (emails, website notices, etc.) under certain circumstances. [Effective August 1, 2018]

Oregon (Ch. 10) Expands the definition of personal information and expands requirements related to notification of a data breach. Generally, persons subject to Title V of Gramm-Leach-Bliley are exempt from the law; however, any person that owns or licenses personal information must provide to the Attorney General or the person’s primary regulator at least one copy of any notice that is sent to consumers in connection with a data security breach that affects more than 250 consumers. [Effective June 3, 2018]

South Dakota (SB 62) Requires notifications be made by the information holder when personal or protected information has been or may have been acquired by an unauthorized person. Compliance with federal law requirements will be deemed sufficient. [Effective July 1, 2018]

Vermont (H.B. 764) Sets operating standards for and an annual registration requirement for “data brokers.” “Data Broker” means a business, or unit or units of a business, separately or together, that knowingly collects and sells or licenses to third parties the brokered personal information of a consumer with whom the business does not have a direct relationship. The law is intended to adopt a narrowly tailored definition of data broker and the law contains detailed exemptions. The registration is with the Secretary of State and registrants will be subject to civil penalties for failure to register as well as disclosure requirements and data security standards. [Effective January 1, 2019; enacted without Governor approval]

Vermont (Act 205) Establishes a registration for “Personal Information Protection Companies” which are businesses that are organized for the primary purpose of providing personal information protection services to individual consumers. The registration will be administered by the Department of Financial Regulation. [Effective July 1, 2018]
