Colorado Data Breach Notification Laws: Reporting Rules & Timelines (2026)

Colorado has one of the most demanding data breach notification laws in the United States. The state's 30-day notification deadline gives organizations less time to respond than nearly every other jurisdiction, and its definition of protected personal information is among the broadest nationwide.
The current law took shape through House Bill 18-1128, signed into law in 2018 and effective September 1, 2018. That legislation overhauled Colorado's previous breach notification rules by shortening the notification window, expanding what counts as personal information, and adding an Attorney General reporting requirement.
For a broader look at Colorado's privacy framework, including the Colorado Privacy Act, see the parent guide to [Colorado Data Privacy Laws](/us-laws/data-privacy-laws/colorado-data-privacy-laws).
Who Must Comply
Colorado's breach notification obligations apply to two categories of entities.
Private entities fall under C.R.S. 6-1-716. This covers any person or commercial entity that maintains, owns, or licenses computerized data containing the personal information of Colorado residents in the course of business.
Government entities fall under C.R.S. 24-73-103. This covers state agencies, counties, municipalities, school districts, and other governmental bodies that maintain personal information.
Both statutes impose the same 30-day notification timeline and the same personal information definitions. The key distinction is the enforcement mechanism: private entity violations are treated as deceptive trade practices, while government entities face separate accountability under Title 24.
Third-party service providers are also covered. If an entity discloses personal information to a nonaffiliated third party, it must either provide its own security protections or contractually require the service provider to implement and maintain reasonable security procedures.
What Qualifies as Personal Information
Colorado's definition of personal information is among the broadest in the country. The law protects a Colorado resident's first name or first initial and last name combined with any of the following unencrypted data elements:
- Social Security number
- Driver's license number or state identification card number
- Student identification number
- Military identification number
- Passport number
- Employer, taxpayer, or financial transaction device identification number
- Medical information
- Health insurance identification number
- Biometric data used for authentication purposes

The law also protects two standalone categories that do not require a name match:
- A username or email address combined with a password or security questions and answers that would permit access to an online account
- An account number or credit or debit card number combined with any required security code, access code, or password
The inclusion of passport numbers, student IDs, military IDs, and employer identification numbers distinguishes Colorado from most other states, which typically limit their definitions to Social Security numbers, driver's licenses, and financial account data.
Personal information does not include data that is lawfully available from government records or widely distributed media.
What Triggers the Notification Requirement
A security breach under Colorado law is the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity.
When an entity becomes aware that a breach may have occurred, it must conduct a prompt, good-faith investigation to determine whether personal information has been or will be misused. The investigation must assess the nature and scope of the incident.
Notification is required only when the investigation determines that misuse of personal information has occurred or is reasonably likely to occur. If the entity determines there is no reasonable likelihood of misuse, notification is not required, but the entity should document its analysis.
The 30-Day Notification Deadline
Colorado requires notification in the most expedient time possible and without unreasonable delay, but no later than 30 days after the entity determines a breach has occurred.
This 30-day clock starts when the entity makes a determination that a breach occurred, not when the breach itself happened or when the entity first became aware of suspicious activity. However, the investigation itself must be prompt. Delaying an investigation to avoid triggering the clock would likely violate the statute's good-faith requirement.
The 30-day timeline is notably shorter than most states. Many states allow 45 or 60 days, and some have no specific deadline beyond "without unreasonable delay."
Law enforcement may request a delay in notification if it would impede a criminal investigation. The entity must provide notification as soon as the law enforcement agency determines that notification will no longer compromise the investigation.
What the Notice Must Include
Colorado specifies the content that breach notification letters must contain. Notices sent to affected residents must include:
- The date or estimated date range of the security breach
- A description of the personal information that was acquired or reasonably believed to have been acquired
- Contact information for the entity providing the notice
- Toll-free numbers, addresses, and websites for the Federal Trade Commission and the consumer reporting agencies
- A statement that the resident can obtain information from the FTC and credit reporting agencies about fraud alerts and security freezes
If the breach involved login credentials (username or email with password), the notice must direct the resident to promptly change their password and security questions for the affected account and any other account using the same credentials.
Attorney General Reporting
When a breach is reasonably believed to have affected 500 or more Colorado residents, the entity must notify the Colorado Attorney General's office within the same 30-day window.
The AG notification is submitted through an online Data Breach Reporting Form maintained by the Consumer Protection Section. If the online form is unavailable, entities can email databreach@coag.gov.
The reporting form requires:
- Entity name, type, address, and contact details
- Types of personal information compromised
- Number of Colorado residents affected and total individuals affected across all states
- Dates the breach started, ended, was discovered, and when the determination was made
- Planned notification dates for affected residents
- Whether the data was encrypted
- Type of breach (hacking, phishing, malware, lost equipment, insider misuse, etc.)
- Description of the incident
- Method of notification to residents
Submitted forms and examples of consumer notices may be subject to disclosure under the Colorado Open Records Act, meaning members of the public could request copies.

Consumer Reporting Agency Notification
If the breach is reasonably believed to have affected 1,000 or more Colorado residents, the entity must also notify the nationwide consumer reporting agencies (Equifax, Experian, and TransUnion).
This notice must include the anticipated date of notification to affected residents and the approximate number of residents who will be notified. The purpose is to prepare the credit bureaus for an influx of fraud alert and credit freeze requests.
Substitute Notice
Colorado allows substitute notice when direct notification is not feasible. An entity may use substitute notice if it demonstrates any of the following:
- The cost of providing notice would exceed $250,000
- The affected class exceeds 250,000 Colorado residents
- The entity does not have sufficient contact information for the affected residents
Substitute notice consists of all of the following: email notification (where the entity has email addresses for the affected residents), conspicuous posting of the notice on the entity's website, and notification to major statewide media.
Encryption Safe Harbor
Colorado provides an encryption safe harbor. Personal information that is encrypted, redacted, or secured by any other method that renders it unreadable or unusable is not considered to have been breached.
This means that if the compromised data was properly encrypted at the time of unauthorized access, the notification requirements do not apply. The encryption must have been in place before the breach, not applied afterward. The operative question is whether the data was actually unreadable to the party that acquired it: if the decryption key was taken along with the ciphertext, or the data was encrypted only in transit and stored in the clear, the data was not rendered unreadable and the safe harbor should not be relied on.
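The trigger test, the 30-day clock, the 500- and 1,000-resident thresholds, the substitute-notice conditions, and the encryption safe harbor above together form one decision procedure that incident-response teams usually encode in a playbook. The following is an added illustration of that procedure and is not code from the article or from the Colorado Attorney General's office. The record layout, the field names, and the sample incident are assumptions made for the example; only the thresholds and the 30-day window come from the text.

```python
"""Breach-triage helper encoding the Colorado rules summarized above:
the personal-information definition, the encryption safe harbor, the
misuse test, the 30-day deadline and the 500/1,000-resident thresholds.

Added illustration, not code from the article or the Colorado AG.
Field names, record layout and the sample incident are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Elements that are personal information only when paired with a name
# (first name or first initial plus last name).
NAME_LINKED = frozenset({
    "ssn", "drivers_license", "state_id", "student_id", "military_id",
    "passport", "employer_id", "taxpayer_id", "financial_device_id",
    "medical_info", "health_insurance_id", "biometric_auth",
})
# (identifier set, secret set): personal information with no name match.
ACCOUNT_CREDENTIALS = (frozenset({"username", "email"}),
                       frozenset({"password", "security_qa"}))
PAYMENT_CREDENTIALS = (frozenset({"account_number", "card_number"}),
                       frozenset({"security_code", "access_code", "password"}))

DEADLINE_DAYS = 30           # from the determination date, not discovery
AG_THRESHOLD = 500           # residents -> notify the Attorney General
CRA_THRESHOLD = 1000         # residents -> notify the nationwide CRAs
SUBSTITUTE_COST_USD = 250_000
SUBSTITUTE_CLASS = 250_000


@dataclass
class ExposedSet:
    """One group of exposed records: the fields acquired, which of them
    were encrypted at the time of access, and how many Colorado
    residents the group covers."""
    fields: frozenset[str]
    residents: int
    encrypted: frozenset[str] = frozenset()

    def readable(self) -> frozenset[str]:
        # Safe harbor: elements encrypted before the breach are treated
        # as not acquired (assumes the key was not taken as well).
        return self.fields - self.encrypted


def is_personal_information(readable: frozenset[str]) -> bool:
    if "name" in readable and readable & NAME_LINKED:
        return True
    return any(readable & ids and readable & secrets
               for ids, secrets in (ACCOUNT_CREDENTIALS, PAYMENT_CREDENTIALS))


def is_credential_breach(readable: frozenset[str]) -> bool:
    ids, secrets = ACCOUNT_CREDENTIALS
    return bool(readable & ids and readable & secrets)


@dataclass
class Triage:
    affected_residents: int
    notify_residents: bool
    deadline: date | None
    notify_attorney_general: bool
    notify_reporting_agencies: bool
    substitute_notice_allowed: bool
    password_reset_instruction: bool


def triage(exposed: list[ExposedSet], determination: date,
           misuse_reasonably_likely: bool, notice_cost_usd: int = 0,
           have_contact_info: bool = True) -> Triage:
    """Run the notification decision for a breach whose determination
    was made on `determination` (the day the 30-day clock starts)."""
    affected = sum(e.residents for e in exposed
                   if is_personal_information(e.readable()))
    creds = any(is_credential_breach(e.readable()) for e in exposed)
    if affected == 0 or not misuse_reasonably_likely:
        # Nothing notifiable; the good-faith analysis is still documented.
        return Triage(affected, False, None, False, False, False, False)
    return Triage(
        affected_residents=affected,
        notify_residents=True,
        deadline=determination + timedelta(days=DEADLINE_DAYS),
        notify_attorney_general=affected >= AG_THRESHOLD,
        notify_reporting_agencies=affected >= CRA_THRESHOLD,
        substitute_notice_allowed=(notice_cost_usd > SUBSTITUTE_COST_USD
                                   or affected > SUBSTITUTE_CLASS
                                   or not have_contact_info),
        password_reset_instruction=creds,
    )


# Constructed sample incident (not a real case): a customer table whose
# card numbers were encrypted at rest, plus a login table in the clear.
SAMPLE = [
    ExposedSet(frozenset({"name", "card_number", "security_code"}),
               residents=900, encrypted=frozenset({"card_number"})),
    ExposedSet(frozenset({"email", "password"}), residents=650),
]
SAMPLE_DETERMINATION = date(2026, 3, 2)

if __name__ == "__main__":
    print(triage(SAMPLE, SAMPLE_DETERMINATION, misuse_reasonably_likely=True))
```

In the constructed sample the encrypted card numbers drop out under the safe harbor, so the first group contributes no notifiable residents; the 650 plaintext credential records alone trigger resident notice with a password-reset instruction and an Attorney General report, but fall below the consumer reporting agency threshold. The deadline is computed from the determination date, matching the clock described above.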
Reasonable Security and Data Disposal Requirements
Beyond breach notification, Colorado law imposes ongoing data protection obligations through C.R.S. 6-1-713.
Covered entities must implement and maintain reasonable security procedures appropriate to the nature of the personal information they hold. The standard is flexible and considers factors such as the size and complexity of the business and the sensitivity of the data.
Entities must also develop and maintain a written policy for the destruction and proper disposal of paper and electronic documents containing personal information. When documents are no longer needed, the entity must render the personal information unreadable.

Interaction with Federal and State Regulations
Entities that comply with breach notification requirements under federal or state regulatory frameworks, such as HIPAA for healthcare or the Gramm-Leach-Bliley Act for financial institutions, are deemed in compliance with Colorado's notification provisions.
However, there are two important exceptions. Even HIPAA- and GLBA-regulated entities must still:
- Notify the Colorado Attorney General when 500 or more Colorado residents are affected
- Follow Colorado's 30-day notification timeline, which may be shorter than their federal deadline
Colorado's breach notification law also exists alongside the Colorado Privacy Act (CPA), which took effect July 1, 2023. The CPA addresses broader data privacy rights (access, deletion, opt-out), while the breach notification statute focuses specifically on security incidents. They are complementary, and businesses handling Colorado consumer data should comply with both.
Enforcement and Penalties
The Colorado Attorney General enforces the breach notification law. There is no private right of action, meaning individual consumers cannot sue directly for notification failures.
Violations by private entities are treated as deceptive trade practices under the Colorado Consumer Protection Act. Civil penalties can reach up to $20,000 per violation, and there is no cap on the total penalty for a related series of violations.
The Attorney General has actively enforced these provisions. Notable actions include:
- Savory Spice Shop (2022): A Denver company paid $30,000 after two breaches exposed payment card data of 13,888 Colorado customers. The company failed to maintain adequate security and delayed notification for nine months despite a 30-day policy commitment.
- Impact MHC (2021): A mobile home park management company paid $25,000 (with an additional $30,000 suspended pending compliance) after a phishing attack exposed Social Security numbers and financial data of over 700 Coloradans. The company delayed notification for 10 months.
Both cases resulted in requirements to implement written information security policies, develop incident response plans, and maintain ongoing compliance programs.

More Colorado Laws
- Colorado Recording Laws
- Colorado Data Privacy Laws
- Colorado Lemon Laws
- Colorado Whistleblower Laws
Sources and References
This article references Colorado state statutes and official guidance from the Colorado Attorney General's office. Nothing in this article constitutes legal advice. Consult a licensed attorney in Colorado for guidance on specific compliance obligations.
- Colorado Attorney General: Consumer Data Protection Laws FAQ (coag.gov)
- Colorado HB 18-1128, Protections for Consumer Data Privacy (leg.colorado.gov)
- Colorado Attorney General: Data Breach Reporting Form (coag.gov)
- Colorado Attorney General: Data Privacy Complaints (coag.gov)
- Colorado Attorney General: Colorado Privacy Act (coag.gov)
- Colorado Attorney General: Data Security Best Practices (coag.gov)
- Colorado Attorney General: Savory Spice Shop Settlement (coag.gov)
- Colorado Attorney General: Impact MHC Settlement (coag.gov)
- HIPAA Information (hhs.gov)
- Gramm-Leach-Bliley Act (ftc.gov)