2018 has so far been a year that will long live in the memory of workplace privacy lawyers. Over the past eight months, lawyers for multinational corporations have had to familiarize themselves with a range of new laws, including the European Union’s General Data Protection Regulation (GDPR); the GDPR-styled California Consumer Privacy Act; and new data breach notification laws in South Dakota and Alabama. As we enter the final few months of the year, additional privacy laws and developments sit on the horizon. This article focuses on three more developments that privacy lawyers and employment counsel should be aware of heading into the final months of 2018.

Colorado’s Data Privacy Law (House Bill 18-1128)

Effective Sept. 1, companies that operate in Colorado and store paper or electronic documents containing personal identifying information will be required to comply with heightened data protection obligations. The new requirements stem from House Bill 18-1128, which was signed into law by Colorado Gov. John Hickenlooper on May 29, and amends the Colorado Consumer Protection Act (C.R.S.A. Section 6-1-101 et seq.). Although the bill was captioned “Concerning Strengthening Protections for Consumer Data Privacy,” it defines a “covered entity” as a corporation, business or other legal or commercial entity that, in the course of its business, “maintains, owns, or licenses personal identifying information.” Colorado employers will therefore be required to comply with the bill’s requirements.