Colorado Gov. John Hickenlooper last week signed bipartisan bill HB18-1128, “Protections for Consumer Data Privacy,” officially putting in place some of the most stringent requirements for personal information data disposal and data breach notification of any U.S. state.

The new law requires organizations to maintain a policy for disposing of documents containing consumer data and to notify Colorado residents of any potential personal information exposure no later than 30 days after discovering a data breach. The 30-day notification window does not provide for any specific exemptions and is the shortest of any state.