The bill specifies measures in several categories to protect personal identifying information (PII) kept by state agencies.
Limitations on PII shared by state agencies: A state agency employee is prohibited from disclosing or making accessible PII that is not available to the public for the purpose of investigating for, participating in, cooperating with, or assisting in federal immigration enforcement, except as required by federal or state law or as required to comply with a court-issued subpoena, warrant, or order.
Reduction of PII collected by state agencies: Beginning January 1, 2022, a state agency employee is prohibited from inquiring into, or requesting information or documents to ascertain, a person's immigration status for the purpose of identifying if the person has complied with federal immigration laws except as required by state or federal law or as necessary to perform state agency duties. In addition, beginning January 1, 2022, a state agency shall not collect data regarding a person's place of birth, immigration or citizenship status, or information from passports, permanent resident cards, alien registration cards, or employment authorization documents, except as required by state or federal law or as necessary to perform state agency duties.
Access to state agency records: Beginning January 1, 2022, to be granted access to PII through a database or automated network maintained by a state agency that is not otherwise available to the public, a third party must have, within the past year, certified under penalty of perjury that the third party will not use or disclose PII obtained for the purpose of investigating for, participating in, cooperating with, or assisting in federal immigration enforcement, unless required by federal or state law or to comply with a court-issued subpoena, warrant, or order that is not related to prosecution for a violation of specified provisions of federal immigration law. The attorney general's office is required to create a model certification form and provide it to state agencies.
Record keeping and reporting: The bill specifies what a request for records includes and does not include for purposes of the bill. Beginning January 1, 2022, if a third party requests a record from a state agency and the record contains PII, the state agency is required to retain a written record of the request that contains specified information (written record).
Beginning January 1, 2022, and on a quarterly basis thereafter, the state agency is required to provide the information contained in the written record to the governor's office of legal counsel and to attest that no request was granted for any purpose prohibited by the bill. On March 1, 2022, and on a quarterly basis thereafter, the governor's office is required to provide a report to the joint budget committee of the general assembly containing quarterly and year-to-date summaries of the information provided by state agencies in the written record.
Data privacy breaches: Any state agency employee who intentionally violates the provisions of the bill is subject to an injunction and is liable for a civil penalty of not more than $50,000 for each violation.
The bill includes an identification document issued to an individual who is not lawfully present in the United States in the list of records that the department of revenue shall not allow a person to inspect pursuant to the Colorado Open Records Act. In addition, the bill specifies that the provisions of the bill are included in the laws that the department of revenue is required to follow when releasing records for public inspection.
- Became law (06/25/2021)