Second Regular Session
Seventy-fifth General Assembly
STATE OF COLORADO
INTRODUCED
LLS NO. 26-0245.01 Brita Darling x2241 HOUSE BILL 26-1091
House Committees Senate Committees
Business Affairs & Labor
HOUSE SPONSORSHIP
Lieder and Ricks,
SENATE SPONSORSHIP
(None),
Shading denotes HOUSE amendment. Double underlining denotes SENATE amendment.
Capital letters or bold & italic numbers indicate new material to be added to existing law.
Dashes through the words or numbers indicate deletions from existing law.
A BILL FOR AN ACT
CONCERNING DATA PRIVACY PROTECTIONS RELATING TO
HOMEOWNER'S INSURANCE TRANSACTIONS.
Bill Summary
(Note: This summary applies to this bill as introduced and does
not reflect any amendments that may be subsequently adopted. If this bill
passes third reading in the house of introduction, a bill summary that
applies to the reengrossed version of this bill will be available at
http://leg.colorado.gov.)
The bill provides personal data privacy protections for consumers
relating to homeowner's insurance transactions.
The bill establishes standards for an insurer, insurance producer,
or surplus line insurer (licensee), and the director, officer, or agent of the
licensee, as well as a processor on behalf of a licensee, relating to the use
of a consumer's personal data. A licensee or processor is prohibited from
processing a consumer's personal data for purposes unrelated to a
homeowner's insurance transaction, selling personal data, or engaging in
targeted advertising or joint marketing of cobranded financial products
without first obtaining the consumer's affirmative consent to any of those
practices by exercising the right to opt in to those practices. Affiliates of
licensees are subject to the same requirements as licensees with respect
to processing personal data.
A consumer's personal data is defined in the bill, in part, as data
that identifies, relates to, describes, or is capable of being associated with
a particular consumer or household and includes, among other data, a
consumer's name, unique personal identifier, account number, social
security number, property records, products or services purchased,
account logins, information regarding the consumer's interactions with an
internet application, loss history information, credit report, insurance
score, insurance policy number and expiration date, and racial and ethnic
origin. Personal data does not include de-identified data and publicly
available data.
A consumer has the right to confirm whether a licensee is
processing the consumer's personal data, to access the consumer's
personal data, and to request a correction or amendment of inaccurate or
incomplete personal data or the deletion of personal data that is not
needed for the homeowner's insurance transaction or for specific products
or services for which the consumer has given their consent.
The bill requires a licensee to provide a consumer with a data
privacy notice that includes the consumer's rights with respect to personal
data, including the right to know whether and with whom personal data
is being shared, the type and sources of personal data being collected, and
the right to opt in to the sharing or sale of personal data. The bill prohibits
a licensee from retaliating against a consumer with respect to the
provision of homeowner's insurance and the terms of the insurance if the
consumer does not consent to opt in to certain actions relating to their
personal data.
The bill requires a licensee to:
• Enter into a contract with a processor to ensure that those
processing personal data on behalf of the licensee are
complying with the consumer data privacy protections; and
• Have a retention policy to ensure that a consumer's
personal data is deleted when it is no longer necessary for
the insurance or other products or services to which the
consumer has consented.
Additionally, if a licensee makes an adverse underwriting decision
relating to a consumer's request for homeowner's insurance, the licensee
must provide the consumer with the specific reasons for the adverse
decision and allow the consumer to review the specific data relating to the
adverse decision and to correct the data if appropriate. The bill prohibits
a licensee from denying insurance based solely on the loss history of the
previous owner of the property, or based solely on personal data received
from a processor whose primary source of information is licensees,
without the licensee obtaining further information that supports the
adverse decision.
A consumer aggrieved by a violation of the consumer data privacy
protections in the bill may bring a civil action in court and may be
awarded damages for each violation, including treble damages if proved
by clear and convincing evidence that the person violating the bill
engaged in bad faith conduct or intentionally violated the consumer data
privacy protection provisions of the bill.
In addition, the bill makes a violation of the bill an unfair or
deceptive act or practice in the business of insurance and gives the
commissioner of insurance the power to enforce the bill through actions
against licensees and the assessment of civil penalties.
Be it enacted by the General Assembly of the State of Colorado:
SECTION 1. In Colorado Revised Statutes, add 10-4-125 as
follows:
10-4-125. Homeowner's insurance - consumer personal data
protections - licensee requirements - opt in to certain uses of data -
private right of action - rules - legislative declaration - definitions.
(1) Legislative declaration.
(a) THE GENERAL ASSEMBLY FINDS AND DETERMINES THAT:
(I) A HOME IS FREQUENTLY A CONSUMER'S MOST EXPENSIVE AND
MOST IMPORTANT ASSET;
(II) SECURING HOMEOWNER'S INSURANCE TO PROTECT A HOME
FROM RISKS IS VITAL TO OBTAINING FINANCING TO PURCHASE A HOME,
RESULTING IN A LOSS OF BARGAINING POWER FOR A PURCHASER OF
HOMEOWNER'S INSURANCE;
(III) PRIVACY IS VITALLY IMPORTANT IN THE CONTEXT OF THE
INSURANCE BUSINESS, AS INSURANCE COMPANIES REQUIRE SIGNIFICANT
AMOUNTS OF PERSONAL DATA FROM CONSUMERS OF INSURANCE TO
PROPERLY MANAGE RISKS;
(IV) CHANGES IN TECHNOLOGY ARE ALLOWING INSURANCE
COMPANIES TO USE MORE SOPHISTICATED METHODS TO COLLECT AND
PROCESS CONSUMER'S DATA;
(V) IN ADDITION, CHANGES IN THE STRUCTURE OF THE INSURANCE
INDUSTRY HAVE LED TO INCREASINGLY COMPLEX CONTRACTING
RELATIONSHIPS AMONG INSURANCE COMPANIES AND THE COMPANIES'
PROCESSORS AND AFFILIATES;
(VI) HOWEVER, INSURANCE DATA PRIVACY LAWS HAVE NOT KEPT
PACE WITH CHANGES IN THE INSURANCE MARKETPLACE; AND
(VII) CURRENTLY, CONSUMERS ARE PRESENTED WITH PRIVACY
NOTICES THAT ARE CONFUSING AND UNINFORMATIVE, POSSIBLY
SUBJECTING CONSUMERS TO THE OVERCOLLECTION OF THEIR PERSONAL
DATA, THE PROLIFERATION OF THAT DATA TO RECIPIENTS NOT
CONTEMPLATED BY THE CONSUMER, UNWANTED MARKETING CONTACTS,
FRAUD ARISING FROM DATA BREACHES, UNDERWRITING BASED ON STALE
DATA, OR RETALIATION FOR EXERCISING PRIVACY RIGHTS, AMONG OTHER
RISKS.
(b) THE GENERAL ASSEMBLY DECLARES THAT THE PURPOSE OF
THIS SECTION IS TO ADDRESS GAPS IN CONSUMER PROTECTIONS RELATING
TO HOMEOWNER'S INSURANCE AND TO GIVE THE COMMISSIONER AND
CONSUMERS POWERFUL TOOLS TO PROTECT CONSUMER PRIVACY, AS
FOLLOWS:
(I) ENSURING THAT INSURANCE COMPANIES PROCESS ONLY
PERSONAL DATA RELATING TO THE TRANSACTION REQUESTED BY THE
CONSUMER;
(II) ENSURING POLICIES ARE IN PLACE FOR RECORD RETENTION
AND DESTRUCTION OF PERSONAL DATA THAT IS NO LONGER NEEDED;
(III) ENSURING THAT VENDOR CONTRACTS BETWEEN INSURERS
AND PROCESSORS PROTECT THE SECURITY OF CONSUMERS' PERSONAL
DATA;
(IV) OPT-IN REQUIREMENTS SO THAT A CONSUMER'S PERSONAL
DATA IS USED ONLY TO PROVIDE THE INSURANCE PRODUCT REQUESTED BY
THE CONSUMER AND NOT FOR OTHER PURPOSES WITHOUT THE EXPRESS
CONSENT OF THE CONSUMER;
(V) REQUIRING REASONABLE NOTICE TO CONSUMERS WITH
MEANINGFUL INFORMATION ABOUT WHAT DATA IS COLLECTED, HOW IT IS
USED, TO WHOM IT IS DISCLOSED, AND WHAT RIGHTS THE CONSUMER HAS
UNDER THE LAW;
(VI) GOVERNANCE PROCESSES AND PROCEDURES ON DATA USE;
(VII) PROTECTING INSURANCE CONSUMERS' ACCESS TO
NONRETALIATION BY ENSURING THAT THEY HAVE REASONABLE ACCESS TO
THEIR PRIVACY RIGHTS AND ARE NOT RETALIATED AGAINST IN THE
PURCHASE OF HOMEOWNER'S INSURANCE BY EXERCISING THEIR PRIVACY
RIGHTS;
(VIII) AUTHORIZING THE COMMISSIONER TO INVESTIGATE AND
TAKE ACTION AGAINST LICENSEES THAT VIOLATE CONSUMER PRIVACY
PROTECTIONS, INCLUDING ACTIONS BY THE ATTORNEY GENERAL TO
ENFORCE UNFAIR OR DECEPTIVE ACTS OR PRACTICES IN THE BUSINESS OF
INSURANCE; AND
(IX) AUTHORIZING CONSUMERS TO BRING A CIVIL ACTION AGAINST
A LICENSEE FOR VIOLATING THE DATA PRIVACY PROVISIONS OF THIS
SECTION.
(2) Definitions. AS USED IN THIS SECTION, UNLESS THE CONTEXT
OTHERWISE REQUIRES:
(a) (I) "AFFILIATE" MEANS A LEGAL ENTITY THAT CONTROLS, IS
CONTROLLED BY, OR IS UNDER COMMON CONTROL WITH ANOTHER LEGAL
ENTITY.
(II) AS USED IN SUBSECTION (2)(a)(I) OF THIS SECTION, "CONTROL"
MEANS:
(A) OWNERSHIP OF, CONTROL OF, OR POWER TO VOTE
TWENTY-FIVE PERCENT OR MORE OF THE OUTSTANDING SHARES OF ANY
CLASS OF VOTING SECURITY OF THE ENTITY, WHETHER DIRECTLY OR
INDIRECTLY OR ACTING THROUGH ONE OR MORE OTHER PERSONS;
(B) CONTROL IN ANY MANNER OVER THE ELECTION OF A MAJORITY
OF THE DIRECTORS, TRUSTEES, OR GENERAL PARTNERS OF THE ENTITY OR
OF INDIVIDUALS EXERCISING SIMILAR FUNCTIONS; OR
(C) THE POWER TO EXERCISE, DIRECTLY OR INDIRECTLY, A
CONTROLLING INFLUENCE OVER THE MANAGEMENT OR POLICIES OF THE
ENTITY AS DETERMINED BY THE APPLICABLE PRUDENTIAL REGULATOR, AS
THAT TERM IS DEFINED IN 12 U.S.C. SEC. 5481 (24), IF ANY.
(b) "AUTHENTICATE" MEANS TO USE REASONABLE MEANS TO
DETERMINE THAT A REQUEST TO EXERCISE A RIGHT SET FORTH IN THIS
SECTION IS BEING MADE ON BEHALF OF THE CONSUMER WHO IS ENTITLED
TO EXERCISE THE RIGHT.
(c) "CONSENT" MEANS A CLEAR, AFFIRMATIVE ACT SIGNIFYING A
CONSUMER'S FREELY GIVEN, SPECIFIC, INFORMED, AND UNAMBIGUOUS
AGREEMENT, SUCH AS BY A WRITTEN STATEMENT, INCLUDING BY
ELECTRONIC MEANS, OR OTHER CLEAR, AFFIRMATIVE ACTION BY WHICH
THE CONSUMER SIGNIFIES AGREEMENT TO THE PROCESSING OF PERSONAL
DATA. THE FOLLOWING DOES NOT CONSTITUTE CONSENT:
(I) ACCEPTANCE OF A GENERAL OR BROAD TERMS OF USE OR
SIMILAR DOCUMENT THAT CONTAINS DESCRIPTIONS OF PERSONAL DATA
PROCESSING ALONG WITH OTHER, UNRELATED INFORMATION;
(II) HOVERING OVER, MUTING, PAUSING, OR CLOSING A GIVEN
PIECE OF CONTENT; AND
(III) AGREEMENT OBTAINED THROUGH DARK PATTERNS.
(d) "CONSUMER" MEANS A HOMEOWNER'S INSURANCE APPLICANT,
AN INSURED, AND, WITH RESPECT TO THE RETENTION OF PERSONAL DATA,
A FORMERLY INSURED.
(e) "CREDIT REPORT" HAS THE MEANING SET FORTH IN SECTION
10-4-116 (8)(h).
(f) "DARK PATTERN" MEANS A USER INTERFACE DESIGNED OR
MANIPULATED WITH THE SUBSTANTIAL EFFECT OF SUBVERTING OR
IMPAIRING USER AUTONOMY, DECISION-MAKING, OR CHOICE.
(g) "DE-IDENTIFIED DATA" HAS THE MEANING SET FORTH IN
SECTION 6-1-1303 (11).
(h) "DELETE" OR "DELETION" MEANS TO REMOVE OR DESTROY
PERSONAL DATA BY PERMANENTLY ERASING THE PERSONAL DATA ON
EXISTING SYSTEMS SO THAT IT IS NOT MAINTAINED IN HUMAN- OR
MACHINE-READABLE FORM AND CANNOT BE RETRIEVED OR UTILIZED IN
THAT FORM.
(i) (I) "INSURANCE TRANSACTION" MEANS A TRANSACTION OR
SERVICE BY OR ON BEHALF OF A LICENSEE AND ITS AFFILIATES RELATED TO
ANY OF THE FOLLOWING:
(A) THE UNDERWRITING OR THE DETERMINATION OF A
CONSUMER'S ELIGIBILITY FOR OR THE AMOUNT OF HOMEOWNER'S
INSURANCE COVERAGE, A RATE, A BENEFIT, A PAYMENT, OR A CLAIM
SETTLEMENT;
(B) LICENSEES OR PROCESSORS PERFORMING SERVICES, INCLUDING
MAINTAINING OR SERVICING ACCOUNTS, PROVIDING CUSTOMER SERVICE,
PROCESSING REQUESTS OR TRANSACTIONS, VERIFYING CUSTOMER
INFORMATION, PROCESSING PAYMENTS, PROVIDING FINANCING, PROVIDING
ANALYTIC SERVICES, PROVIDING STORAGE, OR ANY SIMILAR SERVICES;
(C) PROVISION OF VALUE-ADDED SERVICES OR BENEFITS IN
CONNECTION WITH THE BUSINESS OF INSURANCE;
(D) AN ACTUARIAL STUDY RELATED TO RATING, RISK
MANAGEMENT, OR EXEMPT RESEARCH ACTIVITIES CONDUCTED BY OR FOR
THE BENEFIT OF THE LICENSEE USING CONSUMERS' PERSONAL DATA;
(E) THE SHORT-TERM, TRANSIENT USE OF A CONSUMER'S PERSONAL
DATA IN CONNECTION WITH THE CONSUMER'S CURRENT INTERACTION WITH
THE LICENSEE, INCLUDING NONPERSONALIZED ADVERTISING SHOWN AS
PART OF A CONSUMER'S CURRENT INTERACTION WITH THE LICENSEE, IF THE
CONSUMER'S PERSONAL DATA IS NOT OTHERWISE SHARED OR SOLD
WITHOUT CONSENT AND IS NOT USED TO BUILD A PROFILE ABOUT THE
CONSUMER OR OTHERWISE ALTER THE CONSUMER'S EXPERIENCE OUTSIDE
THE CURRENT INTERACTION WITH THE LICENSEE;
(F) DETECTION OR PREVENTION OF INSURANCE FRAUD, CRIME
RELATED TO INSURANCE CLAIMS, MATERIAL MISREPRESENTATION, OR
MATERIAL NONDISCLOSURE; OR
(G) PROVIDING PERSONAL DATA TO STATISTICAL AGENTS OR
REINSURERS, PROVIDED THAT THE PERSONAL DATA IS ONLY USED FOR THE
PURPOSES FOR WHICH IT IS SHARED.
(II) "INSURANCE TRANSACTION" DOES NOT INCLUDE PROCESSING
RELATED TO MARKETING OR RESEARCH.
(j) (I) "LICENSEE" MEANS A PERSON LICENSED, REQUIRED TO BE
LICENSED, OR AUTHORIZED TO DO BUSINESS IN THE STATE IN CONNECTION
WITH THE TRANSACTION OF HOMEOWNER'S INSURANCE BUSINESS,
INCLUDING:
(A) AN INSURER, INCLUDING THE FAIR ACCESS TO INSURANCE
REQUIREMENTS PLAN ASSOCIATION CREATED IN SECTION 10-4-1804;
(B) A PRODUCER;
(C) A SURPLUS LINE INSURER; AND
(D) A DIRECTOR, OFFICER, EMPLOYEE, OR AGENT OF A LICENSEE.
(II) "LICENSEE" DOES NOT INCLUDE A PURCHASING GROUP OR A
RISK RETENTION GROUP CHARTERED AND LICENSED IN A STATE OTHER
THAN THIS STATE OR A LICENSEE THAT IS ACTING AS AN ASSUMING
INSURER THAT IS DOMICILED IN ANOTHER STATE OR JURISDICTION.
(k) "LOSS HISTORY INFORMATION REPORT" HAS THE MEANING SET
FORTH IN SECTION 10-4-117 (2).
(l) (I) "PERSONAL DATA" MEANS ANY OF THE FOLLOWING
INFORMATION PROCESSED IN THE BUSINESS OF INSURANCE THAT
IDENTIFIES, RELATES TO, DESCRIBES, IS REASONABLY CAPABLE OF BEING
ASSOCIATED WITH, OR COULD REASONABLY BE LINKED, DIRECTLY OR
INDIRECTLY, WITH A PARTICULAR CONSUMER OR HOUSEHOLD, INCLUDING:
(A) IDENTIFIERS SUCH AS REAL NAME, ALIAS, SIGNATURE, POSTAL
ADDRESS, UNIQUE PERSONAL IDENTIFIER, ONLINE IDENTIFIER, INTERNET
PROTOCOL ADDRESS, EMAIL ADDRESS, TELEPHONE NUMBER, ACCOUNT
NAME, SOCIAL SECURITY NUMBER, DRIVER'S LICENSE NUMBER, PASSPORT
NUMBER, OR OTHER SIMILAR IDENTIFIERS;
(B) COMMERCIAL DATA, INCLUDING RECORDS OF PERSONAL
PROPERTY, PRODUCTS, OR SERVICES PURCHASED, OBTAINED, OR
CONSIDERED, OTHER THAN PURCHASING OR CONSUMER HISTORIES OR
TENDENCIES;
(C) ACCOUNT LOGIN, FINANCIAL ACCOUNT NUMBER, DEBIT CARD
NUMBER, OR CREDIT CARD NUMBER IN COMBINATION WITH ANY REQUIRED
SECURITY ACCESS CODE, PASSWORD, OR CREDENTIALS ALLOWING ACCESS
TO AN ACCOUNT;
(D) INTERNET OR OTHER ELECTRONIC NETWORK ACTIVITY
INFORMATION, INCLUDING BROWSING HISTORY, SEARCH HISTORY, AND
INFORMATION REGARDING A CONSUMER'S INTERACTION WITH AN INTERNET
WEBSITE APPLICATION OR ADVERTISEMENT;
(E) A LOSS HISTORY INFORMATION REPORT;
(F) A CREDIT REPORT;
(G) AN INSURANCE SCORE;
(H) AN INSURANCE POLICY NUMBER;
(I) AN INSURANCE POLICY EXPIRATION DATE;
(J) PROFESSIONAL- OR EMPLOYMENT-RELATED INFORMATION;
(K) EDUCATION INFORMATION THAT IS NOT PUBLICLY AVAILABLE;
(L) PRECISE GEOLOCATION DATA;
(M) INFERENCES DRAWN FROM ANY OF THE INFORMATION
IDENTIFIED IN THIS SUBSECTION (2)(l) TO CREATE A PROFILE ABOUT A
CONSUMER REFLECTING THE CONSUMER'S PREFERENCES,
CHARACTERISTICS, CHARACTER HABITS, AVOCATIONS, FINANCES,
OCCUPATION, GENERAL REPUTATION, CREDIT, PSYCHOLOGICAL TRENDS,
PREDISPOSITIONS, BEHAVIOR, ATTITUDES, INTELLIGENCE, ABILITIES, AND
APTITUDES;
(N) CHARACTERISTICS OF PROTECTED CLASSIFICATIONS PURSUANT
TO STATE OR FEDERAL LAW; AND
(O) RACIAL OR ETHNIC ORIGIN, CITIZENSHIP OR IMMIGRATION
STATUS, RELIGIOUS OR PHILOSOPHICAL BELIEFS, OR UNION MEMBERSHIP.
(II) "PERSONAL DATA" DOES NOT INCLUDE DE-IDENTIFIED DATA,
PSEUDONYMOUS DATA, PUBLICLY AVAILABLE DATA, OR LAWFULLY
OBTAINED, TRUTHFUL INFORMATION THAT IS A MATTER OF PUBLIC
CONCERN.
(m) "PRIVILEGED DATA" MEANS PERSONAL DATA THAT IS
COLLECTED IN CONNECTION WITH OR IN REASONABLE ANTICIPATION OF A
CLAIM FOR INSURANCE BENEFITS OR A CIVIL OR CRIMINAL PROCEEDING
INVOLVING A CONSUMER UNTIL THE CLAIM OR PROCEEDING IS FINALIZED;
EXCEPT THAT INFORMATION THAT MEETS THE REQUIREMENTS OF THIS
SECTION SHALL NEVERTHELESS BE CONSIDERED PERSONAL DATA IF IT IS
DISCLOSED IN VIOLATION OF THIS SECTION.
(n) "PROCESS" OR "PROCESSING" MEANS THE USE, SALE, STORAGE,
DISCLOSURE, ANALYSIS, DELETION, OR MODIFICATION OF PERSONAL DATA
AND INCLUDES THE ACTIONS OF A LICENSEE DIRECTING A PROCESSOR TO
PROCESS PERSONAL DATA.
(o) "PROCESSOR" MEANS A PERSON THAT PROCESSES PERSONAL
DATA ON BEHALF OF A LICENSEE.
(p) "PRODUCER" MEANS A PERSON THAT SOLICITS, NEGOTIATES,
EFFECTS, PROCURES, DELIVERS, RENEWS, CONTINUES, OR BINDS POLICIES
OF HOMEOWNER'S INSURANCE.
(q) "PSEUDONYMOUS DATA" MEANS PERSONAL DATA THAT
CANNOT BE ATTRIBUTED TO A SPECIFIC INDIVIDUAL WITHOUT THE USE OF
ADDITIONAL INFORMATION, PROVIDED THE ADDITIONAL INFORMATION IS
KEPT SEPARATELY AND IS SUBJECT TO APPROPRIATE TECHNICAL AND
ORGANIZATIONAL MEASURES TO ENSURE THAT THE PERSONAL DATA IS NOT
ATTRIBUTABLE TO AN IDENTIFIED OR IDENTIFIABLE INDIVIDUAL.
(r) "PUBLICLY AVAILABLE DATA" MEANS DATA RELATING TO A
CONSUMER THAT A LICENSEE HAS A REASONABLE BASIS TO BELIEVE IS
LAWFULLY MADE AVAILABLE FROM ANY OF THE FOLLOWING:
(I) FEDERAL, STATE, OR LOCAL GOVERNMENT RECORDS;
(II) WIDELY DISTRIBUTED MEDIA; OR
(III) DISCLOSURES TO THE GENERAL PUBLIC THAT ARE REQUIRED
TO BE MADE PURSUANT TO FEDERAL, STATE, OR LOCAL LAW.
(s) "RETAIN" OR "RETENTION" MEANS STORING OR ARCHIVING
PERSONAL DATA THAT IS IN THE CONTINUOUS POSSESSION, USE, OR
CONTROL OF A LICENSEE OR PROCESSOR.
(t) (I) "SALE OF PERSONAL DATA" OR "SELL PERSONAL DATA"
MEANS THE EXCHANGE OF A CONSUMER'S PERSONAL DATA TO A THIRD
PARTY FOR MONETARY OR OTHER VALUABLE CONSIDERATION.
(II) "SALE OF PERSONAL DATA" OR "SELL PERSONAL DATA" DOES
NOT INCLUDE ANY OF THE FOLLOWING SHARING OF PERSONAL DATA:
(A) DISCLOSING PERSONAL DATA TO A PROCESSOR THAT
PROCESSES THE PERSONAL DATA ON BEHALF OF A LICENSEE;
(B) DISCLOSING PERSONAL DATA TO A THIRD PARTY FOR PURPOSES
OF PROVIDING A PRODUCT OR SERVICE SPECIFICALLY REQUESTED BY A
CONSUMER;
(C) DISCLOSING PERSONAL DATA TO AN AFFILIATE OF A LICENSEE;
(D) DISCLOSING PERSONAL DATA PURSUANT TO A CONSUMER'S
DIRECTION TO A LICENSEE TO DISCLOSE PERSONAL DATA TO, OR INTERACT
WITH, ONE OR MORE LICENSEES, A REINSURER, OR A THIRD PARTY;
(E) TRANSFERRING PERSONAL DATA TO A THIRD PARTY AS AN
ASSET PURSUANT TO A MERGER, ACQUISITION, BANKRUPTCY, OR OTHER
TRANSACTION, OR A PROPOSED MERGER, ACQUISITION, BANKRUPTCY, OR
OTHER TRANSACTION, IN WHICH THE THIRD PARTY ASSUMES CONTROL OF
ALL OR PART OF A LICENSEE'S ASSETS; OR
(F) THE DISCLOSURE OF PERSONAL DATA THAT A CONSUMER
INTENTIONALLY MADE AVAILABLE TO THE GENERAL PUBLIC VIA A
CHANNEL OF MASS MEDIA.
(u) "SHARE" OR "SHARING" MEANS SHARING, RENTING, RELEASING,
DISCLOSING, DISSEMINATING, MAKING AVAILABLE, TRANSFERRING, OR
OTHERWISE COMMUNICATING ORALLY, IN WRITING, OR BY ELECTRONIC OR
OTHER MEANS A CONSUMER'S PERSONAL DATA BY A LICENSEE OR
PROCESSOR TO A THIRD PARTY, WHETHER OR NOT FOR MONETARY OR
OTHER VALUABLE CONSIDERATION, INCLUDING TRANSACTIONS BETWEEN
A LICENSEE AND A THIRD PARTY, FOR THE BENEFIT OF ANY PERSON, IN
WHICH NO MONEY IS EXCHANGED.
(v) "TARGETED ADVERTISING" HAS THE MEANING SET FORTH IN
SECTION 6-1-1303 (25).
(w) "THIRD PARTY" MEANS A PERSON, PUBLIC AUTHORITY,
AGENCY, OR BODY OTHER THAN THE CONSUMER, LICENSEE, PROCESSOR,
OR AFFILIATE OF THE LICENSEE OR PROCESSOR.
(x) "VALUE-ADDED SERVICE OR BENEFIT" MEANS A PRODUCT OR
SERVICE THAT RELATES TO HOMEOWNER'S INSURANCE APPLIED FOR OR
PURCHASED BY A CONSUMER THAT IS PRIMARILY DESIGNED TO:
(I) PROVIDE LOSS MITIGATION OR LOSS CONTROL TO MITIGATE
RISKS RELATED TO THE HOMEOWNER'S INSURANCE REQUESTED BY OR
OFFERED TO THE CONSUMER;
(II) REDUCE CLAIM COSTS OR CLAIM SETTLEMENT COSTS;
(III) PROVIDE EDUCATION ABOUT LIABILITY RISKS OR RISK OF LOSS
TO PERSONS OR PROPERTY;
(IV) MONITOR OR ASSESS RISK, IDENTIFY SOURCES OF RISK, OR
DEVELOP STRATEGIES FOR ELIMINATING OR REDUCING RISK; OR
(V) PROVIDE POST-LOSS SERVICES.
(3) Applicability of section.
(a) ON AND AFTER JANUARY 1, 2028, THIS SECTION APPLIES TO A
LICENSEE OR A PROCESSOR THAT:
(I) PROCESSES CONSUMERS' PERSONAL DATA IN CONNECTION WITH
A POLICY OF HOMEOWNER'S INSURANCE;
(II) ENGAGES IN HOMEOWNER'S INSURANCE TRANSACTIONS WITH
CONSUMERS; OR
(III) ENGAGES IN ACTIVITIES NOT RELATED TO HOMEOWNER'S
INSURANCE TRANSACTIONS INVOLVING HOMEOWNER'S INSURANCE
CONSUMERS' PERSONAL DATA.
(b) THE PROTECTIONS OF THIS SECTION EXTEND TO A CONSUMER:
(I) WHOSE PERSONAL DATA IS PROCESSED IN CONNECTION WITH A
HOMEOWNER'S INSURANCE TRANSACTION;
(II) WHO HAS PREVIOUSLY ENGAGED IN HOMEOWNER'S INSURANCE
TRANSACTIONS WITH A LICENSEE OR PROCESSOR INVOLVING THE
CONSUMER'S PERSONAL DATA; OR
(III) WHOSE PERSONAL DATA IS USED FOR PURPOSES OTHER THAN
HOMEOWNER'S INSURANCE TRANSACTIONS BY LICENSEES AND
PROCESSORS.
(c) AN AFFILIATE THAT PROCESSES PERSONAL DATA RECEIVED
FROM, OR ON BEHALF OF, A LICENSEE IS SUBJECT TO THE SAME
REQUIREMENTS UNDER THIS SECTION THAT ARE APPLICABLE TO A
LICENSEE.
(d) THE OBLIGATIONS IMPOSED BY THIS SECTION DO NOT APPLY TO
DEPOSITORY INSTITUTIONS OR AFFILIATES OF DEPOSITORY INSTITUTIONS
THAT ARE SUBJECT TO THE FEDERAL "GRAMM-LEACH-BLILEY ACT", 15
U.S.C. SEC. 6801 ET SEQ., UNLESS THE AFFILIATES ARE LICENSEES FOR
PURPOSES OF THIS SECTION.
(4) Right to access, correct, and delete personal data - right to
opt in to certain activities regarding personal data - rules.
(a) NO LATER THAN JANUARY 1, 2028, A HOMEOWNER'S
INSURANCE CONSUMER HAS THE RIGHT TO:
(I) CONFIRM WHETHER A LICENSEE IS PROCESSING PERSONAL DATA
CONCERNING THE CONSUMER AND TO ACCESS THE CONSUMER'S PERSONAL
DATA;
(II) TAKING INTO ACCOUNT THE NATURE OF THE PERSONAL DATA
AND THE PURPOSE FOR PROCESSING THE CONSUMER'S PERSONAL DATA:
(A) REQUEST A CORRECTION OR AMENDMENT OF INACCURATE OR
INCOMPLETE PERSONAL DATA ABOUT THE CONSUMER; AND
(B) REQUEST THE DELETION OF PERSONAL DATA THAT IS NOT
NEEDED FOR THE COMPLETION OF THE HOMEOWNER'S INSURANCE
TRANSACTION OR FOR SPECIFIC PRODUCTS OR SERVICES FOR WHICH THE
CONSUMER HAS PROVIDED CONSENT;
(III) WHEN EXERCISING THE RIGHT TO ACCESS PERSONAL DATA
PURSUANT TO SUBSECTION (4)(a)(I) OF THIS SECTION, OBTAIN FROM THE
LICENSEE THE PERSONAL DATA IN A PORTABLE AND, TO THE EXTENT
TECHNICALLY FEASIBLE, READILY USABLE FORMAT THAT ALLOWS THE
CONSUMER TO TRANSMIT THE DATA TO ANOTHER ENTITY WITHOUT
HINDRANCE, SO LONG AS THE LICENSEE IS NOT REQUIRED TO REVEAL ANY
TRADE SECRET; AND
(IV) NOTWITHSTANDING ANY OTHER PROVISION OF LAW, OPT IN TO
THE PROCESSING OF THE CONSUMER'S PERSONAL DATA FOR PURPOSES OF:
(A) THE SHARING OF PERSONAL DATA UNRELATED TO THE
INSURANCE TRANSACTION;
(B) THE SALE OF PERSONAL DATA;
(C) TARGETED ADVERTISING; AND
(D) JOINT MARKETING OF COBRANDED FINANCIAL PRODUCTS.
(b) A LICENSEE PROVIDING AN OPT-IN PROCESS REQUIRED
PURSUANT TO SUBSECTION (4)(a)(IV) OF THIS SECTION OR OTHERWISE
OBTAINING CONSENT REQUIRED PURSUANT TO THIS SECTION SHALL
PROVIDE TO A CONSUMER A CLEAR AND CONSPICUOUS NOTICE OF THE TYPE
AND USE OF PERSONAL DATA THAT THE LICENSEE WOULD BE ABLE TO
PROCESS IF THE CONSUMER OPTS IN OR CONSENTS AND A PROCESS FOR THE
CONSUMER TO REVOKE CONSENT AS EASILY AS IT WAS AFFIRMATIVELY
PROVIDED.
(c) THE COMMISSIONER SHALL ADOPT RULES RELATING TO THE
FORM AND MANNER FOR IMPLEMENTING THE CONSUMER RIGHTS SET FORTH
IN THIS SUBSECTION (4).
(5) Duties of licensees - consumer data privacy notice - consent
- prohibited actions.
(a) A LICENSEE SHALL ENSURE THAT A CONSUMER'S PERSONAL
DATA IS NOT PROCESSED, RETAINED, OR SHARED WITHOUT THE
CONSUMER'S CONSENT FOR PURPOSES OTHER THAN THOSE REASONABLY
NECESSARY TO TRANSACT HOMEOWNER'S INSURANCE BUSINESS AND FOR
PRODUCTS OR SERVICES RELATED TO HOMEOWNER'S INSURANCE THAT ARE
SPECIFICALLY REQUESTED BY THE CONSUMER.
(b) (I) A LICENSEE SHALL CREATE A REASONABLY ACCESSIBLE,
CLEAR, AND MEANINGFUL CONSUMER DATA PRIVACY NOTICE AND
DISTRIBUTE THE NOTICE TO EACH CONSUMER WITHIN A REASONABLE TIME
AFTER THE LICENSEE, DIRECTLY OR THROUGH A PROCESSOR, FIRST
COLLECTS, PROCESSES, OR SHARES THE CONSUMER'S PERSONAL DATA.
(II) THE CONSUMER DATA PRIVACY NOTICE MUST STATE IN
WRITING ALL OF THE FOLLOWING:
(A) THAT PERSONAL DATA HAS BEEN OR MAY BE COLLECTED BY
THE LICENSEE OR A PROCESSOR FROM SOURCES OTHER THAN THE
CONSUMER;
(B) THE OTHER SOURCES THAT HAVE BEEN OR MAY BE USED TO
COLLECT PERSONAL DATA;
(C) THE CATEGORIES OF THE CONSUMER'S PERSONAL DATA THAT
THE LICENSEE OR A PROCESSOR HAVE PROCESSED OR MAY PROCESS,
INCLUDING EXAMPLES OF THE DATA IN EACH CATEGORY;
(D) THE PURPOSES FOR WHICH THE LICENSEE PROCESSES THE
CONSUMER'S PERSONAL DATA;
(E) THAT THE LICENSEE AND A PROCESSOR MAY SHARE THE
CONSUMER'S PERSONAL DATA FOR PURPOSES OF THE INSURANCE
TRANSACTION;
(F) THE CATEGORIES OF PERSONS WITH WHOM THE LICENSEE OR A
PROCESSOR HAS SHARED, OR MAY SHARE, THE CONSUMER'S PERSONAL
DATA;
(G) THAT THE CONSUMER MAY, UPON REQUEST, ANNUALLY
OBTAIN A LIST OF PERSONS WITH WHOM THE LICENSEE OR A PROCESSOR
HAS SHARED THE CONSUMER'S PERSONAL DATA WITHIN THE LAST TWELVE
MONTHS;
(H) THAT THE CONSUMER'S PRIOR CONSENT IS REQUIRED FOR THE
LICENSEE OR A PROCESSOR TO PROCESS THE CONSUMER'S PERSONAL DATA
FOR ANY PURPOSES UNRELATED TO THE INSURANCE TRANSACTION OR TO
SELL PERSONAL DATA;
(I) A STATEMENT OF THE CONSUMER'S RIGHTS OF NONRETALIATION
ESTABLISHED PURSUANT TO SUBSECTION (13) OF THIS SECTION;
(J) A STATEMENT OF THE RIGHTS OF THE CONSUMER TO ACCESS,
CORRECT, AMEND, OR DELETE PERSONAL DATA ABOUT THE CONSUMER,
AND THE INSTRUCTIONS FOR EXERCISING THOSE RIGHTS;
(K) A STATEMENT OF THE RIGHTS OF THE CONSUMER TO RECEIVE
NOTICE REGARDING AN ADVERSE UNDERWRITING DECISION, INCLUDING
THE REASONS FOR THE ADVERSE UNDERWRITING DECISION, THE SPECIFIC
DATA UNDERLYING THE ADVERSE UNDERWRITING DECISION, AND THE
SOURCES OF THE DATA;
(L) A STATEMENT OF THE CONSUMER'S RIGHT TO PROVIDE
CONSENT BEFORE THE CONSUMER'S PERSONAL DATA MAY BE PROCESSED
IN A JURISDICTION OUTSIDE OF THE UNITED STATES OR ITS TERRITORIES;
EXCEPT THAT THE REQUIREMENT IN THIS SUBSECTION (5)(b)(II)(L) DOES
NOT APPLY IF THE ONLY SHARING OR PROCESSING IS IN CONNECTION WITH
A REINSURANCE TRANSACTION OR WITH AN AFFILIATE OF THE LICENSEE;
(M) HOW A CONSUMER MAY CONTACT A LICENSEE BY MAIL,
TELEPHONE, AND ACTIVE EMAIL ADDRESS OR OTHER ONLINE MECHANISM;
AND
(N) ADDITIONAL ITEMS THAT THE COMMISSIONER SPECIFIES BY
RULE.
(III) IF THE LICENSEE INTENDS TO SHARE A CONSUMER'S PERSONAL
DATA FOR PURPOSES UNRELATED TO THE INSURANCE TRANSACTION OR TO
SELL PERSONAL DATA, IN ADDITION TO THE INFORMATION REQUIRED
PURSUANT TO SUBSECTION (5)(b)(II) OF THIS SECTION, THE CONSUMER
PRIVACY NOTICE MUST INCLUDE:
(A) A DESCRIPTION OF THE REASONABLE MEANS BY WHICH A
CONSUMER MAY OPT IN OR OTHERWISE INDICATE THEIR CONSENT FOR ANY
ONE OR MORE OF THOSE PURPOSES; AND
(B) THAT ONCE THE CONSUMER CONSENTS TO THE SHARING OR
SALE OF PERSONAL DATA, THE CONSUMER MAY REVOKE THE CONSENT AT
ANY TIME AND THAT THE LICENSEE WILL NO LONGER SHARE OR SELL THE
CONSUMER'S PERSONAL DATA FOR THOSE PURPOSES.
(IV) THE OBLIGATIONS IMPOSED BY THIS SECTION UPON A
LICENSEE MAY BE SATISFIED BY ANOTHER LICENSEE OR A PROCESSOR
AUTHORIZED TO ACT ON THE LICENSEE'S BEHALF.
(c) A LICENSEE AND PROCESSOR SHALL TAKE REASONABLE STEPS
TO SECURE PERSONAL DATA DURING BOTH STORAGE AND USE FROM
UNAUTHORIZED ACQUISITION. A LICENSEE'S DATA SECURITY PRACTICES
MUST BE APPROPRIATE TO THE VOLUME, SCOPE, AND NATURE OF THE
PERSONAL DATA PROCESSED TO TRANSACT HOMEOWNER'S INSURANCE
BUSINESS.
(6) Form of consent.
(a) TO COMPLY WITH THE OPT-IN OR CONSENT REQUIREMENTS OF
THIS SECTION, A LICENSEE OR PROCESSOR SHALL USE A METHOD OF
CAPTURING A CONSUMER'S CONSENT THAT IS CAPABLE OF BEING
RECORDED OR MAINTAINED FOR AS LONG AS THE LICENSEE HAS A BUSINESS
RELATIONSHIP WITH A CONSUMER OR A METHOD REQUIRED PURSUANT TO
THIS SECTION.
(b) A LICENSEE SHALL NOT REQUIRE A CONSUMER TO CREATE A
NEW ACCOUNT IN ORDER TO EXERCISE A RIGHT SPECIFIED IN SUBSECTION
(4) OR (5) OF THIS SECTION.
(c) (I) WHEN A CONSUMER HAS A CHOICE TO OPT IN OR PROVIDE
PRIOR CONSENT PURSUANT TO THIS SECTION, THE FORM USED TO OBTAIN
THE CONSUMER'S CONSENT MUST:
(A) BE WRITTEN IN PLAIN LANGUAGE;
(B) BE DATED AND, IF THE CONSENT RELATES TO THE SHARING OR
USE OF PERSONAL DATA OF A CONSUMER WITH WHOM THE LICENSEE HAS
NO ONGOING RELATIONSHIP PURSUANT TO A CLAIM UNDER THE LICENSEE'S
POLICY, CONTAIN A TERMINATION DATE FOR THE CONSENT;
(C) NAME THE LICENSEE THAT THE CONSUMER AUTHORIZES TO
SHARE THE CONSUMER'S PERSONAL DATA;
(D) SPECIFY TO WHOM THE CONSUMER'S PERSONAL DATA WILL BE
SHARED CONSISTENT WITH THIS SECTION;
(E) SPECIFY THE TYPES AND USES OF THE PERSONAL DATA THAT
THE CONSUMER IS AUTHORIZING TO BE SHARED;
(F) ADVISE THE CONSUMER THAT THE CONSUMER IS ENTITLED TO
RECEIVE A COPY OF THE FORM CONTAINING THE CONSUMER'S CONSENT;
(G) EXPLAIN THAT, PURSUANT TO SUBSECTION (13) OF THIS
SECTION, THE CONSUMER IS PROTECTED FROM RETALIATION,
DISCRIMINATION, OR DISPARATE TREATMENT BASED ON THE CONSUMER'S
DECISION TO PROVIDE OR WITHHOLD CONSENT; AND
(H) INCLUDE ADDITIONAL DATA OR ELEMENTS SPECIFIED BY THE
COMMISSIONER BY RULE.
(II) THE CONSUMER'S MOST RECENT CONSENT SHALL TAKE
PRECEDENCE OVER ANY PRIOR CONSENT.
(III) A CONSUMER'S CONSENT GIVEN PURSUANT TO THIS SECTION
IS EFFECTIVE UNTIL IT IS REVOKED BY THE CONSUMER, BUT CONSENT
PROVIDED BY A CONSUMER WITH WHOM A LICENSEE HAS NO ONGOING
CUSTOMER RELATIONSHIP IS ONLY VALID FOR THE DURATION SPECIFIED ON
THE CONSENT DOCUMENT.
(IV) IF A CONSUMER ESTABLISHES A NEW RELATIONSHIP WITH A
LICENSEE, ANY CONSENT THAT APPLIED TO THE FORMER RELATIONSHIP
DOES NOT APPLY TO THE NEW RELATIONSHIP. A NEW RELATIONSHIP
OCCURS WHEN THE CONSUMER WHO PREVIOUSLY ENDED ALL BUSINESS
RELATIONSHIPS WITH A LICENSEE REESTABLISHES A BUSINESS
RELATIONSHIP MORE THAN THIRTY DAYS AFTER THE PREVIOUS BUSINESS
RELATIONSHIP ENDED.
(V) IF TWO OR MORE CONSUMERS JOINTLY OBTAIN HOMEOWNER'S
INSURANCE OR ANOTHER PRODUCT OR SERVICE FROM A LICENSEE, THE
LICENSEE OR A PROCESSOR MAY PROVIDE A SINGLE CONSENT NOTICE.
EACH OF THE JOINT CONSUMERS SHALL INDICATE THEIR CONSENT.
(7) Designated agent - authorization.
(a) A CONSUMER MAY DESIGNATE ANOTHER PERSON, ACTING ON
THE CONSUMER'S BEHALF TO EXERCISE THE CONSUMER'S RIGHTS,
INCLUDING PROVIDING CONSENT WHERE REQUIRED AND OPTING IN TO
LICENSEE OR PROCESSOR ACTIONS SPECIFIED IN SUBSECTIONS (4) AND (5)
OF THIS SECTION.
(b) A LICENSEE OR PROCESSOR SHALL COMPLY WITH ACTIONS
TAKEN BY A CONSUMER'S DESIGNATED AGENT IF THE LICENSEE IS ABLE TO
AUTHENTICATE, WITH COMMERCIALLY REASONABLE EFFORT, THE
IDENTITY OF THE CONSUMER AND THE AUTHORITY OF THE AUTHORIZED
AGENT TO ACT ON THE CONSUMER'S BEHALF.
(8) Requirements for processing consumer's personal data -27
HB26-1091-21-
prohibitions.1
(a) A LICENSEE SHALL NOT PROCESS A CONSUMER'S PERSONAL
DATA UNLESS:
(I) THE PROCESSING, RETENTION, OR SHARING OF THE CONSUMER'S
PERSONAL DATA IS CONSISTENT WITH AND COMPLIES WITH THE MOST
RECENT DATA PRIVACY NOTICE PROVIDED TO THE CONSUMER BY THE
LICENSEE PURSUANT TO SUBSECTION (5) OF THIS SECTION; AND
(II) THE PROCESSING AND RETENTION OF THE CONSUMER'S
PERSONAL DATA IS REASONABLY NECESSARY AND PROPORTIONATE TO
ACHIEVE THE PURPOSES RELATED TO A HOMEOWNER'S INSURANCE
TRANSACTION OR OTHER PURPOSE THE CONSUMER REQUESTED OR
AUTHORIZED AND NOT FURTHER PROCESSED IN A MANNER THAT IS
INCOMPATIBLE WITH THOSE PURPOSES.
(b) A LICENSEE SHALL NOT PERMIT AN EMPLOYEE TO PROCESS,
RETAIN, OR SHARE A CONSUMER'S PERSONAL DATA, EXCEPT AS RELEVANT
AND NECESSARY AS PART OF THAT EMPLOYEE'S ASSIGNED DUTIES.
(c) A REINSURER, PROCESSOR, OR SURPLUS LINE INSURER SHALL
NOT PROCESS A CONSUMER'S PERSONAL DATA UNLESS:
(I) THE PROCESSING IS IN COMPLIANCE WITH THIS SECTION;
(II) THE PROCESSING OF THE CONSUMER'S PERSONAL DATA IS
CONSISTENT WITH AND COMPLIES WITH THE MOST RECENT PRIVACY
NOTICE PROVIDED BY THE REINSURER, PROCESSOR, OR SURPLUS LINE
INSURER ON ITS INTERNET WEBSITE;
(III) WITH RESPECT TO REINSURERS, THE PROCESSING OF THE
CONSUMER'S PERSONAL DATA IS REASONABLY NECESSARY AND
PROPORTIONATE TO ACHIEVE THE PURPOSES RELATED TO THE
REINSURANCE TRANSACTION AND NOT FURTHER PROCESSED IN A MANNER
THAT IS INCOMPATIBLE WITH THOSE PURPOSES; AND
(IV) WITH RESPECT TO PROCESSORS AND SURPLUS LINE INSURERS,
THE PROCESSING OF THE CONSUMER'S PERSONAL DATA IS REASONABLY
NECESSARY AND PROPORTIONATE TO ACHIEVE THE PURPOSES RELATED TO
THE PURPOSES FOR WHICH THE PROCESSOR OR SURPLUS LINE INSURER
COLLECTED THE DATA AND NOT FURTHER PROCESSED IN A MANNER THAT
IS INCOMPATIBLE WITH THOSE PURPOSES.
(d) OTHER THAN PROCESSING PURSUANT TO A CONTRACT WITH A
LICENSEE PURSUANT TO SUBSECTION (10) OF THIS SECTION, A REINSURER,
PROCESSOR, OR SURPLUS LINE INSURER SHALL NOT PROCESS A CONSUMER'S
PERSONAL DATA OBTAINED IN THE BUSINESS OF INSURANCE FOR A
PURPOSE UNRELATED TO AN INSURANCE TRANSACTION.
(9) Authorized processing of personal data.
(a) CONSISTENT WITH THIS SECTION, A LICENSEE MAY PROCESS A
CONSUMER'S PERSONAL DATA AS NECESSARY FOR THE FOLLOWING
PURPOSES:
(I) IN CONNECTION WITH AN INSURANCE TRANSACTION;
(II) FOR COMPLIANCE WITH A REQUEST OR DIRECTIVE FROM A LAW
ENFORCEMENT AGENCY OR INSURANCE REGULATORY AUTHORITY OR AN
ADMINISTRATIVE, CRIMINAL, OR CIVIL LEGAL PROCESS, ARBITRATION, OR
OTHER LEGAL REQUIREMENT OR ORDER THAT IS BINDING UPON THE
LICENSEE;
(III) WHEN SPECIFICALLY REQUIRED BY STATE LAW;
(IV) FOR A LIENHOLDER, MORTGAGEE, ASSIGNEE, LESSOR, OR
OTHER PERSON SHOWN IN THE RECORDS OF A LICENSEE AS HAVING A
LEGAL OR BENEFICIAL INTEREST IN AN INSURANCE POLICY, TO PROTECT
THAT INTEREST, IF THE PERSONAL DATA SHARED IS LIMITED TO WHAT IS
REASONABLY NECESSARY TO PROTECT THE REQUESTOR'S LEGAL INTERESTS
IN THE POLICY;
(V) TO PERMIT A PARTY OR A REPRESENTATIVE OF A PARTY TO A
PROPOSED OR CONSUMMATED SALE, TRANSFER, MERGER, OR
CONSOLIDATION OF ALL OR PART OF THE BUSINESS OF THE LICENSEE TO
REVIEW THE PERSONAL DATA NECESSARY FOR THE TRANSACTION, IF:
(A) BEFORE THE CONSUMMATION OF THE SALE, TRANSFER,
MERGER, OR CONSOLIDATION, PERSONAL DATA IS ONLY SHARED AS IS
REASONABLY NECESSARY TO ENABLE THE RECIPIENT TO MAKE BUSINESS
DECISIONS ABOUT THE SALE, TRANSFER, MERGER, OR CONSOLIDATION;
AND
(B) THE RECIPIENT AGREES NOT TO SHARE THE ACQUIRED
PERSONAL DATA FOR PURPOSES OTHER THAN THE SALE, TRANSFER,
MERGER, OR CONSOLIDATION;
(VI) IN CONNECTION WITH THE MARKETING OF A PRODUCT OR
SERVICE, AFTER RECEIVING AFFIRMATIVE CONSENT FROM THE CONSUMER
TO USE THE CONSUMER'S PERSONAL DATA IN CONNECTION WITH THE
SPECIFIC MARKETING ACTIVITY TO WHICH THE CONSUMER HAS
CONSENTED;
(VII) IN CONNECTION WITH THE JOINT MARKETING OF COBRANDED
FINANCIAL PRODUCTS OR SERVICES BETWEEN A LICENSEE AND A
FINANCIAL INSTITUTION, IF:
(A) THE CONSUMER OPTS IN TO THE JOINT MARKETING ACTIVITY;
(B) PERSONAL DATA IS ONLY PROCESSED PURSUANT TO A
CONTRACT COMPLYING WITH THE REQUIREMENTS OF SUBSECTION (10) OF
THIS SECTION; AND
(C) ONLY THE FOLLOWING ELEMENTS OF PERSONAL DATA ARE
SHARED AND PROCESSED FOR PURPOSES OF THE JOINT MARKETING: THE
CONSUMER'S NAME, ADDRESS OR EMAIL ADDRESS, FINANCIAL INSTITUTION
AFFILIATION, AND ACCOUNT TYPE; AND
(VIII) ADDITIONAL PURPOSES SPECIFIED BY THE COMMISSIONER BY
RULE.
(b) A LICENSEE MAY PROCESS A CONSUMER'S DE-IDENTIFIED DATA.
(c) THIS SUBSECTION (9) DOES NOT PROHIBIT THE SHARING OF A
CONSUMER'S PERSONAL DATA WITH A LICENSEE'S AFFILIATES TO THE
EXTENT PREEMPTED BY SECTION 15 U.S.C. SEC. 1681t (b)(1)(H) OR 1681t
(b)(2).
(10) Contracts between licensees and processors.
(a) A LICENSEE SHALL EXERCISE DUE DILIGENCE IN SELECTING AND
OVERSEEING THE LICENSEE'S PROCESSORS. A LICENSEE SHALL DEVELOP
WRITTEN PROCEDURES FOR THE SELECTION AND OVERSIGHT OF
PROCESSORS AND SHALL MAKE THE PROCEDURES AVAILABLE TO THE
COMMISSIONER UPON REQUEST. A LICENSEE'S PROCEDURES DEVELOPED
PURSUANT TO THIS SUBSECTION (10) ARE NOT A PUBLIC RECORD AND ARE
EXEMPT FROM PUBLIC INSPECTION AND COPYING UNDER THE "COLORADO
OPEN RECORDS ACT", PART 2 OF ARTICLE 72 OF TITLE 24.
(b) PROCESSING BY A PROCESSOR MUST BE GOVERNED BY A
CONTRACT BETWEEN THE LICENSEE AND THE PROCESSOR THAT IS BINDING
ON BOTH PARTIES. THE CONTRACT MUST CONTAIN CLEAR INSTRUCTIONS
FOR PROCESSING PERSONAL DATA, THE NATURE AND PURPOSE OF
PROCESSING, THE TYPES OF PERSONAL DATA SUBJECT TO PROCESSING, THE
DURATION OF PROCESSING, AND THE RIGHTS AND OBLIGATIONS OF BOTH
PARTIES. THE CONTRACT MUST ALSO INCLUDE REQUIREMENTS THAT THE
PROCESSOR DO ALL OF THE FOLLOWING:
(I) ENSURE THAT EACH PERSON PROCESSING PERSONAL DATA IS
SUBJECT TO A DUTY OF CONFIDENTIALITY WITH RESPECT TO THE PERSONAL
DATA AND ONLY USES THE PERSONAL DATA FOR LEGITIMATE DUTIES AS
ASSIGNED;
(II) DEVELOP AND MAINTAIN A PROGRAM OF ADMINISTRATIVE,
TECHNICAL, AND PHYSICAL SAFEGUARDS SUFFICIENT TO ENSURE THE
CONFIDENTIALITY, INTEGRITY, AND AVAILABILITY OF PERSONAL DATA
PROVIDED BY THE LICENSEE;
(III) PROMPTLY REPORT TO THE LICENSEE AND THE COMMISSIONER
ANY INCIDENT AFFECTING THE CONFIDENTIALITY, INTEGRITY, OR
AVAILABILITY OF PERSONAL DATA, INCLUDING A BREACH IN THE SECURITY
OF PERSONAL DATA;
(IV) AT THE CHOICE OF THE LICENSEE, DELETE OR RETURN ALL
PERSONAL DATA TO THE LICENSEE AS REQUESTED AT THE END OF THE
PROVISION OF SERVICES, UNLESS RETENTION OF THE PERSONAL DATA IS
REQUIRED BY LAW OR THE LICENSEE REQUESTS AN EARLIER DELETION
DATE;
(V) UPON THE REASONABLE REQUEST OF THE LICENSEE, MAKE
AVAILABLE TO THE LICENSEE ALL INFORMATION IN THE PROCESSOR'S
POSSESSION NECESSARY TO DEMONSTRATE THE PROCESSOR'S COMPLIANCE
WITH THIS SECTION;
(VI) PROVIDE REASONABLE ASSISTANCE TO THE COMMISSIONER
WITH RESPECT TO AN INVESTIGATION OR PROCEEDING PURSUANT TO THIS
SECTION OR TO THE LICENSEE WITH RESPECT TO A CONSUMER REQUEST
PURSUANT TO THIS SECTION;
(VII) ENGAGE A SUBCONTRACTOR PURSUANT TO A WRITTEN
CONTRACT THAT REQUIRES THE SUBCONTRACTOR TO COMPLY WITH THE
SAME OBLIGATIONS AS THE PROCESSOR WITH RESPECT TO THE PERSONAL
DATA;
(VIII) NOT FURTHER PROCESS OR DISCLOSE THE PERSONAL DATA
OBTAINED FROM OR ON BEHALF OF THE LICENSEE OTHER THAN AS
SPECIFICALLY STATED IN THE CONTRACT; AND
(IX) PROMPTLY NOTIFY THE LICENSEE IF THE PROCESSOR IS NO
LONGER ABLE TO COMPLY WITH THE PROCESSOR'S OBLIGATIONS UNDER
THE CONTRACT, IN WHICH CASE THE LICENSEE HAS THE RIGHT TO
TERMINATE THE CONTRACT.
(c) NOTWITHSTANDING SUBSECTION (10)(b) OF THIS SECTION, IN
CONNECTION WITH AN INSURANCE TRANSACTION, A LICENSEE MAY SHARE
A CONSUMER'S PERSONAL DATA WITH A PROCESSOR WITH WHICH THE
LICENSEE HAS NO ONGOING BUSINESS RELATIONSHIP AND WITH WHICH THE
LICENSEE HAS NO WRITTEN CONTRACT UPON RECEIVING THE CONSENT OF
THE CONSUMER AND ONLY TO THE EXTENT NECESSARY TO PROVIDE THE
TEMPORARY SERVICE REQUESTED BY THE LICENSEE ON BEHALF OF THE
CONSUMER.
(d) A PROCESSOR SHALL ALLOW FOR, AND CONTRIBUTE TO,
REASONABLE AUDITS AND INSPECTIONS BY THE LICENSEE OR THE
LICENSEE'S DESIGNATED AUDITOR. ALTERNATIVELY, THE PROCESSOR MAY,
WITH THE LICENSEE'S CONSENT, ARRANGE FOR A QUALIFIED AND
INDEPENDENT AUDITOR TO CONDUCT, AT LEAST ANNUALLY AND AT THE
PROCESSOR'S EXPENSE, AN AUDIT OF THE PROCESSOR'S POLICIES AND
TECHNICAL AND ORGANIZATIONAL MEASURES IN SUPPORT OF THE
OBLIGATIONS UNDER THIS SECTION USING AN APPROPRIATE AND ACCEPTED
CONTROL STANDARD OR FRAMEWORK AND AUDIT PROCEDURE FOR THE
AUDITS AS APPLICABLE. THE PROCESSOR SHALL PROVIDE A REPORT OF THE
AUDIT TO THE LICENSEE UPON REQUEST.
(e) THIS SUBSECTION (10) APPLIES TO A CONTRACT BETWEEN A
LICENSEE AND A PROCESSOR THAT IS EXECUTED, AMENDED, OR RENEWED
ON OR AFTER JANUARY 1, 2028. IF A LICENSEE HAS AN IN-FORCE
CONTRACT WITH A PROCESSOR THAT PROCESSES, RETAINS, OR SHARES ANY
CONSUMER'S PERSONAL DATA AND THE CONTRACT HAS NOT BEEN
RENEWED AFTER THE EFFECTIVE DATE OF THIS SECTION, THE LICENSEE
SHALL NOTIFY THE PROCESSOR OF THE REQUIREMENTS OF THIS SECTION.
(f) IN NO EVENT MAY A CONTRACT RELIEVE A LICENSEE OR A
PROCESSOR FROM THE LIABILITIES IMPOSED ON THEM BY VIRTUE OF THEIR
ROLE IN THE PROCESSING RELATIONSHIP AS DESCRIBED IN THIS SECTION.
(11) Retention of personal data.
(a) A LICENSEE OR PROCESSOR MAY RETAIN A CONSUMER'S
PERSONAL DATA AS NECESSARY FOR ANY OF THE FOLLOWING:
(I) PERFORMANCE OF A HOMEOWNER'S INSURANCE TRANSACTION,
PRODUCT, OR SERVICE WITH A CONSUMER WHO IS IN AN ONGOING BUSINESS
RELATIONSHIP WITH THE LICENSEE AND WHO, IF REQUIRED, HAS
CONSENTED TO OR OPTED IN TO THE PRODUCT OR SERVICE;
(II) COMPLIANCE WITH A LEGAL OBLIGATION OF THE LICENSEE
RELATED TO THE INSURANCE TRANSACTION INVOLVING THE CONSUMER'S
PERSONAL DATA;
(III) COMPLIANCE WITH A REQUEST OR DIRECTIVE FROM A LAW
ENFORCEMENT AGENCY OR STATE, FEDERAL, OR INTERNATIONAL
REGULATORY AUTHORITY; A WARRANT, A SUBPOENA, A DISCOVERY
REQUEST, A JUDICIAL ORDER, OR OTHER ADMINISTRATIVE, CRIMINAL, OR
CIVIL LEGAL PROCESS; OR ANOTHER LEGAL REQUIREMENT THAT IS BINDING
UPON A LICENSEE;
(IV) PROTECTION OF A LEGAL OR BENEFICIAL INTEREST IN AN
INSURANCE POLICY, WITH RESPECT TO A LIENHOLDER, A MORTGAGEE, AN
ASSIGNEE, A LESSOR, OR OTHER PERSON SHOWN ON THE RECORDS OF A
LICENSEE AS HAVING A LEGAL OR BENEFICIAL INTEREST IN THE INSURANCE
POLICY;
(V) EXEMPT RESEARCH ACTIVITIES RELATED TO AN INSURANCE
TRANSACTION INVOLVING THE CONSUMER'S PERSONAL DATA, OR FOR
RATING OR RISK MANAGEMENT PURPOSES FOR OR ON BEHALF OF THE
LICENSEE IN CONNECTION WITH A HOMEOWNER'S INSURANCE PRODUCT OR
SERVICE;
(VI) IDENTIFICATION OF BENEFICIARIES OF UNCLAIMED INSURANCE
POLICY BENEFITS; AND
(VII) OTHER PURPOSES THAT THE COMMISSIONER IDENTIFIES BY
RULE.
(b) (I) NOT LESS THAN ANNUALLY, A LICENSEE AND PROCESSOR
SHALL REVIEW ANY RECORDS CONTAINING PERSONAL DATA TO DETERMINE
WHETHER ANY OF THE PURPOSES SPECIFIED IN SUBSECTION (11)(a) OF THIS
SECTION PERMIT THE CONTINUING RETENTION OF A CONSUMER'S PERSONAL
DATA.
(II) ONCE A LICENSEE HAS DETERMINED THAT A CONSUMER'S
PERSONAL DATA, OR A SPECIFIC ELEMENT OF PERSONAL DATA, IS NO
LONGER NEEDED, THE LICENSEE SHALL DESTROY THE CONSUMER'S
PERSONAL DATA WITHIN NINETY DAYS AFTER MAKING THE
DETERMINATION.
(III) SUBJECT TO THE APPROVAL OF THE COMMISSIONER, IF A
LICENSEE'S SYSTEMS DO NOT ALLOW THE TARGETED DESTRUCTION OF
PERSONAL DATA, THE LICENSEE SHALL:
(A) DEVELOP A WRITTEN PLAN THAT PROVIDES FOR
TRANSITIONING FROM THE EXISTING SYSTEMS WITHIN A REASONABLE TIME
FRAME; AND
(B) REPORT PROGRESS TO THE COMMISSIONER.
(IV) A LICENSEE SHALL DEVELOP A WRITTEN DATA RETENTION
POLICY AND DATA RETENTION SCHEDULE AND SHALL MAKE THE POLICY
AND SCHEDULE AVAILABLE TO THE COMMISSIONER UPON REQUEST.
(V) UNLESS RETENTION OF THE PERSONAL DATA IS OTHERWISE
REQUIRED BY LAW, A PROCESSOR IN POSSESSION OF A CONSUMER'S
PERSONAL DATA PROVIDED BY A LICENSEE SHALL DELETE THAT DATA AS
OF THE DATE SPECIFIED IN THE CONTRACT BETWEEN THE LICENSEE AND A
THIRD-PARTY SERVICE PROVIDER, OR UPON THE CONCLUSION OF THE
PROVISION OF SERVICES, UNLESS THE LICENSEE SPECIFIES AN EARLIER
DESTRUCTION DATE.
(VI) THIS SUBSECTION (11)(b) DOES NOT PERMIT OR REQUIRE THE
DELETION OF A RECORD THAT IS REQUIRED BY LAW TO BE RETAINED.
(12) Adverse underwriting decision - consumer rights.
(a) (I) IN THE EVENT OF AN ADVERSE UNDERWRITING DECISION
RELATING TO A HOMEOWNER'S INSURANCE TRANSACTION, THE LICENSEE
RESPONSIBLE FOR THE DECISION SHALL PROVIDE IN WRITING TO THE
CONSUMER AT THE CONSUMER'S ADDRESS OF RECORD AND, IF KNOWN, THE
EMAIL ADDRESS OF THE CONSUMER:
(A) THE SPECIFIC REASON OR REASONS FOR THE ADVERSE
UNDERWRITING DECISION;
(B) THE SPECIFIC ITEMS OF PERSONAL, PUBLICLY AVAILABLE, OR
PRIVILEGED DATA THAT SUPPORT THOSE REASONS, INCLUDING THE NAMES
AND ADDRESSES OF THE SOURCES THAT SUPPLIED THE DATA THAT
RESULTED IN THE ADVERSE UNDERWRITING DECISION;
(C) A LIST IDENTIFYING WITH REASONABLE SPECIFICITY ANY
SYSTEMS, PROCESSES, POLICIES, OR PROCEDURES INVOLVED IN
GENERATING DATA THAT RESULTED IN THE ADVERSE UNDERWRITING
DECISION; AND
(D) A SUMMARY OF THE CONSUMER'S RIGHT TO ACCESS, CORRECT,
AMEND, OR DELETE PERSONAL DATA PURSUANT TO SUBSECTION (4) OF
THIS SECTION.
(II) NOTWITHSTANDING SUBSECTION (12)(a)(I)(B) OF THIS
SECTION, A LICENSEE IS NOT REQUIRED TO FURNISH SPECIFIC PRIVILEGED
DATA IF THE LICENSEE HAS A REASONABLE SUSPICION, BASED UPON
SPECIFIC INFORMATION AVAILABLE FOR REVIEW BY THE COMMISSIONER,
THAT THE CONSUMER HAS ENGAGED IN CRIMINAL ACTIVITY, FRAUD,
MATERIAL MISREPRESENTATION, OR A MATERIAL NONDISCLOSURE AND
THAT THE DATA WITHHELD RELATES TO THE SUSPECTED CRIMINAL
ACTIVITY, FRAUD, MATERIAL MISREPRESENTATION, OR MATERIAL
NONDISCLOSURE.
(b) A LICENSEE SHALL NOT BASE AN ADVERSE UNDERWRITING
DECISION ON:
(I) SOLELY THE LOSS HISTORY OF THE PREVIOUS OWNER OF THE
PROPERTY TO BE INSURED;
(II) PERSONAL DATA RECEIVED FROM A PROCESSOR WHOSE
PRIMARY SOURCE OF INFORMATION IS LICENSEES, UNLESS THE LICENSEE
OBTAINS FURTHER DATA INDEPENDENTLY SUPPORTING THE ADVERSE
UNDERWRITING DECISION;
(III) A PREVIOUS ADVERSE UNDERWRITING DECISION AFFECTING
THE CONSUMER, UNLESS THE LICENSEE BASES ITS UNDERWRITING DECISION
ON THE UNDERLYING BASIS OF THE PREVIOUS DECISION; OR
(IV) INFORMATION THAT THE CONSUMER INQUIRED ABOUT THE
NATURE OR SCOPE OF COVERAGE UNDER A POLICY AND THE INQUIRY DID
NOT RESULT IN THE FILING OF A CLAIM.
(c) THE COMMISSIONER MAY ASSIST A CONSUMER WITH OBTAINING
INFORMATION ABOUT AN ADVERSE UNDERWRITING DECISION AFFECTING
THE CONSUMER. THE COMMISSIONER MAY REQUEST INFORMATION
REGARDING SYSTEMS, PROCESSES, POLICIES, OR PROCEDURES RESPONSIBLE
FOR GENERATING THE DATA THAT RESULTED IN THE ADVERSE
UNDERWRITING DECISION. INFORMATION RECEIVED ABOUT SYSTEMS,
PROCESSES, POLICIES, OR PROCEDURES IS CONFIDENTIAL AND IS EXEMPT
FROM PUBLIC INSPECTION AND COPYING UNDER THE "COLORADO OPEN
RECORDS ACT", PART 2 OF ARTICLE 72 OF TITLE 24.
(d) FOR PURPOSES OF THIS SECTION, THE FOLLOWING ACTIONS ARE
NOT ADVERSE UNDERWRITING DECISIONS, BUT THE LICENSEE RESPONSIBLE
FOR TAKING THE ACTION SHALL PROVIDE THE CONSUMER WITH THE
SPECIFIC REASON OR REASONS FOR THE ACTION IN WRITING:
(I) THE TERMINATION OF AN INDIVIDUAL POLICY FORM ON A
CLASS-WIDE OR STATEWIDE BASIS;
(II) A DENIAL OF INSURANCE COVERAGE SOLELY BECAUSE THE
COVERAGE IS NOT AVAILABLE ON A CLASS-WIDE OR STATEWIDE BASIS; OR
(III) IF REQUESTED BY A CONSUMER, ANY INSURER-INITIATED
INCREASE IN THE PREMIUM ON AN INSURANCE PRODUCT PURCHASED BY
THE CONSUMER.
(13) Nonretaliation for exercise of privacy rights. A LICENSEE
OR PROCESSOR SHALL NOT RETALIATE AGAINST A CONSUMER BECAUSE THE
CONSUMER EXERCISED OR ATTEMPTED TO EXERCISE THE CONSUMER'S
RIGHTS PURSUANT TO THIS SECTION. A LICENSEE OR PROCESSOR
RETALIATES AGAINST A CONSUMER IF THE LICENSEE OR PROCESSOR, AS A
RESULT OF A CONSUMER'S PRIVACY CHOICES:
(a) INFRINGES UPON A RIGHT, OR IMPAIRS OR IMPEDES A BENEFIT
OR PROTECTION, THAT IS AFFORDED TO CONSUMERS UNDER THIS SECTION;
(b) REQUIRES THE CONSUMER TO CONSENT TO THE SHARING OR
SALE OF PERSONAL DATA FOR A PURPOSE UNRELATED TO AN INSURANCE
TRANSACTION TO OBTAIN A PARTICULAR PRODUCT, COVERAGE, RATE, OR
SERVICE, AND THE PERSONAL DATA IS NOT NECESSARY FOR THE PROVISION
OF THE PRODUCT OR SERVICE;
(c) IMPOSES A FEE OR CHARGE FOR THE CONSUMER TO EXERCISE
THEIR RIGHTS PURSUANT TO THIS SECTION; OR
(d) CHARGES A DIFFERENT RATE OR PREMIUM TO THE CONSUMER,
PROVIDES A DIFFERENT INSURANCE PRODUCT TO THE CONSUMER, REFUSES
TO WRITE INSURANCE COVERAGE FOR THE CONSUMER, OR DENIES A CLAIM
UNDER AN INSURANCE PRODUCT PURCHASED BY THE CONSUMER.
(14) Data protection assessments - definition.
(a) A LICENSEE SHALL NOT CONDUCT PROCESSING THAT PRESENTS
A HEIGHTENED RISK OF HARM TO A CONSUMER WITHOUT CONDUCTING AND
DOCUMENTING A DATA PROTECTION ASSESSMENT OF THE LICENSEE'S
PROCESSING ACTIVITIES THAT INVOLVE PERSONAL DATA ACQUIRED ON OR
AFTER JANUARY 1, 2028, AND THAT PRESENT A HEIGHTENED RISK OF HARM
TO A HOMEOWNER'S INSURANCE CONSUMER.
(b) FOR PURPOSES OF THIS SUBSECTION (14), "PROCESSING THAT
PRESENTS A HEIGHTENED RISK OF HARM TO A CONSUMER" INCLUDES:
(I) PROCESSING PERSONAL DATA FOR PURPOSES OF TARGETED
ADVERTISING OR FOR PROFILING, IF THE PROFILING PRESENTS A
REASONABLY FORESEEABLE RISK OF:
(A) UNFAIR OR DECEPTIVE TREATMENT OF, OR UNLAWFUL
DISPARATE IMPACT ON, A CONSUMER; OR
(B) FINANCIAL INJURY TO A CONSUMER, INCLUDING ADVERSE
UNDERWRITING DECISIONS;
(II) SELLING PERSONAL DATA; OR
(III) PROCESSING PERSONAL DATA.
(c) DATA PROTECTION ASSESSMENTS MUST IDENTIFY THE BENEFITS
THAT MAY FLOW, DIRECTLY OR INDIRECTLY, FROM THE PROCESSING TO
THE LICENSEE, THE CONSUMER, OTHER STAKEHOLDERS, AND THE PUBLIC
AND WEIGH THESE BENEFITS AGAINST THE POTENTIAL RISKS TO THE
RIGHTS OF THE CONSUMER ASSOCIATED WITH THE PROCESSING, AS
MITIGATED BY SAFEGUARDS THAT THE LICENSEE CAN EMPLOY TO REDUCE
THE RISKS. THE LICENSEE SHALL FACTOR INTO THIS ASSESSMENT THE USE
OF DE-IDENTIFIED DATA AND THE REASONABLE EXPECTATIONS OF
CONSUMERS, AS WELL AS THE CONTEXT OF THE PROCESSING AND THE
RELATIONSHIP BETWEEN THE LICENSEE AND THE CONSUMER WHOSE
PERSONAL DATA WILL BE PROCESSED.
(d) A LICENSEE SHALL MAKE A DATA PROTECTION ASSESSMENT
AVAILABLE TO THE COMMISSIONER UPON REQUEST. THE COMMISSIONER
MAY EVALUATE THE DATA PROTECTION ASSESSMENT FOR COMPLIANCE BY
A LICENSEE WITH THE DUTIES OF THE LICENSEE PURSUANT TO THIS
SECTION. DATA PROTECTION ASSESSMENTS ARE CONFIDENTIAL AND
EXEMPT FROM PUBLIC INSPECTION AND COPYING UNDER THE "COLORADO
OPEN RECORDS ACT", PART 2 OF ARTICLE 72 OF TITLE 24. THE
DISCLOSURE OF A DATA PROTECTION ASSESSMENT PURSUANT TO A
REQUEST FROM THE COMMISSIONER UNDER THIS SUBSECTION (14) DOES
NOT CONSTITUTE A WAIVER OF ANY PRIVILEGE OR PROTECTION THAT
MIGHT OTHERWISE EXIST WITH RESPECT TO THE ASSESSMENT AND ANY
INFORMATION CONTAINED IN THE ASSESSMENT.
(e) A SINGLE DATA PROTECTION ASSESSMENT MAY ADDRESS A
COMPARABLE SET OF PROCESSING OPERATIONS THAT INCLUDE SIMILAR
ACTIVITIES.
(f) DATA PROTECTION ASSESSMENTS APPLY TO PROCESSING
ACTIVITIES CREATED OR GENERATED ON OR AFTER JANUARY 1, 2028, AND
ARE NOT RETROACTIVE.
(15) Rules. THE COMMISSIONER SHALL ADOPT RULES NECESSARY
TO IMPLEMENT THIS SECTION, INCLUDING THE RIGHTS AND PROTECTIONS
AFFORDED TO HOMEOWNER'S INSURANCE CONSUMERS AND THE
RESPONSIBILITIES OF PERSONS INVOLVED IN HOMEOWNER'S INSURANCE
TRANSACTIONS.
(16) Enforcement - investigation by commissioner - penalties.
(a) THE COMMISSIONER MAY USE ANY OF THE COMMISSIONER'S
ENFORCEMENT POWERS TO OBTAIN COMPLIANCE WITH THIS SECTION. TO
DETERMINE WHETHER A LICENSEE OR A PROCESSOR CONTRACTED WITH A
LICENSEE HAS BEEN OR IS ENGAGED IN ANY CONDUCT IN VIOLATION OF
THIS SECTION, THE COMMISSIONER MAY EXAMINE AND INVESTIGATE THE
BUSINESS PRACTICES OF A LICENSEE OR PROCESSOR TRANSACTING
BUSINESS IN THIS STATE OR TRANSACTING BUSINESS OUTSIDE OF THIS
STATE THAT HAVE AN EFFECT ON A CONSUMER RESIDING IN THIS STATE.
(b) A VIOLATION OF THIS SECTION IS AN UNFAIR OR DECEPTIVE ACT
OR PRACTICE IN THE BUSINESS OF INSURANCE PURSUANT TO SECTION
10-3-1104 (1)(uu) AND IS SUBJECT TO SECTIONS 10-3-1106 TO 10-3-1113.
(17) Consumer - private right of action - damages.
(a) IN ADDITION TO OTHER REMEDIES PROVIDED AT LAW OR IN
EQUITY, A CONSUMER AGGRIEVED BY A VIOLATION OF SUBSECTIONS (4) TO
(13) OF THIS SECTION MAY BRING A CIVIL ACTION ON BEHALF OF THEMSELF
OR A GROUP OF SIMILARLY SITUATED CONSUMERS TO RESTRAIN FURTHER
VIOLATIONS AND TO RECOVER DAMAGES, COSTS, AND REASONABLE
ATTORNEY FEES, INCLUDING THE GREATER OF:
(I) THE AMOUNT OF ACTUAL DAMAGES SUSTAINED, INCLUDING
PREJUDGMENT INTEREST EITHER OF EIGHT PERCENT PER YEAR OR AT THE
RATE PROVIDED IN SECTION 13-21-101, WHICHEVER IS GREATER, FROM
THE DATE ON WHICH THE CLAIM UNDER THIS SECTION BEGAN ACCRUING OR
THREE TIMES THE AMOUNT OF ACTUAL DAMAGES SUSTAINED, IF IT IS
ESTABLISHED BY CLEAR AND CONVINCING EVIDENCE THAT THE PERSON
VIOLATING THIS SECTION ENGAGED IN BAD FAITH CONDUCT OR
INTENTIONALLY VIOLATED THIS SECTION; OR
(II) THREE THOUSAND DOLLARS FOR EACH VIOLATION OF THIS
SECTION, WITH EACH VIOLATION OF THIS SECTION CONSTITUTING A
SEPARATE VIOLATION WITH RESPECT TO EACH CONSUMER AND
TRANSACTION INVOLVED.
(b) A CAUSE OF ACTION FOR DEFAMATION, INVASION OF PRIVACY,
OR NEGLIGENCE SHALL NOT ARISE AGAINST A PERSON:
(I) DISCLOSING PERSONAL OR PRIVILEGED DATA IN ACCORDANCE
WITH THIS SECTION; OR
(II) FURNISHING PERSONAL OR PRIVILEGED DATA TO A LICENSEE
OR PROCESSOR.
SECTION 2. In Colorado Revised Statutes, 10-3-1104, add
(1)(uu) as follows:
10-3-1104. Unfair methods of competition - unfair or deceptive practices - rules - definitions.
(1) The following are defined as unfair methods of competition
and unfair or deceptive acts or practices in the business of insurance:
(uu) A VIOLATION OF SECTION 10-4-125 CONCERNING
HOMEOWNER'S INSURANCE CONSUMER DATA PRIVACY PROTECTIONS.
SECTION 3. Act subject to petition - effective date. This act
takes effect at 12:01 a.m. on the day following the expiration of the
ninety-day period after final adjournment of the general assembly (August
12, 2026, if adjournment sine die is on May 13, 2026); except that, if a
referendum petition is filed pursuant to section 1 (3) of article V of the
state constitution against this act or an item, section, or part of this act
within such period, then the act, item, section, or part will not take effect
unless approved by the people at the general election to be held in
November 2026 and, in such case, will take effect on the date of the
official declaration of the vote thereon by the governor.