Colorado’s amended and restated consumer data privacy statute, which took effect on September 1, 2018, defines key terms, tightens breach notification requirements and adds security and data disposal requirements. This article details the changes, with insights from David M. Stauss, a partner at Ballard Spahr, who worked as an outside expert with the Colorado Attorney General and the bill sponsors after the bill was introduced in the Colorado Assembly. Colorado “is taking the lead on these types of laws,” he said. See “Synthesizing New York and Colorado’s Trailblazing Data Security Regulations for Financial Firms” (Jul. 12, 2017) and “Analyzing New and Amended State Breach Notification Laws” (Jun. 6, 2018).