The act specifies measures in several categories to protect personal identifying information (PII) kept by state agencies.
Limitations on PII shared by state agencies: A state agency employee is prohibited from disclosing or making accessible PII that is not available to the public for the purpose of investigating for, participating in, cooperating with, or assisting in federal immigration enforcement, except as required by federal or state law or as required to comply with a court-issued subpoena, warrant, or order. The department of revenue is prohibited from sharing motor vehicle records with law enforcement agencies and other government agencies if the information is to be used for the purpose of investigating for or assisting in federal immigration enforcement, except as required by federal or state law or as required to comply with a court-issued subpoena, warrant, or order. Reduction of PII collected by state agencies: Beginning January 1, 2022, a state agency employee is prohibited from inquiring into, or requesting information or documents to ascertain, a person's immigration status for the purpose of identifying if the person has complied with federal immigration laws except as required by state or federal law or as necessary to perform state agency duties, or to verify a person's eligibility for a government-funded program for housing or economic development if verification is a condition of the government funding.
In addition, beginning January 1, 2022, a state agency shall not collect data regarding a person's place of birth, immigration or citizenship status, or information from passports, permanent resident cards, alien registration cards, or employment authorization documents, except as required by state or federal law or as necessary to perform state agency duties, or to verify a person's eligibility for a government-funded program for housing or economic development if verification is a condition of the government funding.
Access to state agency records: Beginning January 1, 2022, to be granted access to PII through a database or automated network maintained by a state agency that is not otherwise available to the public, a third party must have, within the past year, certified under penalty of perjury that the third party will not use or disclose PII obtained for the purpose of investigating for, participating in, cooperating with, or assisting in federal immigration enforcement, unless required by federal or state law or to comply with a court-issued subpoena, warrant, or order that is not related to prosecution for a violation of specified provisions of federal immigration law. The attorney general's office is required to create a model certification form and provide it to state agencies. Record keeping and reporting: The act specifies what a request for records includes and does not include for purposes of the act. Beginning January 1, 2022, if a third party requests a record from a state agency and the record contains PII, the state agency is required to retain a written record of the request that contains specified information (written record).
Beginning January 1, 2022, and on a quarterly basis thereafter, the state agency is required to provide the information contained in the written record to the governor's office of legal counsel and to attest that no request was granted for any purpose prohibited by the act. On March 1, 2022, and on a quarterly basis thereafter, the governor's office is required to provide a report to the joint budget committee of the general assembly containing quarterly and year-to-date summaries of the information provided by state agencies in the written record.
For a request made by a third party through the Colorado driver's license, record, identification, and vehicle enterprise solution, if the department of revenue is unable to gather the information for the written record because doing so would require technology or programming changes outside the department's control, the department is required to continue to allow access to the information if access is required by state or federal law or is a condition of receiving federal or state funding. The department of revenue is required to submit quarterly reports including the identity of the third party, the reason for the inability to collect the written record, and an attestation that the department of revenue and third party have met the other applicable requirements of the act.
Data privacy breaches: Any state agency employee who intentionally violates the provisions of the act is subject to an injunction and is liable for a civil penalty of not more than $50,000 for each violation.
The act includes an identification document issued to an individual who is not lawfully present in the United States in the list of records that the department of revenue shall not allow a person to inspect pursuant to the "Colorado Open Records Act". In addition, the act specifies that the provisions of the act are included in the laws that the department of revenue is required to follow when releasing records for public inspection.
(Note: This summary applies to this bill as enacted.)