Employee Privacy: Colorado
Federal law and guidance on this subject should be reviewed together with this section.
Authors: Stuart R. Buttrick, Susan W. Kline and Jenie Van Hampton, Faegre Baker Daniels LLP
- Colorado law recognizes invasion of privacy claims. See Invasion of Privacy.
- An employee can be terminated for a positive drug test if consistent with the employer's policies. See Drug and Alcohol Testing.
- Colorado employers are generally prohibited from discharging employees for lawful activity outside the employer's premises during nonworking hours, subject to certain exceptions. See Off-Duty Conduct.
- Colorado law imposes restrictions on conducting medical screens of employees and job applicants. See Preemployment Screening and Postemployment Screening.
- Employers who regularly use documents with personal identifying information must develop proper document destruction policies. See Privacy and Security of Personnel Records and Information.
- Colorado has a law protecting the social media privacy rights of employees and applicants. Colorado places significant limitations on the use of credit checks for hiring and other employment purposes. See Credit Checks.
- Boulder has requirements pertaining to employee privacy. See Local Requirements.
Invasion of Privacy
Colorado law recognizes three types of invasion of privacy claims:
- Appropriation of another's name and likeness;
- Public disclosure of private facts; and
- Unreasonable intrusion upon the seclusion of another.
See Slaughter v. John Elway Dodge Southwest/AutoNation, +107 P.3d 1165 (Colo. App. 2005).
Drug and Alcohol Testing
The use of marijuana to alleviate certain debilitating medical conditions is authorized, but the employer is not required to accommodate the medical use of marijuana in any workplace. See +Colo. Const. Art XVIII, Section 14.
Personal Use of Marijuana for Recreational Purposes
In 2012, Colorado voters approved Colorado Amendment 64 which permits recreational use of marijuana in Colorado and makes it legal for individuals 21 years of age and older to possess up to 1 ounce of marijuana. +Colo. Const. Art. XVIII, Section 16. The marijuana may not be consumed in public or in a manner that endangers others.
It is acceptable for an employer to discharge an employee if a drug test shows the presence of marijuana or any not medically prescribed controlled substance in the employee's system during working hours if consistent with the employer's policies. No public policy entitles an at-will employee to refuse to comply with an employer's previously-existing policy requiring drug testing. See Slaughter v. John Elway Dodge Southwest/AutoNation, +107 P.3d 1165 (Colo. App. 2005).
The Colorado Court of Appeals affirmed that despite the fact that Colorado law permits the medicinal use of marijuana, employers are permitted to terminate employees for failing a drug test even if the marijuana is used off duty and for medical purposes. The court reasoned that such individuals are not protected by Colorado's lawful off-duty activities statute because to be considered lawful, the conduct must be legal under both federal and state law and marijuana use remains illegal under federal law. The court's holding was limited to medical marijuana and did not address Amendment 64. See Coats v. Dish Network, LLC, +2013 COA 62 (2013).
Boulder has requirements pertaining to drug testing. See Local Requirements.
Drug Dealer Liability
Employers who are damaged by an employee's illegal drug use, possession, sale, transport or giving away of illegal drugs in the workplace may be awarded damages for the cost of employer-funded treatment, rehabilitation or medical expenses for the illegal drug user. Employers may also be awarded exemplary damages, reasonable attorney fees and costs. +C.R.S 13-21-801.
Employees may not be discharged for lawful activity outside the employer's premises during nonworking hours unless the activity relates to a bona fide occupational requirement or is necessary to avoid a conflict of interest or the appearance of a conflict of interest with any responsibilities to the employer. Whistleblowing about job conditions may be considered lawful off-duty conduct protecting the whistleblower from termination. +C.R.S. 24-34-402.5 (2008); See Watson v. Public Service Co. of Colo. d/b/a Xcel Energy, +207 P.3d 860 (Colo. App. 2008).
The Federal Employee Polygraph Protection Act of 1988 generally prohibits the use of polygraph testing by private employers. +29 U.S.C. 2001. There are no Colorado statutes governing the use of polygraph tests by employers.
Colorado does not have law specifically addressing genetic testing in the workplace, but state law generally provides for the protection of genetic information to prevent unfair denial of insurance coverage based on genetic testing. +C.R.S 10-3-1104.
Preemployment and Postemployment Screening
Like the ADA, the Colorado Anti-Discrimination Act (CADA) prohibits pre-offer medical screenings in all cases. The two statutes are alike alike in that after a conditional offer has been extended, interviewers may require medical examinations only if they are done for all applicants entering into a particular job category. The CADA, however, is more restrictive than the ADA because it only allows post-offer examinations that test for essential job-related capabilities. See +3 CCR 708-1.
Surveillance and Monitoring
The Colorado Supreme Court has held that video surveillance equipment in a particular room of the facility eliminated an employee's reasonable expectation of privacy as to his private employer in that room, but it did not terminate the employee's expectation of privacy as to government intrusion (e.g., executing a search warrant). See People v. Galvadon, +103 P.3d 923 (Colo. 2005). Further, in Colorado, it is unlawful to observe or photograph another individual's private parts without that person's consent where that individual has a reasonable expectation of privacy. +C.R.S. 18-3-405.6.
Wiretapping is generally prohibited. Wiretapping occurs when a person who is not a sender or intended recipient of a telephone or telegraph communication knowingly overhears, reads, takes, copies or records a telephone, telegraph or electronic communication without the consent of the sender or receiver. +C.R.S. 18-9-303. Thus, an employer is not permitted to listen to or record employee computer, email and telephone communications and conversations without prior consent.
However, the Tenth Circuit has held that an employee who downloaded pornographic materials onto his work-issued computer did not have a reasonable expectation privacy over the files because the employer's computer-use policies provided notice to the employee that internet use might be audited and monitored (thus negating any expectation of privacy); because the computer was issued solely for work purposes and he did not have immediate control over the information seized and because he did not take actions to maintain his privacy interest in those files. See United States v. Angevine, +281 F.3d 1130 (10th Cir. 2002).
Colorado prohibits eavesdropping on the conversation or discussion of another. Eavesdropping occurs when any person not visibly present "knowingly overhears or records such conversation or discussion without the consent of at least one of the principal parties thereto." Eavesdropping also occurs when any person "intentionally overhears or records such conversation or discussion for the purpose of committing or aiding and abetting the commission of an unlawful act." Eavesdropping further encompasses the knowing disclosure, or attempt at disclosure, of the contents of any conversation or discussion obtained in violation of this section. Lastly, eavesdropping also occurs when any person knowingly "aids, authorizes, agrees with, employs, permits, or intentionally conspires with any person to violate the provisions of this section." +C.R.S. 18-9-304.
Privacy and Security of Personnel Records and Information
Any covered entity that maintains paper or electronic documents containing personal identifying information must develop a written policy for the destruction of those documents once the documents are no longer needed, by shredding, erasing, or otherwise modifying the personal identifying information so that it's unreadable or indecipherable. +C.R.S. 6-1-713. A covered entity means anyone that maintains, owns, or licenses personal identifying information in the course of that person's business, vocation, or occupation.
The law defines personal identifying information as:
- A social security number;
- A personal identification number;
- A password; A pass code;
- An official state or government-issued driver's license or identification card number;
- A government passport number;
- Biometric data;
- An employer, student, or military identification number; or
- A financial transaction device.
Also, a covered entity or third-party service provider must implement and maintain reasonable security procedures to prevent unlawful access to personal identifying information. These security measures must be appropriate to the nature of the personal identifying information and reasonably designed to protect the information from unauthorized access, use, modification, disclosure, or destruction. +C.R.S. 6-1-713.5.
Under current Colorado law, an individual or a commercial entity that conducts business in Colorado and that owns or licenses computerized data that includes personal information about a Colorado resident must, upon learning of a breach of the security of the system, conduct a good faith and prompt investigation to determine the likelihood that personal information has been or will be misused. +C.R.S. 6-1-716.
The law defines security breach as the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of a covered entity for the covered entity's business purposes is not a security breach if the personal information is not used for a purpose unrelated to the lawful operation of the business or is not subject to further unauthorized disclosure
Personal information means a Colorado resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident, when the data elements are not encrypted, redacted, or secured by any other method rendering the name or the element unreadable or unusable:
- Social security number;
- Driver's license number or identification card number;
- Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account.
Under the law, personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records or widely distributed media.
Notice must be given to the affected Colorado residents "in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that a security breach occurred." Covered entities are also requried to notify the Colorado attorney general within 30 days in the event that notice of a security breach is reasonably believed to have affected 500 or more Colorado residents.
- Written notice to the postal address listed in the records of the individual or commercial entity;
- Telephonic notice;
- Electronic notice, if a primary means of communication by the individual or commercial entity with a Colorado resident is by electronic means or the notice provided is consistent with federal law regarding electronic records and signatures; or
- Substitute notice, if the individual or the commercial entity required to provide notice demonstrates that the cost of providing notice will exceed two hundred fifty thousand dollars, the affected class of persons to be notified exceeds two hundred fifty thousand Colorado residents, or the individual or the commercial entity does not have sufficient contact information to provide notice. Substitute notice consists of all of the following:
- E-mail notice if the individual or the commercial entity has email addresses for the members of the affected class of Colorado residents;
- Conspicuous posting of the notice on the website page of the individual or the commercial entity if the individual or the commercial entity maintains one; and
- Notification to major statewide media.
The notice must include the following:
- The date, estimated date, or estimated date range of the security breach;
- A description of the acquired personal information;
- Contact information for the covered entity;
- Toll-free numbers, addresses, and websites for consumer reporting agencies (CRAs) and the Federal Trade Commission (FTC);
- A statement that the resident can obtain information from the FTC and CRAs about fraud alerts and security freezes; and,
- If the acquired data included a username or email address in combination with a password or security questions and answers for an online account, a statement directing the person to promptly change the password and security questions or answers or to take other steps appropriate to protect online accounts that use the same username or email address.
An individual or a commercial entity that maintains its own notification procedures as part of an information security policy for the treatment of personal information and whose procedures are otherwise consistent with the timing requirements of the law, will be deemed to be in compliance with the notice requirements if the individual or the commercial entity notifies affected Colorado customers in accordance with its policies in the event of a breach of security of the system.
Notice may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation and the law enforcement agency has notified the individual or commercial entity that conducts business in Colorado not to send notice. Notice must be made in good faith, without unreasonable delay, and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation and has notified the individual or commercial entity that conducts business in Colorado that it is appropriate to send the notice required by this section.
If an individual or commercial entity is required to notify more than one thousand Colorado residents of a breach of the security of the system, the individual or commercial entity must also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the anticipated date of the notification to the residents and the approximate number of residents who are to be notified. The individual or commercial entity is not required to provide to the consumer reporting agency the names or other personal information of breach notice recipients.
The attorney general may bring an action in law or equity to address violations of this law and for other relief that may be appropriate to ensure compliance or to recover direct economic damages resulting from a violation, or both.
Social Security Numbers
Colorado employers may not do the following activities related to an individual's social security number:
- Publicly post or display an individual's social security number;
- Print an individual's social security number on any card required by the individual to access employer-provided products or services;
- Require an individual to transmit his or her social security number over the internet (unless via a secure connection or the number is encrypted);
- Require an individual to use his or her social security number to access an internet site; or
- Print an individual's social security number on any materials mailed to the individual (unless state or federal law requires or permits the number to be on the document mailed).
Employers may not inquire about sealed records in an employment application or otherwise. In response to a question about a sealed record, an applicant may deny that the incident occurred. Employers may not reject an applicant solely because of a refusal to disclose information about a sealed record. +C.R.S. 24-72-306(1)(f)(l)
Colorado has enacted a "ban the box" law, see Future Developments.
Unless acting as an agent of the government, private employers are not constrained by the privacy protections in the Federal or Colorado constitutions. However, Colorado courts have developed common law invasion of privacy principles prohibiting employers from conducting unreasonable searches. See Thompson v. Johnson County Comty. Coll., +108 F.3d 1388 (10th Cir. 1997).
Thus, employers should have clear written policies in their employee handbook stating that property on the employer's premises is subject to search at any time. Such policies should be distributed to all employees.
Social Media Privacy Rights of Employees and Applicants
Colorado law protects the social media privacy rights of employees and applicants. +C.R.S. 8-2-127. Under the law, employers (other than law enforcement or the Department of Corrections) are prohibited from suggesting, requesting or requiring employees or applicants to disclose any user name, password or other means of accessing the employee's or applicant's personal account or service through the employee's or applicant's personal electronic communications device, such as computers, phones, or personal digital assistants. An electronic communications device is a device using electronic signals to create, transmit, and receive information including computers, telephones, personal digital assistants and other similar devices. The Act also provides that an employer may not require an employee or applicant to add anyone to the employee's or applicant's list of contacts on a social media account or require an employee or applicant to change the privacy settings associated with a social networking account. Further, an employer may not discharge, discipline or otherwise penalize an employee for refusing to provide any user name or password to a personal account or service or fail to hire an applicant because the applicant refuses to provide such information, add anyone as a contact or change the privacy settings.
The law includes some limited protections for employers. For example, it does not prohibit employers from:
- Requiring employees to disclose user names or passwords or other means of accessing nonpersonal accounts or services that provide access to the employer's internal computer or information systems;
- Conducting an investigation to ensure compliance with applicable securities or financial laws or regulations based on the receipt of information about the use of a personal website, internet website, or other web-based account by an employee for business purposes;
- Investigating an employee's electronic communications based on information about unauthorized downloading of an employer's proprietary information or financial data to a personal website, internet website or other web-based account; or
- Enforcing existing personnel polices policies that do not conflict with the new law.
An employee cannot disclose information considered confidential under federal or state law or under a contract between the employer and employee. An employer also may access information about employees and applicants that is publicly available online.
The law allows an individual whose rights are violated to file a complaint with the Department of Labor and Employment, which shall investigate the complaint and issue findings thirty days after a hearing. The Colorado Department of Labor may issue rules regarding penalties including a fine of up to $1,000 for the first offense and up to $5,000 for each subsequent offense.
Colorado significantly limits the use of credit checks for hiring and other employment purposes. Under the Employment Opportunity Act, most private-sector employers with four or more employees from conducting credit checks on job applicants or employees. +C.R.S. 8-2-127.
There are only a few limited exceptions in which an employer may make use of a credit check to screen job applicants or employees. These include high-ranking, executive or management-level positions that involve setting the direction or control of a business; banks or financial institutions; employers that are "required by law" to obtain such information; and positions involving contracts with defense, intelligence, national security or space agencies of the federal government.
Boulder Drug and Alcohol Testing
The City of Boulder's municipal code contains its own drug and alcohol testing requirements that apply to employers with employees in Boulder, except for some public employers. Boulder Revised Code Chapter 12-3. The ordinance addresses preemployment and post-employment drug and alcohol testing requirements.
At the preemployment stage, employers may only conduct drug and alcohol testing under the following circumstances:
- The testing requirement is included in the employment application, or if there is no application, in all advertising for the position;
- All applicants are personally informed of the requirement of a drug or alcohol test at the first formal interview;
- Colorado applicants may only be tested if they are the single finalist for the position. Out-of-state applicants may only be tested if they are finalists and come to the state for an interview, and even then, only if the same test is required for all finalists for that position; and
- The test complies with a number of procedural requirements.
Even after an accident, an employer may only conduct drug and alcohol testing under the following circumstances:
- The employer has an individualized reasonable suspicion, based on specific, objective, clearly expressed facts, to believe that:
- The employee is under the influence of a drug or alcohol;
- The employee's job performance is currently adversely affected by the use of a drug or alcohol; or
- The employee has agreed to the test as a part of an employee assistance program after a finding or admission of prior drug or alcohol abuse;
- Prior to any tests, the employer adopts a written testing policy that is available to employees and contains various specific provisions required by the statute; and
- The test complies with a number of procedural requirements.
Any employers with employees in Boulder should carefully review Boulder's ordinance before any applicant or employee drug or alcohol testing.
An employer is not restricted from prohibiting the use of, possession of or trafficking in, illegal drugs during work hours, or restricts an employer's ability to discipline an employee for being under the influence of, using, possessing or trafficking in, illegal drugs during work hours or on the employer's premises. An employer is also not restricted from prohibiting the use of alcohol during work hours, or restricts an employer's ability to discipline an employee for being under the influence of alcohol during work hours or on the employer's premises.
An employer is not prevented from conducting routine medical examinations of employees or medical screening in order to monitor exposure to toxic or other unhealthy substances encountered in the work place or in the performance of an employee's job responsibilities. An employer should not extend medical screening beyond the specific substance being monitored, and any inadvertently obtained information concerning drug or alcohol use shall be maintained in confidence in the medical record and not disclosed to any employer. An employer shall not use any such evidence to determine promotion, additional compensation, transfer, termination, disciplinary or other personnel action or the receipt of any benefit.
It is an affirmative defense that a person was required to conduct drug or alcohol testing or take disciplinary action against an employee based on such testing in order to comply with a statute or regulation of the United States or the State of Colorado or any of their agencies or any agency interpretation of such statute or regulation. It is a specific defense that a person, based on specific, objective, clearly expressed facts, was reasonably required to conduct such testing or take such action in order to compete effectively to obtain a contract with the United States or the State of Colorado or any of their agencies.
Ban the Box
Colorado has enacted a "ban the box" law restricting employer access to criminal history information. The law takes effect on or after September 1, 2019 for an employer with 11 or more employees, and on and after September 1, 2021 for all employers.
For more information, see Interviewing and Selecting Job Candidates: Colorado.
There are no other developments to report at this time. Continue to check XpertHR regularly for the latest information on this and other topics.