1

Privacy Policy

Colorado Department of Revenue Privacy Policy - V.1.0

Purpose

Establish a written policy for the protection of personally identifying information (PII) collected and maintained by the Colorado Department of Revenue (DOR). DOR has long addressed the protection of PII in multiple topic-specific internal policies at departmental and divisional levels. This policy is intended to complement and work alongside such policies and is not to be understood to replace them.
 

Scope

The policy applies to all PII collected and maintained by any division of DOR in any document (paper and electronic), database, source, or medium. 

Background

State law requires each governmental entity of the state to create a privacy policy for the purpose of standardizing within such governmental entity the collection, storage, transfer, and use of personally identifiable information by such governmental entity. (§ 24-72-502(1), C.R.S.) This policy memorializes DOR’s general position on the protection of PII and Department-wide practices with respect to protecting PII. 
 

Policy

  1. DOR is required by law to provide services that require the collection and maintenance of PII, including, but not limited to: issuing vehicle registrations, driver licenses, and identification documents; collecting state income and sales taxes; regulating the use of marijuana and natural medicine; regulating specialized businesses; and operating the Colorado Lottery (“Services”). DOR is committed to protecting individual privacy and safeguarding the PII it collects and maintains in accordance with applicable laws, regulations, and standards.
     
  2. Minimum Necessary. DOR collects and maintains the minimum amount of PII necessary to provide Services.
     
  3. Use of PII. PII is available only to DOR personnel who have a reasonable and appropriate purpose to receive and use that information. DOR shares PII with limited third-party service providers, such as payment-processing partners, only as necessary to provide services and under contractual obligations to protect PII.
     
  4. Confidentiality of PII. DOR maintains the confidentiality of PII in accordance with applicable state and federal laws. An appendix to this policy contains a table identifying confidentiality statutes that apply to PII collected and maintained by DOR. 
     
  5. Disclosure of PII. DOR does not disclose PII except as required by or permitted by applicable state and federal laws.
     
  6. Open Records. The Colorado Open Records Act (“CORA”), §§ 24-72-201 et seq., C.R.S., provides that all public records shall be open for inspection by any person at reasonable times, except as otherwise provided by law. DOR is subject to CORA and treats all requests for public records in accordance with its CORA policy (EDO-040). 

    In particular, DOR does not disclose PII designated as confidential by applicable state and federal laws in response to CORA requests. Information that is considered to be “personally identifiable information” in any document requested and released through the CORA process will be redacted and withheld from release. 
     
  7. PII Retention and Disposition. In general, DOR retains documents and materials that are not official records only as long as they are needed. Documents and materials that are not official records can be destroyed when they are no longer needed if the documents are not subject to a litigation hold or an outstanding CORA request. 

    DOR destroys official records when: (a) the retention period set forth in the applicable Records Disposition Schedule (SA-194) has expired, and (b) the record is not subject to a litigation hold or an outstanding CORA request. DOR destroys documents in accordance with its policy for the Destruction/Disposal of Paper and Electronic Documents Containing Personal Identifying Information (AOD-013).
     
  8. Questions. Questions about DOR’s privacy or security practices should be directed to the Office of Communications.

Definitions

Documents

“Documents” as used in this policy means any writing, paper or electronic, created or received in the course of DOR business, containing personal identifying information. This includes official records and other types of materials, including non-records, as defined in DOR’s Records Management Manual.

Personally Identifying Information (PII)

“Personally identifiable information,” as defined in § 24-72-501, C.R.S., means information about an individual collected by a governmental entity that could reasonably be used to identify such individual, including, but not limited to, first and last name, residence or other physical address, electronic mail address, telephone number, birth date, credit card information, and social security number. Notwithstanding any provision to the contrary, “personally identifiable information” shall not include information collected in furtherance of any regulatory, investigative, or criminal justice purpose, information collected in furtherance of litigation in which the state is a party, or information that is required to be collected pursuant to any state or federal statute or regulation.

Authority

§§ 24-72-501 to -502, C.R.S.
 

Revision History

Draft Version 0.1 - 05/12/2025 - PM - This policy was established as a requirement of state law.
Version 1.0 was finalized on July 1, 2025.