Colorado Privacy Act (CPA) Final Rules
COLORADO DEPARTMENT OF LAW
Consumer Protection Section
Colorado Privacy Act Rules
4 CCR 904-3
PART 1 GENERAL APPLICABILITY
Rule 1.01 BASIS, SPECIFIC STATUTORY AUTHORITY, AND PURPOSE
The rules in this Part 904-3 are developed pursuant to C.R.S. § 6-1-108(1), which grants the Attorney General the authority to promulgate such rules as may be necessary to administer the provisions of the Colorado Consumer Protection Act, and to C.R.S. § 6-1-1313, which gives the Attorney General authority to promulgate rules for the purpose of carrying out the Colorado Privacy Act and requires the Attorney General to adopt rules that detail the technical specifications for one or more Universal Opt-Out Mechanisms that clearly communicate a consumer’s affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data pursuant to C.R.S. §§ 6-1-1306(1)(a)(I)(A) or (1)(a)(I)(B).
These rules are promulgated to establish implementation and operational guidelines for the Colorado Privacy Act and to help ensure that the Colorado Privacy Act is carried out in a way that is consistent with the intent of the General Assembly, as reflected in the legislative declaration at C.R.S. § 6-1-1302.
Rule 1.02 SEVERABILITY
If any provision of these Colorado Privacy Act Rules, 4 CCR 904-3, is found to be invalid by a court of competent jurisdiction, the remaining provisions of these rules shall remain in full force and effect.
Rule 1.03 EFFECTIVE DATE
Except for the provisions that have delayed effective dates as stated in these rules or C.R.S. §§ 6-1-1313 et seq., these rules shall become effective July 1, 2023.
Rule 1.04 EXEMPTIONS
These Colorado Privacy Act Rules, 4 CCR 904-3, are subject to the applicability requirements and exemptions provided in C.R.S. § 6-1-1304.
PART 2 DEFINITIONS
Rule 2.01 AUTHORITY AND PURPOSE
A. The statutory authority for the rules in this Part 2 is C.R.S. §§ 6-1-108(1), 6-1-1303, and 6-1-1313. The purpose of these rules is to define certain undefined terms that are used throughout the Colorado Privacy Act, C.R.S. § 6-1-1301, et seq., and these Colorado Privacy Act Rules, 4 CCR 904-3, including but not limited to certain undefined terms that are used in the definitions set forth in C.R.S. § 6-1-1303. The terms defined by this rule and C.R.S. § 6-1-1303 are capitalized where they appear in the rules to let the reader know to refer back to the definitions. When a term is used in a conventional sense and is not intended to be a defined term, it is not capitalized.
Rule 2.02 DEFINED TERMS
The following definitions of terms, in addition to those set forth in C.R.S. § 6-1-1303, apply to these Colorado Privacy Act Rules, 4 CCR 904-3, promulgated pursuant to the Colorado Privacy Act, unless the context requires otherwise:
- Authorized Agent as referred to in C.R.S. § 6-1-1306(1)(a)(II) means a person or entity authorized by the consumer to act on the consumer's behalf.
- Biometric Data as referred to in C.R.S. § 6-1-1303(24)(b) means biometric identifiers that are used or intended to be used, singly or in combination with each other or with other personal data, for identification purposes. Unless such data is used for identification purposes, Biometric Data does not include:
(a) a digital or physical photograph;
(b) an audio or voice recording; or
(c) any data generated from a digital or physical photograph or an audio or video recording.
- Biometric Identifiers means data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics that can be processed for the purpose of uniquely identifying an individual, including but not limited to a fingerprint, a voiceprint, scans or records of eye retinas or irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics.
- Bona Fide Loyalty Program as referred to in C.R.S. § 6-1-1308(1)(d) is defined as a loyalty, rewards, premium feature, discount, or club card program established for the genuine purpose of providing Bona Fide Loyalty Program Benefits to consumers that voluntarily participate in that program, such that the primary purpose of processing personal data through the program is solely to provide Bona Fide Loyalty Program Benefits to participating consumers.
- Bona Fide Loyalty Program Benefit is defined as an offer of superior price, rate, level, quality, or selection of goods or services provided to a consumer through a Bona Fide Loyalty Program. Such benefits may be provided directly by a controller or through a Bona Fide Loyalty Program Partner.
- Bona Fide Loyalty Program Partner is defined as a third party that provides Bona Fide Loyalty Program Benefits to consumers through a controller’s Bona Fide Loyalty Program, either alone or in partnership with the controller.
- Commercial Product or Service as referred to in C.R.S. § 6-1-1304(1)(a) means a product or service bought, sold, leased, joined, provided, subscribed to, or delivered in exchange for monetary or other valuable consideration in the course of a controller’s business, vocation, or occupation.
- Controller is defined as set forth in C.R.S. § 6-1-1303(7), and means a person that, alone or jointly with others, determines the purposes for and means of processing personal data.
- Data Broker is defined as a controller that knowingly collects and sells to third parties the personal data of a consumer with whom the controller does not have a direct relationship.
- Data Right or Data Rights means the consumer personal data rights granted in C.R.S. § 6-1-1306(1).
- Disability or Disabilities has the same meaning as set forth in C.R.S. § 24-85-102(2.3).
- Employee means any person, acting as a job applicant to, or performing labor or services for the benefit of an employer, including contingent and temporary workers and migratory laborers.
- Employer means every person, entity, firm, partnership, association, corporation, migratory field labor contractor or crew leader, receiver, or other officer of court, and any agent or officer thereof, of the above-mentioned classes, employing any person.
- Employment Records as referred to in C.R.S. § 6-1-1304(2)(k) means the records of an employee, maintained by the employer in the context of the employer-employee relationship having to do with hiring, promotion, demotion, transfer, layoff or termination, rates of pay or other terms of compensation, as well as other information maintained because of the employer-employee relationship.
- Human Involved Automated Processing means the automated processing of personal data where a human (1) engages in a meaningful consideration of available data used in the processing or any output of the processing and (2) has the authority to change or influence the outcome of the processing.
- Human Reviewed Automated Processing means the automated processing of personal data where a human reviews the automated processing, but the level of human engagement does not rise to the level required for Human Involved Automated Processing. Reviewing the output of the automated processing with no meaningful consideration does not rise to the level of Human Involved Automated Processing.
- Information that a Controller has a reasonable basis to believe the Consumer has lawfully made available to the general public as referred to in C.R.S. § 6-1-1303(17)(b) means information that a consumer has intentionally made available to the general public or information that a consumer has made available under federal or state law, which may include but is not limited to:
- Personal data found in a telephone book, a television or radio program, or a national or local news publication;
- Personal data that has been intentionally made available by the consumer through a website or online service where the consumer has not restricted the information to a specific audience;
- A visual observation of an individual’s physical presence in a public place by another person, not including data collected by a device in the individual’s possession; and
- A disclosure that has been made to the general public as required by federal, state, or local law.
- Intimate Image means any visual depiction, photograph, film, video, recording, picture, or computer or computer-generated image or picture, whether made or produced by electronic, mechanical, or other means, that depicts an identified or identifiable person’s private parts, or a person engaged in a private act, in circumstances in which a reasonable person would reasonably expect to be afforded privacy.
- Noncommercial Purpose as referred to in C.R.S. § 6-1-1304(2)(o) includes, but is not limited to, the following activities when conducted by:
(a) A state institution of higher education, as defined in C.R.S. § 23-18-102(10), the state, the judicial department of the state, or a county, city and county, or municipality; or
(b) A processor acting on behalf of one or more of the foregoing:
- Processing activities related to the delivery of services and benefits;
- Research purposes;
- Budgeting;
- Improving operations or the delivery of services or benefits;
- Auditing operations or service or benefit delivery;
- Sharing personal data between these categories of entities for any of these purposes; or
- Any other purpose related to speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.
- Opt-Out Purpose or Opt-Out Purposes means the categories of personal data processing from which the consumer may opt out pursuant to C.R.S. § 6-1-1306(1)(a).
- Personal Data is defined as set forth in C.R.S. § 6-1-1303(17), and
(a) Means information that is linked or reasonably linkable to an identified or identifiable individual; and
(b) Does not include de-identified data or publicly available information as used in (17)(b).
- Process or Processing is defined as set forth in C.R.S. § 6-1-1303(18), and means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data.
- Processor is defined as set forth in C.R.S. § 6-1-1303(19), and means a person that processes personal data on behalf of a controller.
- Profiling is defined as set forth in C.R.S. § 6-1-1303(20), and means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
- Publicly Available Information is defined as set forth in C.R.S. § 6-1-1303(17), and does not include:
- Any personal data obtained or processed in violation of C.R.S. §§ 18-7-107 or 18-7-801;
- Biometric data;
- Genetic information; or
- Nonconsensual intimate images known to the controller.
- Revealing as referred to in C.R.S. § 6-1-1303(24)(a) includes Sensitive Data Inferences. For example:
- While precise geolocation information at a high level may not be considered sensitive data, precise geolocation data which is used to infer an individual visited a mosque and is used to infer that individual’s religious beliefs is considered sensitive data under C.R.S. § 6-1-1303(24)(a). Similarly, precise geolocation data which is used to infer an individual visited a reproductive health clinic and is used to infer an individual’s health condition or sex life is considered sensitive data under C.R.S. § 6-1-1303(24)(a).
- While web browsing data at a high level may not be considered sensitive data, web browsing data which, alone or in combination with other personal data, infers an individual’s sexual orientation is considered sensitive data under C.R.S. § 6-1-1303(24)(a).
- Sensitive Data Inference or Sensitive Data Inferences means inferences made by a controller based on personal data, alone or in combination with other data, which are used to indicate an individual’s racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.
- Solely Automated Processing means the automated processing of personal data with no human review, oversight, involvement, or intervention.
- Universal Opt-Out Mechanism or Universal Opt-Out Mechanisms means mechanisms that clearly communicate a consumer's affirmative, freely given, and unambiguous choice to opt out of the processing of personal data for purposes of targeted advertising or the sale of personal data pursuant to C.R.S. § 6-1-1306(1)(a)(I)(A) or (1)(a)(I)(B), which meets the technical specifications set forth in 4 CCR 904-3, Rule 5.06 pursuant to C.R.S. § 6-1-1313(2).
PART 3 CONSUMER DISCLOSURES
Rule 3.01 Authority and Purpose
- The statutory authority for the rules in this Part 3 is C.R.S. §§ 6-1-108(1) and 6-1-1313. The purpose of the rules in Part 3 is to ensure that disclosures, notifications, and other communications to Consumers are clear, accessible, and understandable to Consumers so that Consumers can understand and exercise the full scope of their rights under the Colorado Privacy Act, C.R.S. § 6-1-1303, et seq.
Rule 3.02 Requirements for Disclosures, Notifications, and Other Communications to Consumers
Disclosures, notifications, and other communications to Consumers pursuant to 4 CCR 904-3, Rules 4.02, 4.05(D), 5.03, 6.02, 6.05, and 7.04 must be:
- Designed to be understandable and accessible to a Controller’s target audiences, considering the vulnerabilities or unique characteristics of the audience and paying particular attention to the vulnerabilities of children. For example, they shall use plain, straightforward language and avoid technical or legal jargon.
- Reasonably accessible to Consumers with Disabilities, including through the use of digital accessibility tools. For notices provided online, the Controller shall follow generally recognized industry standards, such as the Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by reference as described at 4 CCR 904-3, Rule 11.02. In other contexts, the Controller shall provide information on how a Consumer with a Disability may access the disclosure or communication or make a request in an alternative format.
- Available in the languages in which the Controller in its ordinary course provides web pages, interfaces, contracts, disclaimers, sale announcements, and other information to Consumers. Disclosures and communications sent directly to Consumers must be sent in the language in which the Consumer ordinarily interacts with the Controller.
- Available through a readily accessible interface regularly used in conjunction with the Controller’s product or service.
- Provided in a readable format on all devices through which Consumers normally or regularly interact with the Controller, including on smaller screens and through mobile applications, if applicable.
- Unless otherwise stated, communicated in a manner by which the Controller regularly interacts with Consumers.
- Straightforward and accurate, and must not be written or presented in a way that is unfair, deceptive, false, or misleading.
PART 4 CONSUMER PERSONAL DATA RIGHTS
Rule 4.01 Authority and Purpose
- The statutory authority for the rules in this Part 4 is C.R.S. §§ 6-1-108(1), 6-1-1306, and 6-1-1313. The purpose of the rules in Part 4 is to clarify the scope of Consumer Personal Data rights and standards for the processes required to facilitate the exercise of those rights.
Rule 4.02 Submitting Requests to Exercise Personal Data Rights
A. Pursuant to C.R.S. § 6-1-1306(1), a Controller’s privacy notice must include specific methods through which a Consumer may submit requests to exercise Data Rights.
B. Any method specified by a Controller pursuant to this rule must comply with each of the following:
- Consider the ways in which Consumers normally interact with the Controller:
a. A Controller that interacts with Consumers exclusively online and has a direct relationship with a Consumer from whom it collects Personal Data shall only be required to provide an email address for submitting access, correction, deletion, or data portability requests.
b. A Controller that does not fall within subsection 4 CCR 904-3, Rule 4.02(B)(1)(a) shall provide two or more designated methods for submitting a Data Rights request. If a Controller maintains a website, mobile application, or other digital presence, one method for submitting requests shall be through its website, mobile application, or digital interface, such as through a web form.
c. If a Controller interacts with Consumers in person, the Controller shall consider providing an in-person method such as a printed form the Consumer can directly submit or send by mail; a tablet or computer portal that allows the Consumer to complete and submit an online form; or a telephone by which the Consumer can call the Controller’s toll-free number.
- Enable the Consumer to submit the request to the Controller at any time.
- Comply with requirements for disclosures, notifications, and other communications to Consumers provided in 4 CCR 904-3, Rule 3.02.
- Use reasonable data security measures, consistent with 4 CCR 904-3, Rule 6.09, when exchanging information in furtherance of Data Rights requests, considering the volume, scope, and nature of Personal Data that may be exchanged.
- Be easy for Consumers to execute, requiring a minimal number of steps.
C. The Data Rights request method does not have to be specific to Colorado, so long as the request method:
- Clearly indicates which rights are available to Colorado Consumers.
- Provides all Data Rights available to Colorado Consumers.
- Provides Colorado Consumers a clear understanding of how to exercise their rights.
- Meets all other requirements of this part, 4 CCR 904-3, Rule 4.02.
D. When a Consumer submits a Data Rights request, a Controller may only collect Personal Data through the request process if the Personal Data is reasonably necessary to authenticate the Consumer, respond to the request, or effectuate the Data Rights request.
E. A Controller must not require a Consumer to create a new user account to exercise their Data Rights request, but may require a Consumer to use an existing password-protected account.
Rule 4.03 Right to Opt Out
A. A Controller shall comply with an opt-out request by:
- Ceasing to Process the Consumer’s Personal Data for the Opt-Out Purpose(s) as soon as feasibly possible and without undue delay from the date the Controller receives the request, taking into account the size and complexity of the Controller’s businesses and burden of operationalizing the opt-out.
a. If a Controller does not know the identity of a Consumer submitting an online opt-out request, such that the Controller is unable to opt the Consumer out of the Processing of offline or other connected Personal Data, the Controller may request the additional information necessary to do so subject to 4 CCR 904-3, Rules 4.08 and 5.05.
b. If a Consumer submits a request to exercise more than one Data Right and a Controller is able to complete the opt-out request in a more timely manner than other Data Rights requests, the Controller should complete the opt-out request prior to any other Data Rights request.
- Maintaining a record of the opt-out request and response, in compliance with 4 CCR 904-3, Rule 6.11.
- Using agreed upon technical, organizational, or other measures or processes to instruct its Processors, pursuant to C.R.S. § 6-1-1305(2)(a), to stop Processing the Personal Data as needed to effectuate the Consumer’s opt-out request.
B. To enable a Consumer to exercise the right to opt out of the Opt-Out Purposes provided in C.R.S. § 6-1-1306(1)(a)(I), a Controller must provide the disclosures required by C.R.S. § 6-1-1308(1)(b).
- A Controller that Sells Personal Data or Processes Personal Data for Targeted Advertising must also provide a clear and conspicuous method for Consumers to exercise the right to opt out of the Processing of Personal Data for each or all of the Opt-Out Purposes, as applicable.
a. The clear, conspicuous method must be provided either directly or through a link, in a clear, conspicuous, and readily accessible location outside the privacy notice.
- A Controller Processing Personal Data for Profiling in furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services, as subject to the opt-out right provided at C.R.S. § 6-1-1306(1)(a)(I), shall provide a clear and conspicuous method for Consumers to exercise the right to opt out of Processing Personal Data for such Profiling at or before the time such Processing occurs.
- Any clear and conspicuous method for Consumers to exercise the right to opt out of Processing for the Opt-Out Purposes, provided pursuant to this section, must comply with the requirements of 4 CCR 904-3, Rule 4.02(B). If a link is used, it must take a Consumer directly to the opt-out method and the link text must provide a clear understanding of its purpose, for example “Colorado Opt-Out Rights,” “Personal Data Use Opt-Out,” “Your Opt-Out Rights,” “Your Privacy Choices,” or “Your Colorado Privacy Choices.”
C. An Authorized Agent may exercise a Consumer’s opt-out right on behalf of the Consumer, so long as the Controller is able to, with commercially reasonable effort, Authenticate the identity of the Consumer and the Authorized Agent’s authority to act on the Consumer’s behalf.
D. A Controller may collect the Consumer’s Personal Data necessary to effectuate the Consumer’s opt-out right, pursuant to 4 CCR 904-3, Rule 4.02(D).
Rule 4.04 Right of Access
A. A Controller shall comply with an access request by providing the Consumer all the specific pieces of Personal Data it has collected and maintains about the Consumer that are the subject of the request, including without limitation, any Personal Data that the Controller’s Processors obtained from the Controller in providing services to the Controller.
- Specific pieces of Personal Data include final Profiling decisions, inferences, derivative data, marketing profiles, and other Personal Data created by the Controller which is linked or reasonably linkable to an identified or identifiable individual.
B. Personal Data provided in response to an access request must:
- Be provided in a form that is concise, transparent, and easily intelligible and in an appropriate, commonly used electronic format, depending on the nature of the data;
- Be available in the language in which the Consumer interacts with the Controller;
- Avoid incomprehensible internal codes and, if necessary, include explanations that would allow the average Consumer to make an informed decision of whether to exercise deletion, correction, or opt-out rights;
- Be provided in compliance with the requirements for disclosures, notifications, and other communications, as described in 4 CCR 904-3, Rule 3.02, as applicable.
C. The Controller shall implement and maintain reasonable data security measures, consistent with 4 CCR 904-3, Rule 6.09, in Processing any documentation relating to a Consumer’s access request.
D. A Controller shall not be required to disclose in response to an access request a Consumer’s government-issued identification number, financial account number, health insurance or medical identification number, an account password, security questions and answers, Biometric Data, or Biometric Identifiers. The Controller shall, however, inform the Consumer with sufficient particularity that it has collected that type of information. For example, a Controller shall respond that it collects “unique Biometric Data including a fingerprint scan” without disclosing the actual fingerprint scan data.
E. If a Consumer exercises the right to access their Personal Data in a portable format pursuant to C.R.S. § 6-1-1306(1)(e) and the Controller determines the manner of response would reveal the Controller’s trade secrets, the Controller must still honor the Consumer’s undiminished right of access in a format or manner which would not reveal trade secrets, such as in a non-portable format.
Rule 4.05 Right to Correction
A. Consumers have the right to correct inaccuracies in their Personal Data subject to C.R.S. § 6-1-1306(c).
B. A Controller shall comply with a Consumer’s correction request by correcting the Consumer’s Personal Data in its existing systems, except archive or backup systems. The Controller shall also use agreed upon technical, organizational, or other measures or processes to instruct its Processors, pursuant to C.R.S. § 6-1-1305(2)(a), to make the necessary corrections in their respective systems.
C. If a Controller or Processor stores any Personal Data on archived or backup systems, it may delay compliance with the Consumer’s correction request with respect to an archived or backup system until that system is restored to an active system or is next accessed or used.
D. If a Consumer submits a request to exercise their right to correct Personal Data and the requested correction to that Personal Data could be made by the Consumer through the Consumer’s account settings, a Controller may respond to the Consumer’s request by providing instructions on how the Consumer may correct the Personal Data so long as:
- The correction process is not unduly burdensome to the Consumer;
- The instructions meet all requirements of 4 CCR 904-3, Rule 3.02;
- The Controller’s response is compliant with the timing requirements set forth in C.R.S. § 6-1-1306(2)(a); and
- The process described in the instructions enables the Consumer to make the specific requested correction.
E. A Controller may require the Consumer to provide documentation if necessary to determine whether the Personal Data, or the Consumer’s requested correction to the Personal Data, is accurate.
- When requesting documentation, the Controller must provide the Consumer with a meaningful understanding of why the documentation is necessary.
- Any documentation provided by the Consumer in connection with the Consumer’s right to correction shall only be Processed by the Controller in considering the accuracy of the Consumer’s Personal Data.
- The Controller shall implement and maintain reasonable data security measures, consistent with 4 CCR 904-3, Rule 6.09, in Processing any documentation relating to the Consumer’s correction request.
- If the Controller did not receive the Personal Data directly from the Consumer and has no documentation to support the accuracy of the Personal Data, the Consumer’s assertion of inaccuracy shall be sufficient to establish that the Personal Data is inaccurate.
- A Controller, having exhausted the steps above, may decide not to act upon a Consumer’s correction request if the Controller determines that the contested Personal Data is more likely than not accurate.
- If a Controller denies a Consumer’s correction request based on the Controller’s determination that the contested Personal Data is more likely than not accurate, the Controller must describe in documentation required by 4 CCR 904-3, Rule 6.11(A), the Consumer’s requested correction to the Personal Data, any documentation requested from and provided by the Consumer in support of the correction request, and the reason for the Controller’s determination that the Consumer’s documentation was not sufficient to support the Consumer’s position.
Rule 4.06 Right to Deletion
A. A Controller shall comply with a Consumer’s deletion request by:
- Permanently and completely erasing the Personal Data from its existing systems, except archive or backup systems, or de-identifying the Personal Data such that it cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, in accordance with C.R.S. § 6-1-1303(11); and
- Using agreed-upon technical, organizational, or other measures or processes to instruct its Processors, pursuant to C.R.S. § 6-1-1305(2)(b), to delete the Consumer’s Personal Data held by the Processors.
B. Notwithstanding 4 CCR 904-3, Rule 4.06(A), a Controller may maintain records of a Consumer’s deletion request consistent with 4 CCR 904-3, Rule 6.11 and as needed to effectuate the deletion request.
C. If a Controller or Processor stores any Personal Data on archived or backup systems, it may delay compliance with the Consumer’s deletion request with respect to an archived or backup system until that system is restored to an active system or is next accessed or used.
D. A Controller that has obtained Personal Data about a Consumer from a source other than the Consumer shall comply with a Consumer's deletion request with respect to that Personal Data pursuant to C.R.S. § 6-1-1306(d) by:
- (i) Retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the Consumer’s Personal Data remains deleted from the Consumer’s records and not using such retained data for any other purpose, or
- (ii) Opting the Consumer out of the Processing of such Personal Data for any purpose except for those exempted pursuant to the provisions of C.R.S. § 6-1-1304.
E. If a Controller complies with a deletion request by opting the Consumer out of Processing under Rule 4.06(D) or does not opt the Consumer out of some Processing of Personal Data because the Processing purpose is exempted pursuant to the provisions of C.R.S. § 6-1-1304, the Controller shall provide the Consumer with the categories of Personal Data that were not deleted along with any applicable exception. The Controller shall not use the Consumer’s Personal Data retained for any other purpose than provided for by the applicable exception.
Rule 4.07 Right to Data Portability
A. To comply with a data portability request, a Controller must transfer to a Consumer the Personal Data it has collected and maintains about the Consumer through a secure method in a commonly used electronic format that, to the extent technically feasible, is readily usable and allows the Consumer to transmit the Personal Data to another entity without hindrance.
B. Pursuant to C.R.S. § 6-1-1306(1)(e), a Controller is not required to provide Personal Data to a Consumer in a manner that would disclose the Controller’s trade secrets. When complying with a request to access Personal Data in a portable format, Controllers must provide as much data as possible in a portable format without disclosing the trade secret.
- For example, if sharing both raw or unedited Personal Data along with related inferences or derived Personal Data in an Excel file would reveal a trade secret, the Controller may provide either set of Personal Data in an Excel file, so long as it is clear to the Consumer that the Controller maintains both types of Personal Data.
Rule 4.08 Authentication
A. Pursuant to C.R.S. § 6-1-1306(1), a Controller shall use a commercially reasonable method for authenticating the identity of every Consumer submitting any Data Right request, and the authority of every Authorized Agent submitting an opt-out request on behalf of a Consumer pursuant to C.R.S. § 6-1-1306(1)(a)(II).
- To determine if an authentication method is commercially reasonable, the Controller shall consider the Data Rights exercised, the type, sensitivity, value, and volume of Personal Data involved, the level of possible harm that improper access or use could cause to the Consumer submitting the Data Right request, and the cost of authentication to the Controller. A Controller must avoid methods that place an unreasonable burden on the Consumer submitting a Data Right request, or Authorized Agent submitting an opt-out request on behalf of a Consumer.
B. When possible, a Controller shall avoid requesting additional Personal Data to Authenticate a Consumer unless the Controller cannot Authenticate the Consumer using the Personal Data already maintained by the Controller.
C. Personal Data obtained to Authenticate a Consumer may only be used to Authenticate the Consumer submitting the Data Right request, pursuant to C.R.S. § 6-1-1306(1), or to Authenticate an Authorized Agent’s authority, pursuant to C.R.S. § 6-1-1306(1)(a)(II), and must be deleted as soon as practical after Processing the Consumer’s request, except as required by 4 CCR 904-3, Rule 6.11, or as otherwise required.
D. A Controller shall implement reasonable security measures, consistent with 4 CCR 904-3, Rule 6.09, to protect Personal Data exchanged to Authenticate a Consumer or to Authenticate an Authorized Agent’s authority, considering the type, value, sensitivity, and volume of information exchanged and the level of possible harm improper access or use could cause to the Consumer submitting a Data Right request.
E. A Controller shall not require the Consumer or Authorized Agent to pay a fee for authentication. For example, a Controller may not require a Consumer to provide a notarized affidavit for authentication unless the Controller compensates the Consumer for the cost of notarization.
F. If a Controller cannot Authenticate the Consumer submitting a Data Right request using commercially reasonable efforts, the Controller is not required to comply with the Consumer’s request. The Controller shall inform the Consumer that their identity could not be authenticated, provide information on how to remedy any deficiencies, and may request additional Personal Data if reasonably necessary to Authenticate the Consumer.
Rule 4.09 Responding to Consumer Requests
A. A Controller must respond to a Consumer’s Data Right request in compliance with the timing provisions of C.R.S. § 6-1-1306(2)(a)-(b).
B. A Controller does not have to comply with an authenticated Consumer request to access, correct, delete, or provide Personal Data in a portable format, to the extent that the Personal Data at issue meets the requirements of the exceptions in C.R.S. § 6-1-1307(1)(b) and 1307(3).
C. If a Controller decides not to act on a Consumer’s Data Right request, the Controller’s response to the Consumer must include the grounds for denial, including but not limited to:
a. Any conflict with federal or state law;
b. If the Controller relied on an exception to the Colorado Privacy Act found at C.R.S. § 6-1-1304(2), a description of the exception;
c. The Controller’s inability to Authenticate the Consumer’s identity;
d. Any factual basis for a Controller’s good-faith claim that compliance is impossible; or
e. Any basis for a good-faith, documented belief that the request is fraudulent or abusive.
- If a Controller denies a Consumer Data Right request based on the inability to Authenticate, the Controller must describe in documentation required by 4 CCR 904-3, Rule 6.11 their reasonable efforts to authenticate and why they were unable to do so.
- A Controller that decides not to act on a Consumer’s request must also provide instructions on how to appeal the Controller’s decision in accordance with C.R.S. § 6-1-1306(3).
D. When a Controller complies with a Consumer’s Personal Data Right request, the Controller shall also use agreed-upon technical, organizational, or other measures or processes, to instruct its Processors, pursuant to C.R.S. § 6-1-1305(2)(a), to fulfill requests relating to Personal Data held by the Processors.
E. Controllers must maintain all documentation as required by 4 CCR 904-3, Rule 6.11 of these rules.
F. If a Consumer or Authorized Agent submits a request to opt out of the Processing of a Consumer’s Personal Data for an Opt-Out Purpose in a manner that is not one of the Controller’s opt-out request methods, or submits a Data Right request that is otherwise deficient in a manner unrelated to the Authentication process, the Controller shall either:
- Treat the request as if it had been submitted in accordance with the Controller’s specified request methods, or
- Provide the Consumer or Authorized Agent that submitted the request with information on how to submit the request or remedy any deficiencies in the request.
PART 5 Universal Opt-Out Mechanism
Rule 5.01 Authority and Purpose
A. The statutory authority for the rules in Part 5 is C.R.S. §§ 6-1-108(1), 6-1-1306, and 6-1-1313. The purpose of this Part 5 is to provide technical and other specifications for Universal Opt-Out Mechanisms.
Rule 5.02 Rights Exercised
A. Consumers may exercise their right to opt out of the Processing of Personal Data concerning the Consumer for purposes of Targeted Advertising or the Sale of Personal Data through a user-selected Universal Opt-Out Mechanism that meets the technical and other specifications provided in this Rule 5.
B. The purpose of a Universal Opt-Out Mechanism is to provide Consumers with a simple and easy-to-use method by which Consumers can automatically exercise their opt-out rights with all Controllers they interact with without having to make individualized requests with each Controller.
C. A Universal Opt-Out Mechanism may:
- Express a Consumer’s choice to opt out of the Processing of Personal Data for both the Processing of Personal Data for purposes of Targeted Advertising and Sale of Personal Data; or
- Express a Consumer’s choice to opt out of the Processing of Personal Data for only one specific purpose, either Targeted Advertising or Sale of Personal Data alone.
Rule 5.03 Notice and Choice for Universal Opt-Out Mechanisms
A. If a platform, developer, or provider provides a Universal Opt-Out Mechanism, that platform, developer, or provider shall make clear to the Consumer, whether in its configuration or disclosures to the public, that the mechanism is meant to allow the Consumer to exercise the right to opt out of the Processing of Personal Data for one specific purpose, either Targeted Advertising or Sale of Personal Data, or both purposes. These notices provided to the Consumer:
- Shall comply with the requirements for disclosures and communications to Consumers provided in 4 CCR 904-3, Rule 3.02;
- If applicable, shall state that the Universal Opt-Out Mechanism has been recognized by the Colorado Attorney General;
- Shall clearly describe any limitations that may be applicable to the mechanism, for example:
a. That the mechanism will allow a consumer to exercise the opt-out right for only one specific purpose, either Targeted Advertising or Sale of Personal Data; or
b. That the mechanism applies only to a single browser or device.
- Need not be tailored only to Colorado or refer to Colorado or to any other specific provisions of these rules or the Colorado Privacy Act, provided the mechanism meets the requirements of 4 CCR 904-3, Rule 5.03(A)(1)-(3).
a. Example: A platform, developer, or provider discloses that its Universal Opt-Out Mechanism permits consumers to exercise “any and all opt-out rights available to you under state laws,” and complies with the other requirements of this Rule 5.03(A) but makes no mention of Colorado nor recites any section of these rules or the Colorado Privacy Act. These disclosures satisfy the requirements of this Rule 5.03(A).
B. A valid Universal Opt-Out Mechanism must represent the Consumer’s affirmative, freely given, and unambiguous choice to opt out of the Processing of Personal Data for the purposes listed at C.R.S. § 6-1-1306(1)(a)(IV)(A) and (B). Controllers are not obligated to honor Consumer rights requests for purposes other than those listed at C.R.S. § 6-1-1306(1)(a)(IV)(A) and (B) when transmitted through a Universal Opt-Out Mechanism.
C. The platform, developer, or provider that provides a Universal Opt-Out Mechanism is not obligated to authenticate that a user is a Resident of Colorado. The platform, developer, or provider may provide such authentication capabilities if it chooses.
Rule 5.04 Default Settings for Universal Opt-Out Mechanisms
A. To comply with C.R.S. § 6-1-1313(2), a Universal Opt-Out Mechanism may not be the default setting for a tool that comes pre-installed with a device, such as a browser or operating system.
- Example: An operating system manufacturer bundles a browser pre-installed with every device shipped with the operating system. The browser sends a Universal Opt-Out Mechanism signal by default and never asks the Consumer to enable this setting. The Consumer’s decision to use this browser does not represent the Consumer’s affirmative, freely given, and unambiguous choice to use the Universal Opt-Out Mechanism because it is a default choice. This is so even if the marketing for the operating system touts its privacy protective features.
- Example: An operating system manufacturer bundles a browser and apps pre-installed with every device shipped with the operating system. The first time a Consumer runs a browser or app, the operating system asks the Consumer specifically and clearly whether they want to opt out of the Sale of their Personal Data using a Universal Opt-Out Mechanism signal when using the browser or app. No choice is pre-selected, meaning the Consumer is forced to decide. The Consumer’s decision to select “yes” to enable the signal to opt out of the Sale of Personal Data represents the Consumer’s affirmative, freely given, and unambiguous choice to use the Universal Opt-Out Mechanism.
B. Notwithstanding 4 CCR 904-3, Rule 5.04(A), a Consumer’s decision to adopt a tool that does not come pre-installed with a device, such as a browser or operating system, but is marketed as a tool that will exercise a user’s rights to opt out of the Processing of Personal Data using a Universal Opt-Out Mechanism, shall be considered the Consumer's affirmative, freely given, and unambiguous choice to use a Universal Opt-Out Mechanism. The marketing for such a tool may also describe functionality other than the exercise of opt-out rights, and it need not refer specifically to opt-out rights in the State of Colorado.
- Example: A browser manufacturer markets its browser as a “privacy-friendly” browser, prominently highlighting that the browser sends a Universal Opt-Out Mechanism signal by default. The browser does not come pre-installed with a device or operating system and must be installed by the Consumer. The Consumer’s decision to use this browser represents the Consumer’s affirmative, freely given, and unambiguous choice to use the Universal Opt-Out Mechanism. The Consumer need not be given an explicit choice about whether to use the Universal Opt-Out Mechanism in this example.
Rule 5.05 Personal Data Use Limitations
A. A platform, developer, or provider providing a Universal Opt-Out Mechanism shall not use, disclose, or retain any Personal Data collected from the Consumer in connection with the Consumer’s utilization of the mechanism for any purpose other than sending or processing the opt-out preference. For example, the fact that a particular device sends a Universal Opt-Out Mechanism may not be used as part of a digital fingerprint to later identify that device.
B. When processing a Universal Opt-Out Mechanism, a Controller may not require the collection of additional Personal Data beyond that which is strictly necessary to authenticate a Consumer is a resident of Colorado, determine that the mechanism represents a legitimate request to opt out of the Processing of Personal Data as permitted by C.R.S. § 6-1-1306(1)(a)(IV), or comply with the authentication mandates of the law of another jurisdiction specifically regarding universal opt-out mechanisms or signals.
- Example: The law of a state other than Colorado obligates Controllers to gather specific pieces of information from a user before the Controller honors the use of a Universal Opt-Out Mechanism by that user. This additional information may be gathered while processing a Universal Opt-Out Mechanism, even if it is not otherwise “strictly necessary to authenticate a Consumer is a resident of Colorado or determine that the mechanism represents a legitimate request."
C. Notwithstanding 4 CCR 904-3, Rule 5.05(B), a Controller may provide the Consumer with an option to provide additional Personal Data only if it will extend the recognition of the Consumer’s use of the Universal Opt-Out Mechanism across platforms, devices, or offline. For example, a Controller may give the Consumer the option to provide their phone number or email address so that the Universal Opt-Out Mechanism or signal can apply to offline Sale of Personal Data or link the Consumer’s opt-out choice across devices. Any information provided by the Consumer for this purpose shall not be used, disclosed, or retained for any purpose other than processing the opt-out request.
D. The Controller shall implement and maintain reasonable data security measures, consistent with 4 CCR 904-3, Rule 6.09, in Processing any Personal Data relating to the Consumer’s use of a Universal Opt-Out Mechanism.
Rule 5.06 Technical Specification
A. A Universal Opt-Out Mechanism must allow for Consumers to automatically communicate their opt-out choice with multiple Controllers.
- The Universal Opt-Out Mechanism may communicate a Consumer’s opt-out choice by sending an opt-out signal. The signal must be in a format commonly used and recognized by Controllers. An example would be an HTTP header field or JavaScript object.
B. The Universal Opt-Out Mechanism must allow Consumers to clearly communicate one or more opt-out rights available under C.R.S. § 6-1-1306(1)(a)(IV).
- The Universal Opt-Out Mechanism may allow for a Consumer to opt out of Processing for one or more of the Opt-Out Purposes.
C. The Universal Opt-Out Mechanism must store, Process, and transmit any Consumer Personal Data using reasonable data security measures, consistent with 4 CCR 904-3, Rule 6.09.
D. A Universal Opt-Out Mechanism must not prevent the Controller’s ability to determine:
- Whether a Consumer is a Resident of the State of Colorado; or
- That the Universal Opt-Out Mechanism represents a legitimate request to opt out of the Processing of Personal Data.
E. A Universal Opt-Out Mechanism must not unfairly disadvantage any Controller. For example, a Universal Opt-Out Mechanism may not engage in self-dealing benefiting the creator of the Universal Opt-Out Mechanism over other Controllers.
Rule 5.07 System for Recognizing Universal Opt-Out Mechanisms
A. The Colorado Department of Law shall maintain a public list of Universal Opt-Out Mechanisms that have been recognized to meet the standards of this subsection. The initial list shall be released no later than January 1, 2024, and shall be updated periodically.
B. The goal of the public list is to simplify the options facing Controllers, Consumers, and other actors.
C. To be recognized, a Universal Opt-Out Mechanism must at a minimum meet these standards:
- Comply with all of the technical and other specifications of Rule 5; and
- Not create Consumer or Controller confusion about the similarities and differences between Universal Opt-Out Mechanisms on the public list.
D. The Colorado Department of Law may consider additional factors when determining which Universal Opt-Out Mechanisms to recognize. These include but are not limited to:
- Commercial adoption by Consumers or Controllers;
- Ease and cost of use, implementation, and detection by Consumers and Controllers;
- Whether the Universal Opt-Out Mechanism has been approved by a widely recognized, legitimate standards body after broad multistakeholder participation in the standards-making process; and
- Whether the Universal Opt-Out Mechanism is based on an open system or standard, and whether such standard is free for adoption by device, operating system, browser, and other manufacturers, Controllers, or Consumers without permission or on fair, reasonable, and non-discriminatory terms.
E. The public list shall describe recognized Universal Opt-Out Mechanisms in enough technical detail to permit Controllers to identify them when used by Consumers.
F. The Colorado Department of Law will allow Controllers six (6) months to recognize a Universal Opt-Out Mechanism once that Mechanism is added to the public list.
Rule 5.08 Obligations on Controllers
A. Effective July 1, 2024:
- A Controller that receives an opt-out request through a Universal Opt-Out Mechanism shall treat such as a valid request to opt out of the Processing of Personal Data for purposes of Targeted Advertising, Sale of Personal Data, or both purposes, as indicated by the mechanism, for the associated browser or device, and, if known, for the Consumer.
- After receiving a valid opt-out request through the use of a Universal Opt-Out Mechanism, a Controller shall continue to treat the browser, device, and Consumer as having exercised opt-out rights until the Consumer Consents to the Sale of Personal Data or Processing of Personal Data for Targeted Advertising, as specified in 4 CCR 904-3, Rule 5.09.
- A Controller shall be capable of recognizing any Universal Opt-Out Mechanism reflected in the public list maintained by the Colorado Department of Law pursuant to subsection 4 CCR 904-3, Rule 5.07 provided the Controller has had at least six months’ notice of the addition of new mechanisms. For example, in the case of a recognized Universal Opt-Out Mechanism sent as a signal, the Controller must listen for the signal.
B. A Controller may also recognize Universal Opt-Out Mechanisms that are not reflected in the public list maintained by the Colorado Department of Law pursuant to subsection 4 CCR 904-3, Rule 5.07.
C. Notwithstanding 4 CCR 904-3, Rule 5.08(A), a Controller may choose to honor an opt-out request received through a Universal Opt-Out Mechanism prior to July 1, 2024, pursuant to C.R.S. § 6-1-1306(a)(IV)(A).
D. Unless a Controller is Authenticating a Consumer as permitted by C.R.S. § 6-1-1313(2)(f), a Controller may not require a Consumer to log in or otherwise Authenticate themself as a condition of recognizing the Consumer’s use of a Universal Opt-Out Mechanism. A Controller may not subject a Consumer to undertake any authentication actions that are unnecessary or unnecessarily burdensome.
E. A Controller may display in a conspicuous manner if it has Processed the Consumer’s opt-out preference signal. For example, the Controller may display on its website “Opt-Out Preference Signal Honored” when a browser, device, or Consumer utilizing a Universal Opt-Out Mechanism visits the website.
F. Pursuant to C.R.S. § 6-1-1313(2)(f), a Controller may authenticate that the user sending an opt-out request through a Universal Opt-Out Mechanism is a Resident of Colorado, but they are not obligated to do so.
Rule 5.09 Consent After Universal Opt-Out
A. A Controller may enable a Consumer to Consent to Processing that the Consumer has opted out of using a Universal Opt-Out mechanism, so long as the Controller’s request for Consent complies with the Consent requirements provided in C.R.S. § 6-1-1306(1)(a)(IV)(C), and 4 CCR 904-3, Rule 7.05.
B. A Controller shall not interpret the absence of a Universal Opt-Out Mechanism signal after the Consumer previously utilized a Universal Opt-Out Mechanism as Consent to opt back in.
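The following is an added illustration, not text of the rules and not any Controller's or mechanism provider's code, of how a Controller's server might apply Rules 5.06(A)(1), 5.08(A) and 5.09 together: read an opt-out signal carried in an HTTP header field, record the opt-out for the browser or device and, if known, the Consumer, and keep treating them as opted out when a later request carries no signal, until a Consent is recorded. The rules do not name a specific signal; the example assumes the Sec-GPC request header of the Global Privacy Control specification (value "1" means opted out) and assumes a received signal expresses both Opt-Out Purposes. The device and consumer identifiers are assumed to be ones the Controller already holds, consistent with Rule 5.05(B); the sample identifiers and headers in the walk-through are constructed.

```javascript
// Added example: Controller-side handling of a Universal Opt-Out Mechanism
// signal under Rules 5.06, 5.08 and 5.09. Not part of the Colorado rules.
// Assumption: the signal is the Sec-GPC HTTP header ("1" = opted out) and
// expresses both Opt-Out Purposes; the rules themselves name no signal.

const OPT_OUT_PURPOSES = Object.freeze(["targetedAdvertising", "sale"]);

// Rule 5.06(A)(1): read the opt-out signal from request headers. Node.js
// lower-cases incoming header names. Returns the Set of purposes the signal
// opts out of, or null when no signal is present or it is not an opt-out.
function parseOptOutSignal(headers) {
  const raw = headers["sec-gpc"];
  if (raw === undefined) return null;
  // GPC defines only the exact value "1" as an opt-out; any other value is
  // treated as no signal rather than guessed at.
  return String(raw).trim() === "1" ? new Set(OPT_OUT_PURPOSES) : null;
}

// Rule 5.08(A)(1)-(2): opt-out state keyed by browser/device id and, when
// known, by consumer id. In-memory here; a real deployment persists it.
class OptOutStore {
  constructor() {
    this.state = new Map(); // subjectId -> Set of opted-out purposes
  }

  recordOptOut(subjectId, purposes) {
    const current = this.state.get(subjectId) ?? new Set();
    for (const p of purposes) current.add(p);
    this.state.set(subjectId, current);
  }

  // Rule 5.09(A): only an affirmative Consent (collected per Rule 7.05, out
  // of scope here) removes an opt-out, and only for the purposes consented to.
  recordConsent(subjectId, purposes) {
    const current = this.state.get(subjectId);
    if (!current) return;
    for (const p of purposes) current.delete(p);
  }

  optedOut(subjectId) {
    return this.state.get(subjectId) ?? new Set();
  }
}

// Per-request decision. Returns which purposes are currently opted out for
// this request, as a plain object the application consults before Selling
// Personal Data or serving Targeted Advertising.
function processRequest(store, headers, deviceId, consumerId = null) {
  const signal = parseOptOutSignal(headers);
  if (signal) {
    // A valid signal opts out the device and, if known, the Consumer.
    store.recordOptOut(deviceId, signal);
    if (consumerId) store.recordOptOut(consumerId, signal);
  }
  // Rule 5.09(B): when no signal is present nothing is cleared; a previous
  // opt-out keeps applying until Consent is recorded.
  const effective = new Set([
    ...store.optedOut(deviceId),
    ...(consumerId ? store.optedOut(consumerId) : []),
  ]);
  return Object.fromEntries(
    OPT_OUT_PURPOSES.map((p) => [p, effective.has(p)]),
  );
}

// Constructed walk-through (identifiers and headers are made up).
function demo() {
  const store = new OptOutStore();
  // Visit 1: the browser sends the signal while the Consumer is logged in.
  const first = processRequest(store, { "sec-gpc": "1" }, "device-A", "consumer-7");
  // Visit 2: the same Consumer on another device, with no signal at all.
  const second = processRequest(store, {}, "device-B", "consumer-7");
  // Visit 3: Consent obtained for Sale only. Consent must be recorded for
  // every subject the opt-out was recorded against, or the other still applies.
  store.recordConsent("consumer-7", ["sale"]);
  store.recordConsent("device-A", ["sale"]);
  const third = processRequest(store, {}, "device-A", "consumer-7");
  return { first, second, third };
}
```

In the walk-through, the second visit is opted out of both purposes even though the request carried no signal, because the opt-out was recorded against the known Consumer on the first visit; the third visit remains opted out of Targeted Advertising because Consent was given only for Sale.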
PART 6 Duties of Controllers
Rule 6.01 Authority and Purpose
A. The statutory authority for the rules in this Part 6 is C.R.S. §§ 6-1-108(1), 6-1-1308, and 6-1-1313. The purpose of the rules in this Part 6 is to provide clarity on the duties of Controllers concerning the Personal Data of Colorado Consumers.
Rule 6.02 Privacy Notice Principles
A. A privacy notice shall provide Consumers with a meaningful understanding and accurate expectations of how their Personal Data will be Processed. It shall also inform Consumers about their rights under the Colorado Privacy Act and provide any information necessary for Consumers to exercise those rights.
B. A Controller is not required to provide a separate Colorado-specific privacy notice or section of a privacy notice as long as the Controller’s privacy notice meets all requirements of this section and makes clear that Colorado Consumers are entitled to the rights provided by C.R.S. § 6-1-1306.
C. A privacy notice shall comply with all requirements for disclosures and communications to Consumers provided in 4 CCR 904-3, Rule 3.02.
D. A privacy notice must be clear. Information contained in a privacy notice shall be:
- Concrete and definitive, avoiding abstract or ambivalent terms that may lead to varying interpretations.
- Clearly labeled, such that Consumers seeking to understand a Controller’s Processing activities or how to exercise their Data Rights can easily access the section of the privacy notice containing relevant information.
E. A privacy notice must be easily accessible. A privacy notice must be:
- Posted online through a conspicuous link using the word “privacy” on the Controller’s website homepage or on a mobile application’s app store page or download page. A Controller that maintains an application on a mobile or other device shall also include a link to the privacy notice in the application’s settings menu.
a. A Controller that does not operate a website shall make the privacy notice conspicuously available to Consumers through a medium regularly used by the Controller to interact with Consumers. For instance, if a Controller interacts with a Consumer offline, an offline version of the privacy notice must be available to the Consumer.
F. A privacy notice must be specific. The level of specificity in a privacy notice should enable a Consumer to understand, in advance or at the time of the Processing, the scope of the Controller’s Processing operations, such that a Consumer should not be taken by surprise at a later point about Personal Data that has been collected and the ways in which Personal Data has been Processed.
Rule 6.03 Privacy Notice Content
A. A privacy notice must include the following information:
- A comprehensive description of the Controller’s online and offline Personal Data Processing practices, including but not limited to the following, linked in a way that gives Consumers a meaningful understanding of how each category of their Personal Data will be used when they provide that Personal Data to the Controller for a specified purpose:
- a. The categories of Personal Data Processed, including, but not limited to, whether Personal Data of a Child or other Sensitive Data is Processed.
- i. Categories shall be described in a level of detail that provides Consumers a meaningful understanding of the type of Personal Data Processed. For example, categories of Personal Data described at a sufficiently granular level of detail include, but are not limited to: “contact information,” “government issued identification numbers,” “payment information,” “Information from Cookies,” “data revealing religious affiliation,” and “medical data.”
- b. The Processing purpose described in a level of detail that gives Consumers a meaningful understanding of how each category of their Personal Data is used when provided for that Processing purpose.
- c. Whether the Personal Data provided for a specific purpose will be sold or used for Targeted Advertising or Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer.
- d. Categories of Personal Data that the Controller Sells to or shares with Third Parties, if any.
- e. Categories of Third Parties to whom the Controller sells, or with whom the Controller shares Personal Data, if any. Categories of Third Parties must be described in a level of detail that gives Consumers a meaningful understanding of the type of, business model of, or processing conducted by the Third Party.
- i. For example, categories of Third Parties described in a sufficiently granular level of detail include, but are not limited to: “analytics companies,” “data brokers,” “third-party advertisers,” “payment processors,” “lenders,” “other merchants,” and “government agencies.”
- If a Controller’s Processing activity involves the Processing of Personal Data for the purpose of Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer, all disclosures required by 4 CCR 904-3, Rule 9.03.
- A list of the Data Rights available.
- A description of the methods through which a Consumer may submit requests to exercise Data Rights, as required by C.R.S. § 6-1-1306(1) and 4 CCR 904-3, Rule 4.02, including:
- a. Instructions on how to use each method.
- b. Instructions on how an Authorized Agent may submit a request to opt out of the Processing of Consumer Personal Data on a Consumer’s behalf pursuant to C.R.S. § 6-1-1306(1)(a)(II).
- c. A clear and conspicuous method to exercise the right to opt out of the Processing of Personal Data concerning the Consumer pursuant to C.R.S. § 6-1-1306(1)(a)(I) and (1)(a)(III), or links to any online method, such as a webform or portal, consistent with 4 CCR 904-3, Rule 4.03.
- d. A description of the commercially reasonable process the Controller uses to Authenticate the identity of a Consumer exercising a Data Right request or to Authenticate the authority of an Authorized Agent exercising the right to opt out on a Consumer’s behalf.
- e. Effective July 1, 2024, an explanation of how requests to opt out using Universal Opt-Out Mechanisms will be processed.
- If a Controller will delete Sensitive Data Inferences within twenty-four (24) hours pursuant to 4 CCR 904-3, Rule 6.10, a description of the Sensitive Data Inferences subject to this provision and the retention and deletion timeline for such Sensitive Data Inferences.
- A Controller’s contact information.
- Instructions on how a Consumer may appeal a Controller’s action in response to the Consumer’s request, as contemplated by C.R.S. § 6-1-1306(3).
- The date the privacy notice was last updated.
Rule 6.04 Changes to a Privacy Notice
A. A Controller shall notify Consumers of material changes to a privacy notice. Such changes to a privacy notice shall be communicated to Consumers in a manner by which the Controller regularly interacts with Consumers.
- Material changes may include, but are not limited to, changes to: (1) categories of Personal Data Processed; (2) Processing purposes; (3) a Controller’s identity; (4) the act of sharing of Personal Data with Third Parties; (5) categories of Third Parties Personal Data is shared with; or (6) methods by which Consumers can exercise their Data Rights request.
B. If a material change rises to the level of a secondary use, a Controller must obtain Consent from a Consumer pursuant to 4 CCR 904-3, Rules 7.02-7.05 in order to Process Personal Data that was collected before the change to the privacy notice for that Secondary Use.
Rule 6.05 Loyalty Programs
A. Pursuant to 6-1-1308(1)(d), a Controller is not prohibited from offering Bona Fide Loyalty Program Benefits to a Consumer based on the Consumer’s voluntary participation in a Bona Fide Loyalty Program.
B. If a Consumer exercises their right to delete Personal Data such that it is impossible for the Controller to provide a certain Bona Fide Loyalty Program Benefit to the Consumer, the Controller is no longer obligated to provide that Bona Fide Loyalty Benefit to the Consumer. However, the Controller shall provide any available Bona Fide Loyalty Program Benefit for which the deleted Personal Data is not necessary.
C. If a Consumer exercises their right to opt out of the Sale of Personal Data or Processing of Personal Data for Targeted Advertising, such that the exchange of Personal Data needed to obtain a Bona Fide Loyalty Program Benefit through a Bona Fide Loyalty Program Partner is no longer possible, the Controller is no longer obligated to provide that Bona Fide Loyalty Program Benefit to the Consumer.
- If the Controller’s Bona Fide Loyalty Program offers Bona Fide Loyalty Program Benefits that are unrelated to the exchange of Personal Data with a Bona Fide Loyalty Program Partner, the Controller shall continue to provide those Benefits to a Consumer who opts out of the Sale of Personal Data or Processing of Personal Data for Targeted Advertising.
- The sale of Personal Data or Processing of Personal Data for Targeted Advertising that is unrelated to sharing of information with a Bona Fide Loyalty Program Partner is a Secondary Use that requires Consent pursuant to 4 CCR 904-3, Rule 6.08.
D. If a Consumer refuses to Consent to the Processing of Sensitive Data necessary for a personalized Bona Fide Loyalty Program Benefit, the Controller is no longer obligated to provide that personalized Bona Fide Loyalty Program Benefit. However, the Controller shall provide any available, non-personalized Bona Fide Loyalty Program Benefit for which the Sensitive Data is not necessary. A Controller may not condition a Consumer’s participation in a Bona Fide Loyalty Program on the Consumer’s Consent to Process Sensitive Data unless the Sensitive Data is required for all Bona Fide Loyalty Program Benefits.
E. If a Consumer’s decision to exercise a Data Right impacts the Consumer’s membership in a Bona Fide Loyalty Program, the Controller shall notify the Consumer of the impact of the Consumer’s decision in conformance with 4 CCR 904-3, Rule 3.02 and at least twenty-four (24) hours before discontinuing the Consumer’s Bona Fide Loyalty Program Benefit or membership, and must provide a reference or link to the information required by subparagraph F, below.
F. Loyalty Program Disclosures
- In addition to all other disclosures required by 4 CCR 904-3, Rules 6.03 and 7.03, a Controller maintaining a Bona Fide Loyalty Program must provide the following disclosures at the point of program registration, either directly, or in the form of a link to the specific section of a privacy notice or terms and conditions containing such information:
a. The categories of Personal Data or Sensitive Data collected through the Bona Fide Loyalty Program that will be Sold or Processed for Targeted Advertising, if any.
b. Categories of Third Parties that will receive the Consumer’s Personal Data and Sensitive Data, provided in the level of detail described in 4 CCR 904-3, Rule 6.03(A)(1)(e), including whether Personal Data will be provided to Data Brokers.
c. A list of any Bona Fide Loyalty Program Partners, and the Bona Fide Loyalty Program Benefits provided by each Bona Fide Loyalty Program Partner.
d. If a Controller claims that a Consumer’s decision to delete Personal Data makes it impossible to provide a Bona Fide Loyalty Program Benefit, then the Controller shall provide an explanation of why the deletion of Personal Data makes it impossible to provide a Bona Fide Loyalty Program Benefit.
e. If a Controller claims that a Consumer’s Sensitive Data is required for a Bona Fide Loyalty Program Benefit, then the Controller shall provide an explanation of why the Sensitive Data is required for a Bona Fide Loyalty Program Benefit.
- Bona Fide Loyalty Program terms and requests for Consent to Process Sensitive Data or Personal Data in connection with the Bona Fide Loyalty Program shall also include a link to the Controller’s privacy notice.
G. Example: A Consumer joins a grocery store’s Bona Fide Loyalty Program that includes both personalized and non-personalized Bona Fide Loyalty Program Benefits. The grocery store asks the Consumer for Consent to collect Sensitive Data about the Consumer in order to provide personalized Bona Fide Loyalty Program Benefits. When the Consumer refuses Consent, the Controller gives timely notice to the Consumer that it will not provide the personalized Bona Fide Loyalty Program Benefits, but will continue to provide non-personalized Bona Fide Loyalty Program Benefits. Moving forward, the Controller provides only the non-personalized Bona Fide Loyalty Program Benefits following the Consumer’s decision to continue to refuse Consent to the collection of Sensitive Data. The Controller is not acting impermissibly because the grocery store is still providing all available non-personalized Bona Fide Loyalty Program Benefits and did not condition the Consumer’s participation in the Bona Fide Loyalty Program on the Consumer's Consent to process Sensitive Data that is not required for personalized Bona Fide Loyalty Program Benefits.
H. Example: A Consumer joins a hotel chain’s Bona Fide Loyalty Program, which provides points that can be applied to obtain discounts for that hotel chain, and for a popular restaurant chain that is not otherwise affiliated with the hotel chain. The restaurant chain requires the hotel chain to provide the Personal Data of each Consumer who wishes to apply the hotel chain’s points to obtain restaurant discounts. When the Consumer opts out of the Sale of Personal Data and Processing of Personal Data for Targeted Advertising, the Controller is unable to provide the required information to the restaurant chain. The Controller may discontinue the Bona Fide Loyalty Program Benefit that allows Consumers to use points for discounts for the restaurant chain. However, the hotel chain must still provide all available Bona Fide Loyalty Benefits to be used at the hotel chain.
I. Example: A Consumer joins a retailer’s Bona Fide Loyalty Program that offers discounts on products based on the Consumer’s purchase history. The retailer wishes to fund the loyalty program, in part, by selling the Consumer’s purchase history to a Data Broker. The retailer must obtain the Consumer’s Consent to Sell the Consumer’s Personal Data to the Data Broker because selling Personal Data obtained through a Bona Fide Loyalty Program to a Data Broker is a secondary use.
J. Example: A Consumer exercises their right to opt out of the Processing of Personal Data for Targeted Advertising. An online gaming company gives the Consumer fewer free games through the company’s service, arguing that the additional free games are for members of its loyalty program, which requires the use of Personal Data for Targeted Advertising. The company’s differential treatment is prohibited if the Processing of Personal Data is not necessary to provide the additional games. However, if the free games are provided by a Bona Fide Loyalty Program Partner that requires the Consumer data for Targeted Advertising through a co-marketing agreement with the Controller, the differential treatment may be appropriate.
Rule 6.06 Purpose Specification
A. Controllers shall specify the express purposes for which each category of Personal Data is collected and processed in both external disclosures to Consumers, including privacy notices required by C.R.S. § 6-1-1308(1), as well as in any internal documentation required by this Part 6.
B. The express purpose must be described in a level of detail that gives Consumers a meaningful understanding of how each category of their Personal Data is used when provided for that Processing purpose.
C. If Personal Data is collected and processed for more than one purpose, Controllers should specify each unrelated purpose with enough detail to allow Consumers to understand each individual, unrelated purpose.
- Controllers should not identify one broad purpose to justify numerous Processing activities that are only remotely related.
- Controllers should not specify one broad purpose to cover potential future Processing activities that are only remotely related.
- Controllers should not specify so many purposes for which Personal Data could potentially be processed to cover potential future Processing activities that the purpose becomes unclear or uninformative.
D. If the Processing purpose has evolved beyond the original express purpose such that it becomes a distinct purpose that is no longer reasonably necessary to or compatible with the original express purpose, the Controller must review and update all related disclosures and documentation as necessary.
Rule 6.07 Data Minimization
A. To ensure all Personal Data collected is reasonably necessary for the specified purpose, Controllers shall carefully consider each Processing purpose and determine the minimum Personal Data that is necessary, adequate, or relevant for the express purpose or purposes.
B. Personal Data should only be kept in a form which allows identification of Consumers for as long as is necessary for the express Processing purpose(s). To ensure that the Personal Data are not kept longer than necessary, adequate, or relevant, Controllers shall set specific time limits for erasure or to conduct a periodic review.
- Any Personal Data determined to no longer be necessary, adequate, or relevant to the express Processing purpose(s) shall be deleted by the Controller and any Processors that the Controller has shared the Personal Data with.
- Biometric Identifiers, a digital or physical photograph of a person, an audio or voice recording containing the voice of a person, or any Personal Data generated from a digital or physical photograph or an audio or video recording held by a Controller shall be reviewed at least once a year to determine if its storage is still necessary, adequate, or relevant to the express Processing purpose. Such assessment shall be documented according to 4 CCR 904-3, Rule 6.11.
- Sensitive Data for which Controllers no longer have consent to Process should be deleted or otherwise rendered permanently anonymized or inaccessible within a reasonable period of time after withdrawal of Consent.
C. A Controller shall not collect Personal Data other than those disclosed in its required privacy notice. If the Controller intends to collect additional Personal Data, the Controller shall revise its privacy notice, and notify Consumers of the change to its privacy notice pursuant to 4 CCR 904-3, Rule 6.04.
Rule 6.08 Secondary Use
A. The specified Processing purpose is the purpose disclosed to Consumers at or before the time the Personal Data is collected or processed from Consumers. Such disclosure shall be included in any required privacy notice or Consent disclosure.
B. Before Processing Personal Data for purposes that are not reasonably necessary to or compatible with specified Processing purpose(s) disclosed on or after July 1, 2023, the Controller must obtain Consent consistent with C.R.S. § 6-1-1308 and 4 CCR 904-3, Rules 7.02-7.05.
C. When considering if the new Processing purpose is reasonably necessary to or compatible with the original specified purpose(s), Controllers may consider the following, as applicable:
- The reasonable expectation of an average Consumer concerning how their Personal Data would be Processed once it was collected.
- The link between the original specified purpose(s) for which the data was collected and the purpose(s) of further Processing.
- The relationship between the Consumer and the Controller and the context in which the Personal Data was collected.
- The type, nature, and amount of the Personal Data subject to the new Processing purpose.
- The type and degree of possible consequence or impact to the Consumer of the new Processing purpose.
- The identity of the entity conducting the new Processing purposes, e.g., the same or different Controller, or a Third Party.
- The existence of additional safeguards for the Personal Data, such as encryption or pseudonymization.
Rule 6.09 Duty of Care
A. Personal Data must be processed in a manner that ensures reasonable and appropriate administrative, technical, organizational, and physical safeguards of Personal Data collected, stored, and processed.
B. When determining reasonable and appropriate safeguards, Controllers should consider:
- Applicable industry standards and frameworks.
- The nature, size, and complexity of the Controller’s organization.
- The sensitivity and amount of Personal Data.
- The original source of Personal Data.
- The risk of harm to Consumers resulting from unauthorized or unlawful access, use, or degradation of the Personal Data.
- The burden or cost of safeguards to protect Personal Data from harm as assessed in 4 CCR 904-3, Rule 6.09(B)(5).
C. Reasonable and appropriate administrative, technical, organizational, and physical safeguards must be designed to:
- Protect against unauthorized or unlawful access to or use of Personal Data and the equipment used for processing and against accidental loss, destruction, or damage.
- Ensure the confidentiality, integrity, and availability of Personal Data collected, stored, and processed.
- Identify and protect against reasonably anticipated threats to security or the integrity of information.
- Oversee compliance with data security policies by the Controller and Processors through reasonable requirements.
D. Reasonable and appropriate safeguards to secure Personal Data include but are not limited to those measures provided by C.R.S. § 6-1-713.5 and C.R.S. § 24-73-102, as interpreted by state courts and administrative orders.
Rule 6.10 Duty Regarding Sensitive Data
A. Controllers must obtain Consent to Process Sensitive Data, including Sensitive Data Inferences, consistent with C.R.S. § 6-1-1308(7) and 4 CCR 904-3, Rules 7.02-7.05.
B. Controllers may be exempt from obtaining Consent to Process Sensitive Data Inferences from Consumers over the age of thirteen (13) only if:
- The Processing purpose of such Personal Data would be obvious to a reasonable Consumer based on the context of the collection and use of the Personal Data, and the relationship between the Controller and Consumer.
- Sensitive Data Inferences are permanently deleted within twenty-four (24) hours of collection or of the completion of the Processing activity, whichever comes first.
- Sensitive Data Inferences are not transferred, sold, or shared with any Processors, Affiliates, or Third-Parties.
- The Personal Data and any Sensitive Data Inferences are not processed for any purpose other than the express purpose disclosed to the Consumer.
C. If a Controller will delete Sensitive Data Inferences within twenty-four (24) hours, pursuant to this section, they must:
- Include a description of the Sensitive Data Inferences subject to this provision and the retention and deletion timeline for such Sensitive Data Inferences in its privacy notice, pursuant to 4 CCR 904-3, Rule 6.03.
- Include the details of the deletion and verification process in the Controller’s Data Protection Assessment, pursuant to 4 CCR 904-3, Rule 8.04.
Rule 6.11 Documentation Concerning Duties of Controllers
A. Controllers shall maintain records of all Consumer Data Rights requests made pursuant to C.R.S. § 6-1-1306 for at least twenty-four (24) months. Such records shall include, at a minimum, each of the following:
- The date of request;
- The Consumer Data Rights request type;
- The date of the Controller’s response;
- The nature of the Controller’s response;
- The basis for the denial of the request if the request is denied in whole or in part; and
- The existence and resolution of any Consumer appeal to a denied request.
B. Controllers shall maintain a record of all Data Rights requests made pursuant to C.R.S. § 6-1-1306 with which the Controller has previously complied. Such records shall be retained for at least twenty-four (24) months and shall be made available at the completion of a merger, acquisition, bankruptcy, or other transaction in which a Third Party assumes control of Personal Data to ensure any new Controller continues to recognize the Consumer’s previously exercised Data Rights.
C. Controllers shall maintain documents sufficient to demonstrate compliance with 4 CCR 904-3, Rules 6.07, 6.08, and 7.06 for as long as the Processing activity continues, and for at least twenty-four (24) months after the conclusion of Processing activity.
D. Required records shall be maintained in a readable format, appropriate to the sophistication and size of the Controller’s business.
E. The Controller shall implement and maintain reasonable security procedures and practices, consistent with 4 CCR 904-3, Rule 6.09, in maintaining all required records.
F. Personal Data maintained pursuant to this 4 CCR 904-3, Rule 6.11, where that information is not used for any other purpose, shall not be subject to Data Rights requests.
G. Personal Data maintained for required documentation shall not be used for any other purpose except as reasonably necessary for the business to review and modify its processes for compliance with the Colorado Privacy Act, C.R.S. § 6-1-1301, et seq., and these rules. Personal Data maintained for required documentation shall not be shared with any Third Party except as necessary to comply with a legal obligation or as part of a merger, acquisition, bankruptcy, or other transaction in which a Third Party assumes control of Personal Data.
H. Other than as required by this subsection and 4 CCR 904-3, Rule 4.06, a Controller is not required to retain Personal Data solely for the purpose of fulfilling a Data Rights request made under the Colorado Privacy Act, C.R.S. § 6-1-1301, et seq.
Part 7 Consent
Rule 7.01 Authority and Purpose
A. The statutory authority for the rules in this Part 7 is C.R.S. §§ 6-1-108(1), 6-1-1303(5), 6-1-1306, 6-1-1308, and 6-1-1313. The purpose of the rules in this Part 7 is to provide clarity on the requirements to obtain Consent when Consent is required under the statute, including the prohibition against obtaining agreement through the use of Dark Patterns.
Rule 7.02 Required Consent
A. Pursuant to C.R.S. §§ 6-1-1303(5), 6-1-1306(1)(a)(IV)(C), 6-1-1308(4), and 6-1-1308(7), a Controller must obtain valid Consumer Consent prior to:
- Processing a Consumer’s Sensitive Data;
- Processing Personal Data concerning a known Child, in which case the Child’s parent or lawful guardian must provide Consent;
- Selling a Consumer’s Personal Data, Processing a Consumer’s Personal Data for Targeted Advertising, or Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer after the Consumer has exercised the right to opt out of the Processing for those purposes; and
- Processing Personal Data for purposes that are not reasonably necessary to, or compatible with, the original specified purposes for which the Personal Data are Processed.
B. Controllers may rely upon valid Consent obtained prior to July 1, 2023, to continue to Process a Consumer’s previously collected Personal Data, including Sensitive Data, collected before July 1, 2023. Consent obtained before July 1, 2023, shall be considered valid only if it would comply with the requirements set forth in C.R.S. §§ 6-1-1303(5), 6-1-1306(1)(a)(IV)(C), 6-1-1308(4), and 6-1-1308(7) and Part 7 of these rules.
- Controllers that do not obtain valid Consent prior to July 1, 2023, to continue to use, store, or otherwise Process Sensitive Data collected prior to this date must obtain valid Consent, as required by C.R.S. §§ 6-1-1303(5), 6-1-1306(1)(a)(IV)(C), 6-1-1308(4), and 6-1-1308(7) and Part 7 of these rules, by July 1, 2024, to continue to Process the previously collected Sensitive Data.
- If a Controller has collected Personal Data prior to July 1, 2023, and the Processing purpose changes after July 1, 2023, such that it is considered a secondary use pursuant to C.R.S. § 6-1-1308(4) and 4 CCR 904-3, Rule 6.08, the Controller must obtain valid Consent, as required by C.R.S. §§ 6-1-1303(5), 6-1-1306(1)(a)(IV)(C), 6-1-1308(4), and 6-1-1308(7) and Part 7 of these rules, at the time the Processing purpose changes to continue to Process the previously collected Personal Data.
C. Notwithstanding the above, a Controller Processing Sensitive Data Inferences is not required to obtain Consent for the Processing activity if the Processing falls within the requirements of 4 CCR 904-3, Rule 6.10.
Rule 7.03 Requirements for Valid Consent
A. To be valid, a Consent must meet each of the following elements: (1) it must be obtained through the Consumer's clear, affirmative action; (2) it must be freely given by the Consumer; (3) it must be specific; (4) it must be informed; and (5) it must reflect the Consumer’s unambiguous agreement.
B. Consent must be obtained through the Consumer’s clear, affirmative action. For purposes of obtaining valid Consent:
- A “clear, affirmative action” means a Consumer’s Consent is communicated through either (a) deliberate and clear conduct, or (b) a statement that clearly indicates their acceptance of the proposed Processing of their Personal Data.
- A blanketed acceptance of general terms and conditions, silence, inactivity or inaction, pre-ticked boxes, and other negative option opt-out constructions that require intervention from the Consumer to prevent agreement are not clear affirmative actions for the purposes of valid Consent.
C. Consent must be freely given. For purposes of obtaining valid Consent:
- Consent is freely given when Consumers may refuse Consent without detriment and withdraw Consent easily at any time.
- Consent is not freely given when:
- It reflects acceptance of general or broad terms of use or similar documents that contain descriptions of Personal Data Processing along with other, unrelated information;
- The performance of a contract is dependent on Consent to Process Personal Data that is not necessary to provide the goods or services contemplated by the contract; or
- The Controller denies goods, services, discounts, or promotions to a Consumer who chooses not to provide Consent, unless:
- The Personal Data is necessary to the provision of those goods, services, discounts, or promotions, consistent with 4 CCR 904-3, Rule 6.05; or
- The Consent is otherwise required in connection with a Consumer’s voluntary participation in a Bona Fide Loyalty Program, consistent with the requirements in 4 CCR 904-3, Rule 6.05.
- Example: An online dating application’s terms and conditions tell users that the application will disclose collected Personal Data, including Sensitive Data revealing sexual orientation, with similar applications for advertising purposes. Consent is required for the disclosure of Sensitive Data with similar applications for advertising purposes. Since users cannot accept the required terms and conditions without the opportunity to separately provide or withhold Consent for sharing with similar applications, the Consent is not freely given.
D. Consent must be specific.
- When Controllers request Consent to Process Personal Data for more than one Processing purpose, and those Processing purposes are not reasonably necessary to or compatible with one another, Consumers must have the ability to separately Consent to each specific purpose.
- Controllers may request Consent to Process Personal Data for multiple Processing purposes that are not reasonably necessary to or compatible with one another using a single Consent request as long as there is also an option for more granular Consent within the same Consent interface.
- Consent to Process Personal Data for one specific purpose does not constitute valid Consent to Process Personal Data for other purposes that are not reasonably necessary to or compatible with that specific purpose.
- The Sale of Sensitive Data to one specific party is not necessary to or compatible with the Sale of Sensitive Data to a different party.
- Example: A cosmetic retailer asks a customer for Consent to use Sensitive Data revealing the customer’s racial origin in order to provide first-party targeted offers to the customer and to Sell the customer’s racial origin information to Data Brokers. This Consent is not specific as there is no opportunity to provide separate Consent for the two separate Processing purposes. Therefore, Consent in this example would not be valid.
- Example: In the example above, the Controller requests Consent only to Sell Sensitive Data revealing the customer’s racial origin with commercial partners. The Controller lists “Fashion Co. #1” and “Make Up Co. #1” as commercial partners who will receive Sensitive Data. Consent would be deemed valid for only these two Third Parties because their identity was provided to the Consumer at the time that his or her Consent was collected. Consent would not be deemed valid for Selling to another Third Party whose identity has not been provided.
E. Consent must be informed.
- When requesting Consent, a Controller must provide the following information, at a minimum:
- The Controller’s identity;
- The plain-language reason that Consent is required;
- The Processing purpose(s) for which Consent is sought;
- The categories of Personal Data that the Controller shall Process to effectuate the Processing purpose(s);
- Names of all Third Parties receiving the Sensitive Data through Sale, if applicable;
- A description of the Consumer’s right to withdraw Consent for the identified Processing purpose at any time in accordance with 4 CCR 904-3, Rule 7.07 and details of how and where to do so; and
- Any disclosures required by 4 CCR 904-3, Rules 6.05 and 9.05.
F. Consent may not be obtained using Dark Patterns as defined in C.R.S. § 6-1-1309(9) and prohibited by 4 CCR 904-3, Rule 7.09. Pursuant to C.R.S. § 6-1-1303(5)(c) and 4 CCR 904-3, Rule 7.09, any agreement obtained through Dark Patterns is not valid Consent.
Rule 7.04 Requests for Consent
A. Controllers shall provide a simple form or mechanism to enable a Consumer to provide Consent when required, including Consent to Processing purposes from which the Consumer has previously opted out. Such a form or mechanism should be easy for a reasonable Consumer to locate and should comply with the other requirements set forth in Part 7 of these rules.
B. Requests for Consent shall be prominent, concise, and separate and distinct from other terms and conditions, and shall comply with all requirements for disclosures and communications to Consumers set forth in 4 CCR 904-3, Rule 3.02.
C. Any Consent request by a Controller must contain the disclosures required by 4 CCR 904-3, Rule 7.03(E)(1) either directly or through a link. Where possible, the request interface itself should contain the disclosures required by 4 CCR 904-3, Rule 7.03(E)(1)(a)-(d). Alternatively, the Controller may provide the Consumer with a link to a webpage containing the required Consent disclosures, provided the request clearly states the title and heading of the webpage section containing the relevant disclosures. If technically feasible, the request method must also link the Consumer directly to the relevant section of the disclosure.
D. Example: A mobile application requests Consent to Process Sensitive Data. The Consent request provides a link to the application’s privacy notice which contains the required Consent disclosures. However, the Consent request does not direct or bring the Consumer to the relevant section of the privacy notice. Consent is not valid because the Consent request does not clearly indicate the title and section where the Consumer can find the required disclosures and did not link the Consumer directly to the relevant section of the privacy notice.
E. Example: Acme Toy Store collects customer email addresses in order to send customers information about product recalls, and maintains those email addresses in a recall email distribution list. Acme Toy Store wants to Sell the recall email distribution list to a Third Party partner to enable that partner to send those customers promotional materials. Acme Toy Store must obtain customer consent prior to Selling the recall email distribution list because Selling the recall email distribution list is not reasonably necessary to or compatible with providing product recall information. Acme Toy Store emails its customers attaching a revised privacy notice disclosing the new Processing purpose and asks customers to Consent to the new privacy notice, but does not state the new purpose in the email, and does not direct customers to the section of the privacy notice disclosing the secondary purpose. Consent is not valid because the email did not contain the required Consent disclosures or direct the customers to a document containing the required Consent disclosures.
- Example: Under the same circumstances, Acme Toy Store emails its customers on the recall distribution list informing those customers that Consent is required for the Acme Toy Store to Process email addresses for the secondary purpose of Selling the recall distribution list to a Third Party partner to enable that partner to send promotional materials, providing all other required disclosures and including a mechanism that enables the customers to provide Consent and to revoke Consent through the same user interface. Consent is valid because the email contained all required Consent disclosures in an acceptable form.
- Example: Under the same circumstances, Acme Toy Store emails the product recall email distribution list informing those customers that it would like to use their email addresses for the secondary purpose of Selling the recall distribution list to a Third Party partner as contemplated in section B.2.e. of its privacy notice, explains that it cannot use the customers’ email addresses for that secondary purpose without their Consent, and requests the customers’ Consent to Process their email address for that secondary purpose. It then provides a link directly to section B.2.e. of its privacy notice which explains that Acme Toy Store Sells customer email addresses, including those Processed for the purpose of product recall notifications, to marketing partners, in addition to all other disclosures. The email provides a Consent mechanism that enables the customers to provide or revoke Consent through the same user interface. Consent is valid because the email and linked page together contained all required disclosures, the email provided the specific section of the relevant disclosures, and the link brought the customers directly to the relevant disclosures.
Rule 7.05 Consent After Opt-Out
A. The Consumer’s decision to Consent to Processing activities from which the Consumer has previously opted out using either a Universal Opt-Out Mechanism or directly with a particular Controller is subject to the requirements for Consent under 4 CCR 904-3, Rules 7.03 and 7.04.
B. A Controller that wishes to obtain Consent to Process Personal Data for an Opt-Out Purpose after the Consumer has opted out of Processing for that Purpose shall not request Consent using schemes that cause consent fatigue, such as interface-dominating cookie banners, high-frequency requests, cookie walls, pop-ups, or any other interstitials that degrade or obstruct the Consumer’s experience on the Controller’s web page or application.
- A Controller may proactively request Consent to Process Personal Data for an Opt-Out Purpose after the Consumer has opted out, by providing a link to a privacy settings page, menu, or similar interface, or comparable offline method, that enables the Consumer to Consent to the Controller Processing the Personal Data for the Opt-Out Purpose, so long as the request for Consent meets all other requirements for valid Consent under this Part 7.
- If a Controller has a reasonable belief that a Consumer intended to opt back into the Sale of Personal Data or Processing of Personal Data for Targeted Advertising, the Controller may proactively send a link to a privacy settings page or other method to enable the Consumer to Consent to the Controller Processing the Personal Data for the Opt-Out Purpose directly to a Consumer.
C. If a Controller conspicuously displays the status of the Consumer’s opt-out choice on the website pursuant to 4 CCR 904-3, Rule 5.08(E), the link to provide Consent may appear beside or in conjunction with the Consumer’s opt-out status.
D. If a Consumer has opted out of the Processing of Personal Data for the Opt-Out Purposes, and then initiates a transaction or attempts to use a product or service inconsistent with the request to opt out, such as signing up for a Bona Fide Loyalty Program that also involves the Sale of Personal Data to a Bona Fide Loyalty Program Partner, the Controller may request the Consumer’s Consent to Process the Consumer’s Personal Data for that purpose, so long as the request for Consent complies with all provisions of 4 CCR 904-3, Rules 7.03 and 7.04.
E. Example: A Consumer opts out of the use of Personal Data for Sale or Targeted Advertising using a Universal Opt-Out Mechanism. The Consumer visits the website of a fashion retailer that routinely shares Consumer Personal Data for Targeted Advertising. The fashion retailer must obtain the Consumer’s Consent because the Consumer has already opted out of Processing for that purpose. The fashion retailer’s website displays a pop-up banner seeking Consent to share the Consumer’s Personal Data for Targeted Advertising. This is not a valid request for Consumer Consent because the request is made through a pop-up banner that degrades or obstructs the Consumer’s experience on the Controller’s web page or application.
F. Example: A Consumer opts out of the use of Personal Data for Sale or Targeted Advertising using a Universal Opt-Out Mechanism. The Consumer visits a fashion retailer’s website. The fashion retailer’s homepage contains a message at the top of the webpage that displays the Consumer’s opt-out status, stating, “You have opted out of targeted advertising” next to a link that states “Opt-in to Data Use”. The linked webpage also meets all requirements of 4 CCR 904-3, Rules 7.03 and 7.04. Consent pursuant to this request is valid.
Rule 7.06 Consent for Children
A. When a Controller engages in Processing activities involving the collection and Processing of Personal Data from a known Child or operates a website or business directed to Children or has actual knowledge that it is collecting or maintaining Personal Data from a Child, the Controller must obtain Consent from the parent or lawful guardian of that Child before collecting or Processing the Child’s Personal Data.
B. A Controller Processing the Personal Data of a Child must make reasonable efforts to obtain verifiable parental Consent, taking into consideration available technology. Any method to obtain verifiable parental Consent must be reasonably calculated, in light of available technology, to ensure that the person providing Consent is the Child's parent or lawful guardian.
C. Reasonably calculated methods for determining that a person Consenting to the Processing of a Child’s Personal Data is the parent or lawful guardian of that Child include, but are not limited to:
- Providing a Consent form to be signed by the parent or guardian under penalty of perjury and returned to the business by postal mail, facsimile, or electronic scan;
- Requiring a parent or guardian, in connection with a monetary transaction, to use a credit card, debit card, or other online payment system that provides notification of each discrete transaction to the primary account holder;
- Having a parent or guardian call a toll-free telephone number staffed by trained personnel;
- Having a parent or guardian connect to trained personnel via videoconference; and
- Verifying a parent or guardian’s identity by checking a form of government-issued identification against databases of such information, as long as the parent or guardian’s identification is deleted by the business from its records promptly after such verification is complete.
D. Any Personal Data collected for purposes of verifying the identity of a parent or legal guardian may not be used for any reason other than Processing these verifications.
Rule 7.07 Refusing or Withdrawing Consent
A. A Consumer shall be able to refuse or revoke Consent as easily and within a similar number of steps as Consent is affirmatively provided.
B. If Consent is obtained through an electronic interface, the Consumer shall be able to refuse or withdraw Consent through the same or similar electronic interface.
C. When using an electronic interface, and when feasible based on the Consumer’s relationship with the Controller, a Controller may allow Consumers to track what Processing activities they have Consented to or opted out of.
D. There shall be no detriment to a Consumer for refusing or withdrawing Consent, consistent with C.R.S. § 6-1-1308(1)(c)(II), and 4 CCR 904-3, Rule 6.05.
- Notwithstanding 4 CCR 904-3 Rule 7.07(D), if a Consumer refuses to Consent to, or withdraws Consent for the Processing of Sensitive Data or Personal Data strictly necessary for a program, product, or service, the Controller is no longer obligated to provide that program, product, or service.
E. If a Consumer withdraws Consent for a Processing activity, subject to Consent under C.R.S. §§ 6-1-1306(1)(a)(IV)(C), 1308(4), and 1308(7), the Controller shall cease that Processing activity and, in the notice required by C.R.S. § 6-1-1306(2), provide the Consumer instructions on how to exercise the right to deletion, provide a link to exercise the right to deletion, or inform the Consumer that information regarding the right to delete their Personal Data can be found in the Controller’s privacy notice.
Rule 7.08 Refreshing Consent
A. When a Consumer has not interacted with a Controller in the prior twenty-four (24) months, the Controller must refresh Consent in compliance with all requirements of this Part 7 to:
- Continue Processing Sensitive Data pursuant to C.R.S. § 6-1-1308(7); or
- Continue Processing Personal Data for a Secondary Use pursuant to C.R.S. § 1308(4), if the Secondary Use involves Profiling for a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services.
B. Controllers are not required to refresh Consent under part A of this section where a Consumer has access and ability to update their opt-out preferences at any time through a user-controlled interface.
C. If a Processing purpose materially evolves such that the new purpose becomes a secondary use pursuant to C.R.S. § 6-1-1308(4), the Consumer’s original Consent is no longer valid, and the Controller must obtain new Consent pursuant to Part 7 of these rules.
Rule 7.09 User Interface Design, Choice Architecture, and Dark Patterns
A. The following principles should be considered when designing a user interface or a choice architecture used to obtain Consent when required under C.R.S. §§ 6-1-1303(5), 6-1-1306(1)(a)(IV)(C), 6-1-1308(4), and 6-1-1308(7):
- Consent choice options should be presented to Consumers in a symmetrical way that does not impose unequal weight or focus on one available choice over another such that a Consumer’s ability to consent is impaired or subverted.
- Example: One choice should not be presented with less prominent size, font, or styling than the other choice. Presenting an “I accept” button in a larger size than the “I do not accept” button would not be considered equal or symmetrical. Presenting an “I do not accept” button in a greyed-out color while the “I accept” button is presented in a bright or obvious color would not be considered equal or symmetrical.
- Example: If multiple choices are offered to a Consumer, it should be equally easy to accept or reject all options. Presenting the option to “accept all” when offering a Consumer the choice to Consent to the use of Sensitive Data for multiple purposes without an option to “reject all” would not be considered equal or symmetrical.
- Consent choice options should avoid the use of emotionally manipulative language or visuals to unfairly, fraudulently, or deceptively coerce or steer Consumer choice or Consent.
- Example: One choice should not be presented in a way that creates unnecessary guilt or shames the user into selecting a specific choice. Presenting the choices “I accept, I want to help endangered species” vs. “No, I don’t care about animals” may be considered unfairly emotionally manipulative.
- Example: The explanation of the choice to Consumers should not include gratuitous information to emotionally manipulate Consumers. Explaining that a mobile application “helps save lives” when asking for Consent to collect Sensitive Data for Targeted Advertising may be considered deceptively emotionally manipulative if the Targeted Advertising is not critical to the lifesaving functionality of the application.
- A Consumer’s silence or failure to take an affirmative action should not be interpreted as acceptance or Consent.
- Example: A Consumer closing a pop-up window which requests Consent without first affirmatively selecting the equivalent of an “I accept” button should not be interpreted as Consent.
- Example: A Consumer navigating forward on a webpage after a Consent choice has been presented without selecting the equivalent of an “I accept” button should not be interpreted as affirmative Consent.
- Example: A Consumer continuing to use a Smart TV without replying “I accept” or “I consent” in reply to a verbal request for Consent should not be interpreted as affirmative Consent.
- Consent choice options should not be presented with a preselected or default option.
- Example: Checkboxes or radio buttons should not be selected automatically when presented to a Consumer.
- A Consumer should be able to select either Consent choice option within a similar number of steps. A Consumer’s ability to exercise a more privacy-protective option shall not be unduly longer, more difficult, or time-consuming than the path to exercise a less privacy-protective option.
- Example: Consumers should be presented with all choices at the same time. Presenting an “I accept” button next to a “Learn More” button which requires Consumers to take an extra step before they are given the option of an “I do not accept” button could be considered an unnecessary restriction.
- Example: Describing the choice before Consumers and placing both the “I accept” and “I do not accept” buttons after a “select preferences” button would not be considered an unnecessary restriction.
- A Consumer’s expected interaction with a website, application, or product should not be unnecessarily interrupted or intruded upon to request Consent.
- Example: Consumers should not be interrupted multiple times in one visit to a website to Consent if they have declined the Consent choice offered when they arrived at the page.
- Example: Consumers should not be redirected away from the content or service they are attempting to interact with because they declined the Consent choice offered, unless Consent to process the requested data is strictly necessary to provide the website or application content or experience.
- Example: Consumers should not be forced to navigate through multiple pop-ups which cover or otherwise disrupt the content or service they are attempting to interact with because they declined the Consent choice offered.
- Consent choice options should not include misleading statements, omissions, affirmative misstatements, or intentionally confusing language to obtain Consent.
- Example: Choices should not be driven by a false sense of urgency. A countdown clock displayed next to a Consent choice option which states “time is running out to Consent to this data use and receive a limited discount” where the discount is not actually limited by time or availability would be considered creating a false sense of urgency.
- Example: Choices should avoid the use of double negatives when describing Consent choice options to Consumers.
- Example: Consent choice options should not be presented with confusing or unexpected syntax. “Please do not check this box if you wish to Consent to this data use” would be considered confusing syntax.
- Example: The language used for choice options should logically follow the question presented to the Consumer. Offering the options of “Yes” or “No” to the question “Do you wish to provide or decline Consent for the described purposes” would be considered an illogical choice option. The choice options “provide” and “decline” would be considered to logically follow the same question.
- The vulnerabilities or unique characteristics of the target audience of a product, service, or website should be considered when deciding how to present Consent choice options.
- Example: A website or service that primarily interacts with Consumers under the age of 18 should consider the simplicity of the language used to explain the choice options or the way in which cartoon imagery or endorsements might unduly influence their choice.
- Example: A website or service that primarily interacts with the elderly should consider font size and space between buttons to ensure readability and ease of interaction with design elements.
- User interface design and Consent choice architecture should operate in a substantially similar manner when accessed through digital accessibility tools.
- Example: If it takes two clicks for a Consumer to Consent through a website, it should take no more than two actions for a Consumer using a digital accessibility tool to complete the same Consent process.
B. In addition to the principles included in this part 4 CCR 904-3, Rule 7.09(A), Controllers may consider statutes, administrative rules, and administrative guidance concerning Dark Patterns from other jurisdictions when evaluating the appropriateness of the user interface or choice architecture used to obtain required Consent.
C. Controllers shall not use an interface design or choice architecture to obtain required Consent that has been designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making or choice, or unfairly, fraudulently, or deceptively manipulating or coercing a Consumer into providing Consent.
- The principles outlined in 4 CCR 904-3, Rule 7.09(A) and (B) are factors to be considered when determining if a consent interface design or choice architecture has been designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making or choice, or unfairly, fraudulently, or deceptively manipulating or coercing a Consumer into providing Consent.
D. Consent obtained in violation of this part 4 CCR 904-3, Rule 7.09(C) may be considered a Dark Pattern, as defined in C.R.S. § 6-1-1303(9).
E. The fact that a design or practice is commonly used is not, alone, enough to demonstrate that any particular design or practice is not a Dark Pattern.
F. Consent obtained through Dark Patterns does not constitute valid Consent in compliance with C.R.S. §§ 6-1-1303, 6-1-1306, and 6-1-1308.
Part 8 Data Protection Assessments
Rule 8.01 Authority and Purpose
A. The statutory authority for the rules in this Part 8 is C.R.S. §§ 6-1-108(1), 6-1-1309, and 6-1-1313. The purpose of the rules in this Part 8 is to provide clarity on the requirements and timing of data protection assessments.
Rule 8.02 Scope
A. A data protection assessment shall be a genuine, thoughtful analysis of each Personal Data Processing activity that presents a heightened risk of harm to a Consumer, pursuant to C.R.S. § 6-1-1309(3), that:
- Identifies and describes the risks to the rights of consumers associated with the Processing;
- Documents measures considered and taken to address and offset those risks, including those duties required by C.R.S. § 6-1-1308;
- Contemplates the benefits of the Processing; and
- Demonstrates that the benefits of the Processing outweigh the risks offset by safeguards in place.
B. If a Controller conducts a data protection assessment for the purpose of complying with another jurisdiction’s law or regulation, the assessment shall satisfy the requirements established in this section if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.
- If a data protection assessment conducted for the purpose of complying with another jurisdiction’s law or regulation is not similar in scope and effect to a data protection assessment created pursuant to this section, a Controller may submit that assessment with a supplement that contains any additional information required by this jurisdiction.
C. The depth, level of detail, and scope of data protection assessments should take into account the scope of risk presented, the size of the Controller, amount and sensitivity of Personal Data Processed, Personal Data Processing activities subject to the assessment, and complexity of safeguards applied.
D. A “comparable set of Processing operations” that can be addressed by a single data protection assessment pursuant to C.R.S. § 6-1-1309(5) is a set of similar Processing operations including similar activities that present heightened risks of similar harm to a Consumer.
- Example: The ACME Toy Store chain is considering using in-store paper forms to collect names, mailing addresses, and birthdays from Children that visit their stores, and using that information to mail a coupon and list of age-appropriate toys to each child during the Child’s birth month and every November. ACME uses the same Processors and Processing systems for each category of mailings across all stores. ACME must conduct and document a data protection assessment because it is Processing Personal Data from known Children, which is Sensitive Data. ACME can use the same data protection assessment for Processing the Personal Data for the birthday mailing and November mailing across all stores because in each case it is collecting the same categories of Personal Data in the same way for the purpose of sending coupons and age-appropriate toy lists to Children.
Rule 8.03 Stakeholder Involvement
A. A data protection assessment shall involve all relevant internal actors from across the Controller's organizational structure, and where appropriate, relevant external parties, to identify, assess, and address the data protection risks.
Rule 8.04 Data Protection Assessment Content
A. At a minimum, a data protection assessment must include the following information:
- A short summary of the Processing activity;
- The categories of Personal Data to be Processed and whether they include Sensitive Data, including Personal Data from a known Child as described in C.R.S. § 6-1-1303(24);
- The context of the Processing activity, including the relationship between the Controller and the Consumers whose Personal Data will be Processed, and the reasonable expectations of those Consumers;
- The nature and operational elements of the Processing activity. In determining the level of detail and specificity to provide pursuant to this section, the Controller shall consider the type, amount, and sensitivity of Personal Data Processed, the impacts that operational elements will have on the level of risk presented by the Processing activity, and any relevant unique relationships. Relevant operational elements may include:
- Sources of Personal Data;
- Technology or Processors to be used;
- Names or categories of Personal Data recipients, including Third Parties, Affiliates, and Processors that will have access to the Personal Data, the processing purpose for which the Personal Data will be provided to those recipients, and categorical compliance processes that the Controller uses to evaluate that type of recipient;
- Operational details about the Processing, including planned processes for Personal Data collection, use, storage, retention, and sharing;
- Specific types of Personal Data to be processed.
- The core purposes of the Processing activity, as well as other benefits of the Processing that may flow, directly and indirectly, to the Controller, Consumer, other expected stakeholders, and the public;
- The sources and nature of risks to the rights of Consumers associated with the Processing activity posed by the Processing activity. The source and nature of the risks may differ based on the processing activity and type of Personal Data processed. Risks to the rights of Consumers that a Controller may consider in a data protection assessment include, for example, risks of:
- Constitutional harms, such as speech harms or associational harms;
- Intellectual privacy harms, such as the creation of negative inferences about an individual based on what an individual reads, learns, or debates;
- Data security harms, such as unauthorized access or adversarial use;
- Discrimination harms, such as a violation of federal antidiscrimination laws or antidiscrimination laws of any state or political subdivision thereof, or unlawful disparate impact;
- Unfair, unconscionable, or deceptive treatment;
- A negative outcome or decision with respect to an individual’s eligibility for a right, privilege, or benefit related to financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services;
- Financial injury or economic harm;
- Physical injury, harassment, or threat to an individual or property;
- Privacy harms, such as physical or other intrusion upon the solitude or seclusion or the private affairs or concerns of Consumers, stigmatization or reputational injury;
- Psychological harm, including anxiety, embarrassment, fear, and other mental trauma;
- Other detrimental or negative consequences that affect an individual’s private life, private affairs, private family matters or similar concerns, including actions and communications within an individual’s home or similar physical, online, or digital location, where an individual has a reasonable expectation that Personal Data or other data will not be collected, observed, or used.
- Measures and safeguards the Controller will employ to reduce the risks identified by the Controller pursuant to 4 CCR 904-3, Rule 8.04(A)(6). Measures shall include the following, as applicable:
- The use of De-identified Data;
- Measures taken pursuant to the Controller duties in C.R.S. § 6-1-1308, including an overview of data security practices the Controller has implemented, any data security assessments that have been completed pursuant to C.R.S. § 6-1-1308(5), and any measures taken to comply with the consent requirements of 4 CCR 904-3, Rule 7;
- Measures taken to ensure that Consumers have access to the rights provided in C.R.S. § 6-1-1306;
- Contractual agreements in place to ensure that Personal Data in the possession of a Processor or other Third Party remains secure; or
- Any other practices, policies, or trainings intended to mitigate Processing risks.
- A description of how the benefits of the Processing outweigh the risks identified pursuant to 4 CCR 904-3, Rule 8.04(A)(6), as mitigated by the safeguards identified pursuant to 4 CCR 904-3, Rule 8.04(A)(7).
- If a Controller is Processing Personal Data for Profiling as contemplated in C.R.S. § 6-1-1309(2)(a), a data protection assessment of that Processing activity must also comply with 4 CCR 904-3, Rule 9.06;
- If a Controller is Processing Sensitive Data pursuant to the exception in section 4 CCR 904-3, Rule 6.10, the details of the process implemented to ensure that Personal Data and Sensitive Data Inferences are not transferred and are deleted within twenty-four (24) hours of the Personal Data Processing activity;
- Relevant internal actors and external parties contributing to the data protection assessment;
- Any internal or external audit conducted in relation to the data protection assessment, including the name of the auditor, the names and positions of individuals involved in the review process, and the details of the audit process; and
- Dates the data protection assessment was reviewed and approved, and names, positions, and signatures of the individuals responsible for the review and approval.
Rule 8.05 Timing
A. A Controller shall conduct and document a data protection assessment before initiating a Processing activity that Presents a Heightened Risk of Harm to a Consumer, as defined at C.R.S. § 6-1-1309(2).
B. A Controller shall review and update the data protection assessment as often as appropriate considering the type, amount, and sensitivity of Personal Data Processed and level of risk presented by the Processing, throughout the Processing activity’s lifecycle in order to:
- Monitor for harm caused by the Processing and adjust safeguards accordingly; and
- Ensure that data protection and privacy are considered as the Controller makes new decisions with respect to the Processing.
C. Data protection assessments containing Processing for Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer shall be reviewed and updated at least annually, and include an updated evaluation for fairness and disparate impact and the results of any such evaluation.
D. A new data Processing activity is generated when existing Processing activities are modified in a way that materially changes the level of risk presented. When a new data Processing activity is generated, a data protection assessment must reflect changes to the pre-existing activity and additional considerations and safeguards to offset the new risk level.
- Modifications that may materially change the level of risk of a Processing activity may include, without limitation, changes to any of the following:
- The way that existing systems or Processes handle Personal Data;
- Processing purpose;
- Personal data Processed or sources of Personal Data;
- Method of collection of Personal Data;
- Personal Data recipients;
- Processor roles or Processors;
- Algorithm applied or algorithmic result; or
- Software or other systems used for Processing.
E. Data protection assessments, including prior versions which have been revised when a new data Processing activity is generated, shall be stored for as long as the Processing activity continues, and for at least three (3) years after the conclusion of the Processing activity. Data protection assessments shall be held in an electronic, transferable form.
F. Data protection assessments shall be required for activities created or generated after July 1, 2023. This requirement is not retroactive.
Rule 8.06 Attorney General Requests
A. A Controller shall make the data protection assessment available to the Attorney General within thirty (30) days of the Attorney General’s request.
Part 9 Profiling
Rule 9.01 Authority and Purpose
A. The statutory authority for the rules in this Part 9 is C.R.S. §§ 6-1-108(1), 6-1-1302(1)(c)(II)(B), 6-1-1303, 6-1-1306, 6-1-1309, and 6-1-1313. The purpose of the rules in this Part 9 is to provide clarity on the duties and rights related to Profiling.
Rule 9.02 Scope
A. Controllers have an affirmative obligation to provide clear, understandable, and transparent information to Consumers about how their Personal Data is used, including for Profiling, pursuant to C.R.S. § 6-1-1302(1)(c)(II)(B).
B. Consumers have the right to opt out of Profiling as defined in C.R.S. § 6-1-1303(20) and 4 CCR 904-3, Rule 2.02 when the Profiling is done in furtherance of a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services, pursuant to C.R.S. §§ 6-1-1306(1)(a)(I).
C. Controllers must conduct and document a data protection assessment compliant with C.R.S. § 6-1-1309 and Parts 8 and 9 of these rules before Processing Personal Data for Profiling that presents specific, reasonably foreseeable risks contemplated in C.R.S. § 6-1-1309(2)(a).
Rule 9.03 Profiling Opt-Out Transparency
A. To ensure that Consumers understand how their Personal Data is used for Profiling in furtherance of Decisions that Produce Legal or Other Similarly Significant Effects Concerning a Consumer, Controllers that Process Personal Data for Profiling for a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services and subject to C.R.S. § 6-1-1306(1)(a)(I) shall provide clear, understandable, and transparent information to Consumers in the required privacy notice, including at a minimum:
- What decision(s) is (are) subject to Profiling;
- The categories of Personal Data that were or will be Processed as part of the Profiling in Furtherance of Decisions that Produce Legal or Other Similarly Significant Effects;
- A non-technical, plain language explanation of the logic used in the Profiling process;
- A non-technical, plain language explanation of how Profiling is used in the decision-making process, including the role of human involvement, if any;
- If the system has been evaluated for accuracy, fairness, or bias, including the impact of the use of Sensitive Data, and the outcome of any such evaluation;
- The benefits and potential consequences of the decision based on the Profiling; and
- Information about how a Consumer may exercise the right to opt out of the Processing of Personal Data concerning the Consumer for Profiling in Furtherance of Decisions that Produce Legal or Other Similarly Significant Effects.
B. Notwithstanding the requirements in 4 CCR 904-3, Rule 9.03(A), nothing in 4 CCR 904-3, Rule 9.03 shall be construed as requiring the Controller to provide information to a Consumer in a manner that would disclose the Controller’s trade secrets.
Rule 9.04 Opting Out of Profiling in Furtherance of Decisions That Produce Legal or Similarly Significant Effects Concerning a Consumer
A. Consumers have the right to opt out of Profiling in furtherance of Decisions that Produce Legal or other Similarly Significant Effects Concerning a Consumer through the method specified by the Controller in the required privacy notice, pursuant to C.R.S. § 6-1-1306(1)(a) and 4 CCR 904-3, Rule 4.03.
B. Requests to opt out of Profiling in furtherance of Decisions that Produce Legal or other Similarly Significant Effects Concerning a Consumer based on Solely Automated Processing or Human Reviewed Automated Processing shall be honored pursuant to C.R.S. § 6-1-1306(2).
C. A Controller may decide not to take action on a request to opt out of Profiling in furtherance of Decisions that Produce Legal or other Similarly Significant Effects Concerning a Consumer if the Profiling used is based on Human Involved Automated Processing. If a Controller does not take action based on this reason, the Controller shall inform the Consumer pursuant to C.R.S. § 6-1-1306(2)(b) and include the following information, or share a link to such information if it is included in the Controller’s privacy notice:
- The decision subject to the Profiling;
- The categories of Personal Data that were or will be used as part of the Profiling used in Furtherance of Decisions that Produce Legal or Other Similarly Significant Effects;
- A non-technical, plain language explanation of the logic used in the Profiling process;
- A non-technical, plain language explanation of the role of meaningful human involvement in Profiling and the decision-making process;
- How Profiling is used in the decision-making process;
- The benefits and potential consequences of the decision based on the Profiling; and
- An explanation of how Consumers can correct or delete the Personal Data used in the Profiling used in the decision-making process.
D. In order to ensure that Consumers have an opportunity to exercise their right to opt out of Profiling in furtherance of Decisions that Produce Legal or Other Similarly Significant Effects Concerning a Consumer, Controllers that Process Personal Data for Profiling covered by C.R.S. §§ 6-1-1303(10) and 6-1-1306(1)(a)(I) shall provide a method to exercise the right to opt out of Profiling in furtherance of Decisions that Produce Legal or Other Similarly Significant Effects Concerning a Consumer clearly and conspicuously at or before the time such Processing occurs.
E. Notwithstanding the requirements in 4 CCR 904-3, Rule 9.04(C), nothing in 4 CCR 904-3, Rule 9.04 shall be construed as requiring the Controller to provide information to a Consumer in a manner that would disclose the Controller’s trade secrets.
Rule 9.05 Consent for Profiling in Furtherance of Decisions That Produce Legal or Similarly Significant Effects Concerning a Consumer
A. When a Consumer has opted out of Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer as defined by C.R.S. § 6-1-1303(10), the Controller may request that a Consumer provide Consent after opting out subject to 4 CCR 904-3, Rule 7.05.
B. If a Controller decides to begin Processing Personal Data for Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer and such Processing is not reasonably necessary to or compatible with the original specified purposes for which the Personal Data was Processed, the Controller shall request the Consumer provide Consent prior to such Processing, subject to C.R.S. § 6-1-1308(4) and Part 7 of these rules.
C. Any request for Consent to Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer must include meaningful information about the Profiling that allows a Consumer to make an informed, freely given, and specific choice, including, at a minimum:
- The decision subject to the Profiling;
- The categories of Personal Data used in the Profiling;
- A non-technical, plain language explanation of the logic used in the Profiling, or a link to such information if it is included in the Controller’s privacy notice;
- How Profiling is used in the decision-making process, including the role of human involvement, if any;
- Why the Profiling is relevant to the decision-making process;
- Potential benefits and consequences of the decision based on the Profiling; and
- Any applicable links to where Consumers can find any additional information about the Profiling and decision-making process and their associated rights.
D. Notwithstanding the requirements in 4 CCR 904-3, Rule 9.05(C), nothing in 4 CCR 904-3, Rule 9.05 shall be construed as requiring the Controller to provide information to a Consumer in a manner that would disclose the Controller’s trade secrets.
Rule 9.06 Data Protection Assessments for Profiling
A. Controllers must conduct and document a data protection assessment compliant with C.R.S. § 6-1-1309 and 4 CCR 904-3, Part 8 before Processing Personal Data for Profiling if the Profiling presents a reasonably foreseeable risk of:
- Unfair or deceptive treatment of, or unlawful disparate impact on Consumers;
- Financial or physical injury to Consumers;
- A physical or other intrusion upon the solitude or seclusion, or private affairs or concerns, of Consumers if the intrusion would be offensive to a reasonable person; or
- Other substantial injury to Consumers.
B. Profiling under C.R.S. § 6-1-1309(2)(a) and covered by required data protection assessment obligations includes Profiling using Solely Automated Processing, Human Reviewed Automated Processing, and Human Involved Automated Processing.
C. “Unfair or deceptive treatment” as used in C.R.S. § 6-1-1309 and 4 CCR 904-3, Rule 9.06 includes conduct or activity which violates state or federal laws that prohibit unfair and deceptive commercial practices.
D. “Unlawful disparate impact” as used in C.R.S. § 6-1-1309 and 4 CCR 904-3, Rule 9.06 includes conduct or activity which violates state or federal laws that prohibit unlawful discrimination against Consumers.
E. Controllers should consider both the type and degree of potential harm to Consumers when determining if Profiling presents a reasonably foreseeable risk of “other substantial injury” to Consumers as used in C.R.S. § 6-1-1309 and 4 CCR 904-3, Rule 9.06(A). For example, a small harm to a large number of Consumers may constitute “other substantial injury.”
F. If a Controller is Processing Personal Data for Profiling under C.R.S. § 6-1-1309(2)(a), a data protection assessment of that Processing activity must include the elements listed at 4 CCR 904-3, Rule 8.04 as well as each of the following as applicable to the assessed reasonably foreseeable risk:
- The specific types of Personal Data that were or will be used in the Profiling or decision-making process;
- The decision to be made using Profiling;
- The benefits of automated processing over manual processing for the stated purpose;
- A plain language explanation of why the Profiling directly and reasonably relates to the Controller’s goods and services;
- An explanation of the training data and logic used to create the Profiling system, including any statistics used in the analysis, either created by the Controller or provided by a Third Party which created the applicable Profiling system or software;
- If the Profiling is conducted by Third Party software purchased by the Controller, the name of the software and copies of any internal or external evaluations sufficient to show the accuracy and reliability of the software where relevant to the risks described in C.R.S. § 6-1-1309(2)(a)(I)-(IV);
- A plain language description of the outputs secured from the Profiling process;
- A plain language description of how the outputs from the Profiling process are or will be used, including whether and how they are used to make a decision to provide or deny or substantially contribute to the provision or denial of financial or lending services, housing, insurance, education, enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services;
- If there is human involvement in the Profiling process, the degree and details of any human involvement;
- How the Profiling system is evaluated for fairness and disparate impact, and the results of any such evaluation;
- Safeguards used to reduce the risk of harms identified; and
- Safeguards for any data sets produced by or derived from the Profiling.
G. If a Controller conducts a data protection assessment which includes an assessment of relevant Profiling for the purpose of complying with another jurisdiction’s law or regulation, the assessment shall satisfy the requirements established in this section if such data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section. A Controller may also submit an assessment with a supplement that contains any additional information required by this regulation.
PART 10 ENFORCEMENT
Rule 10.01 AUTHORITY AND PURPOSE
A. The statutory authority for the rules in this Part 10 is C.R.S. §§ 6-1-1310 and 6-1-1311. The purpose of the rules in this Part 10 is to clarify enforcement considerations related to the Colorado Privacy Act, C.R.S. § 6-1-1303, et seq., and these Colorado Privacy Act Rules, 4 CCR 904-3.
Rule 10.02 ENFORCEMENT CONSIDERATIONS
A. Nothing in the Colorado Privacy Act, C.R.S. § 6-1-1303, et seq., or these Colorado Privacy Act Rules, 4 CCR 904-3, provides the Colorado Attorney General or District Attorney, as applicable, with enforcement powers that would infringe upon rights protected by the United States Constitution or Colorado Constitution, including the right to freedom of speech or freedom of the press.
PART 11 MATERIALS INCORPORATED BY REFERENCE
Rule 11.01 AUTHORITY AND PURPOSE
A. The statutory authority for the rules in this Part 11 is C.R.S. §§ 6-1-108(1) and 6-1-1313. The purpose of the rules in this Part 11 is to incorporate by reference the guidelines that are referred to in 4 CCR 904-3, Rule 3.02(A)(2).
Rule 11.02 WEB CONTENT ACCESSIBILITY GUIDELINES
A. The Web Content Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, are hereby incorporated into 4 CCR 904-3, Rule 3.02(A)(2) by reference pursuant to C.R.S. § 24-4-103(12.5), and do not include any later amendments.
B. Copies of the Web Content Accessibility Guidelines that are incorporated by reference into these rules may be obtained by sending a written request to the following address by U.S. mail:
Colorado Department of Law
Ralph L. Carr Judicial Center
1300 Broadway, 9th Floor
Denver, CO 80203
C. The Web Content Accessibility Guidelines published by the World Wide Web Consortium incorporated by reference into these rules are available at no cost in an electronic form online at https://www.w3.org/TR/WCAG21.
D. The Colorado Department of Law also maintains a copy of the Web Content Accessibility Guidelines that are incorporated by reference into these rules that is available for public inspection at the Colorado Department of Law’s office during regular business hours.