4 Colo. Code Regs. § 904-3-2.02

Current through Register Vol. 47, No. 16, August 25, 2024
Section 4 CCR 904-3-2.02 - DEFINED TERMS

The following definitions of terms, in addition to those set forth in C.R.S. § 6-1-1303, apply to these Colorado Privacy Act Rules, 4 CCR 904-3, promulgated pursuant to the Colorado Privacy Act, unless the context requires otherwise:

"Authorized Agent" as referred to in C.R.S. § 6-1-1306(1)(a)(II) means a person or entity authorized by the Consumer to act on the Consumer's behalf.

"Biometric Data" as referred to in C.R.S. § 6-1-1303(24)(b) means Biometric Identifiers that are used or intended to be used, singly or in combination with each other or with other Personal Data, for identification purposes. Unless such data is used for identification purposes, "Biometric Data" does not include (a) a digital or physical photograph, (b) an audio or voice recording, or (c) any data generated from a digital or physical photograph or an audio or video recording.

"Biometric Identifiers" means data generated by the technological processing, measurement, or analysis of an individual's biological, physical, or behavioral characteristics that can be Processed for the purpose of uniquely identifying an individual, including but not limited to a fingerprint, a voiceprint, scans or records of eye retinas or irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics.

"Bona Fide Loyalty Program" as referred to in C.R.S. § 1-6-1308(1)(d) is defined as a loyalty, rewards, premium feature, discount, or club card program established for the genuine purpose of providing Bona Fide Loyalty Program Benefits to Consumers that voluntarily participate in that program, such that the primary purpose of Processing Personal Data through the program is solely to provide Bona Fide Loyalty Program Benefits to participating Consumers.

"Bona Fide Loyalty Program Benefit" is defined as an offer of superior price, rate, level, quality, or selection of goods or services provided to a Consumer through a Bona Fide Loyalty Program. Such benefits may be provided directly by a Controller or through a Bona Fide Loyalty Program Partner.

"Bona Fide Loyalty Program Partner" is defined as a Third Party that provides Bona Fide Loyalty Program Benefits to Consumers through a Controller's Bona Fide Loyalty Program, either alone or in partnership with the Controller.

"Commercial product or service" as referred to in C.R.S. § 6-1-1304(1)(a) means a product or service bought, sold, leased, joined, provided, subscribed to, or delivered in exchange for monetary or other valuable consideration in the course of a Controller's business, vocation, or occupation.

"Controller" is defined as set forth in C.R.S. § 6-1-1303(7), and means a person that, alone or jointly with others, determines the purposes for and means of Processing Personal Data.

"Data Broker" is defined as a Controller that knowingly collects and sells to Third Parties the Personal Data of a Consumer with whom the Controller does not have a direct relationship.

"Data Right" or "Data Rights" means the Consumer Personal Data rights granted in C.R.S. § 6-1-1306(1).

"Disability" or "Disabilities" has the same meaning as set forth in C.R.S. § 24-85-102 (2.3).

"Employee" means any person, acting as a job applicant to, or performing labor or services for the benefit of an Employer, including contingent and temporary workers and migratory laborers.

"Employer" means every person, entity, firm, partnership, association, corporation, migratory field labor contractor or crew leader, receiver, or other officer of court, and any agent or officer thereof, of the above-mentioned classes, employing any person.

"Employment Records" as referred to in C.R.S. § 6-1-1304(2)(k) means the records of an Employee, maintained by the Employer in the context of the Employer-Employee relationship having to do with hiring, promotion, demotion, transfer, lay-off or termination, rates of pay or other terms of compensation, as well as other information maintained because of the Employer-Employee relationship.

"Human Involved Automated Processing" means the automated processing of Personal Data where a human (1) engages in a meaningful consideration of available data used in the Processing or any output of the Processing and (2) has the authority to change or influence the outcome of the Processing.

"Human Reviewed Automated Processing" means the automated processing of Personal Data where a human reviews the automated processing, but the level of human engagement does not rise to the level required for Human Involved Automated Processing. Reviewing the output of the automated processing with no meaningful consideration does not rise to the level of Human Involved Automated Processing.

"Information that a Controller has a reasonable basis to believe the Consumer has lawfully made available to the general public" as referred to in C.R.S. § 6-1-1303(17)(b) means information that a Consumer has intentionally made available to the general public or information that a Consumer has made available under federal or state law, which may include but is not limited to:

1. Personal Data found in a telephone book, a television or radio program, or a national or local news publication;
2. Personal Data that has been intentionally made available by the Consumer through a website or online service where the Consumer has not restricted the information to a specific audience;
3. A visual observation of an individual's physical presence in a public place by another person, not including data collected by a device in the individual's possession; and
4. A disclosure that has been made to the general public as required by federal, state, or local law.

"Intimate Image" means any visual depiction, photograph, film, video, recording, picture, or computer or computer-generated image or picture, whether made or produced by electronic, mechanical, or other means, that depicts an identified or identifiable person's private parts, or a person engaged in a private act, in circumstances in which a reasonable person would reasonably expect to be afforded privacy.

"Noncommercial Purpose" as referred to in C.R.S. § 6-1-1304(2)(o) includes, but is not limited to, the following activities when conducted by:

(a) a state institution of higher education, as defined in C.R.S. § 23-18-102(10), the state, the judicial department of the state, or a county, city and county, or municipality; or
(b) a Processor acting on behalf of one or more of the foregoing:
1. Processing activities related to the delivery of services and benefits;
2. Research purposes;
3. Budgeting;
4. Improving operations or the delivery of services or benefits;
5. Auditing operations or service or benefit delivery;
6. Sharing Personal Data between these categories of entities for any of these purposes; or
7. Any other purpose related to speech that state or federal courts have recognized as noncommercial speech, including political speech and journalism.

"Opt-Out Purpose" or "Opt-Out Purposes" means the categories of Personal Data Processing from which the Consumer may opt out pursuant to C.R.S. § 6-1-1306(1)(a).

"Personal Data" is defined as set forth in C.R.S. § 6-1-1303(17), and (a) means information that is linked or reasonably linkable to an identified or identifiable individual; and (b) does not include de-identified data or Publicly Available Information as used in (17)(b).

"Process" or "Processing" is defined as set forth in C.R.S. § 6-1-1303(18), and means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of Personal Data and includes the actions of a Controller directing a Processor to Process Personal Data.

"Processor" is defined as set forth in C.R.S. § 6-1-1303(19), and means a person that Processes Personal Data on behalf of a Controller.

"Profiling" is defined as set forth in C.R.S. § 6-1-1303(20), and means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

"Publicly Available Information" is defined as set forth in C.R.S. § 6-1-1303(17), and does not include:

1. Any Personal Data obtained or processed in violation of C.R.S. §§ 18-7-107 or 18-7-801;
2. Biometric Data;
3. Genetic Information; or
4. Nonconsensual Intimate Images known to the Controller.

"Revealing" as referred to in C.R.S. § 6-1-1303(24)(a) includes Sensitive Data Inferences. For example:

1. While precise geolocation information at a high level may not be considered Sensitive Data, precise geolocation data which is used to infer an individual visited a mosque and is used to infer that individual's religious beliefs is considered Sensitive Data under C.R.S. § 6-1-1303(24)(a). Similarly, precise geolocation data which is used to infer an individual visited a reproductive health clinic and is used to infer an individual's health condition or sex life is considered Sensitive Data under C.R.S. § 6-1-1303(24)(a).
2. While web browsing data at a high level may not be considered Sensitive Data, web browsing data which, alone or in combination with other Personal Data, infers an individual's sexual orientation is considered Sensitive Data under C.R.S. § 6-1-1303(24)(a).

"Sensitive Data Inference" or "Sensitive Data Inferences" means inferences made by a Controller based on Personal Data, alone or in combination with other data, which are used to indicate an individual's racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.

"Solely Automated Processing" means the automated processing of Personal Data with no human review, oversight, involvement, or intervention.

"Universal Opt-Out Mechanism" or "Universal Opt-Out Mechanisms" means mechanisms that clearly communicate a Consumer's affirmative, freely given, and unambiguous choice to opt out of the Processing of Personal Data for purposes of Targeted Advertising or the Sale of Personal Data pursuant to C.R.S. § 6-1-1306(1)(a)(I)(A) or (1)(a)(I)(B), which meets the technical specifications set forth in 4 CCR 904-3, Rule 5.06 pursuant to C.R.S. § 6-1-1313(2).

46 CR 06, March 25, 2023, effective 7/1/2023