Statutes, codes, and regulations
Colorado Administrative Code
Department 900 - Department of LawDivision 904 - Attorney General-Consumer Protection SectionRule 4 CCR 904-3 - Colorado Privacy Act Rules
Part 4 CCR 904-3-4 - CONSUMER PERSONAL DATA RIGHTS
Section 4 CCR 904-3-4.05 - RIGHT TO CORRECTION

4 Colo. Code Regs. § 904-3-4.05

Download
PDF
Current through Register Vol. 47, No. 16, August 25, 2024
Section 4 CCR 904-3-4.05 - RIGHT TO CORRECTION
A. Consumers have the right to correct inaccuracies in their Personal Data subject to C.R.S. § 6-1-1306(c).
B. A Controller shall comply with a Consumer's correction request by correcting the Consumer's Personal Data in its existing systems, except archive or backup systems. The Controller shall also use agreed upon technical, organizational, or other measures or processes to instruct its Processors, pursuant to C.R.S. § 6-1-1305(2)(a), to make the necessary corrections in their respective systems.
C. If a Controller or Processor stores any Personal Data on archived or backup systems, it may delay compliance with the Consumer's correction request with respect to an archived or backup system until that system is restored to an active system or is next accessed or used.
D. If a Consumer submits a request to exercise their right to correct Personal Data and the requested correction to that Personal Data could be made by the Consumer through the Consumer's account settings, a Controller may respond to the Consumer's request by providing instructions on how the Consumer may correct the Personal Data so long as:
1. The correction process is not unduly burdensome to the Consumer;
2. The instructions meet all requirements of 4 CCR 904-3, Rule 3.02;
3. The Controller's response is compliant with the timing requirements set forth in C.R.S. § 6-1-1306(2)(a); and
4. The process described in the instructions enable the Consumer to make the specific requested correction.
E. A Controller may require the Consumer to provide documentation if necessary to determine whether the Personal Data, or the Consumer's requested correction to the Personal Data, is accurate.
1. When requesting documentation, the Controller must provide the Consumer with a meaningful understanding of why the documentation is necessary.
2. Any documentation provided by the Consumer in connection with the Consumer's right to correction shall only be Processed by the Controller in considering the accuracy of the Consumer's Personal Data.
3. The Controller shall implement and maintain reasonable data security measures, consistent with 4 CCR 904-3, Rule 6.09 , in Processing any documentation relating to the Consumer's correction request.
4. If the Controller did not receive the Personal Data directly from the Consumer and has no documentation to support the accuracy of the Personal Data, the Consumer's assertion of inaccuracy shall be sufficient to establish that the Personal Data is inaccurate.
5. A Controller, having exhausted the steps above may decide not to act upon a Consumer's correction request if the Controller determines that the contested Personal Data is more likely than not accurate.
a. If a Controller denies a Consumer's correction request based on the Controller's determination that the contested Personal Data is more likely than not accurate, the Controller must describe in documentation required by 4 CCR 904-3, Rule 6.11 , the Consumer's requested correction to the Personal Data, any documentation requested from and provided by the Consumer in support of the correction request, and the reason for the Controller's determination that the Consumer's documentation was not sufficient to support the Consumer's position.

4 CCR 904-3-4.05

46 CR 06, March 25, 2023, effective 7/1/2023