Statutes, codes, and regulations
Colorado Administrative Code
Department 900 - Department of LawDivision 904 - Attorney General-Consumer Protection SectionRule 4 CCR 904-3 - Colorado Privacy Act Rules
Part 4 CCR 904-3-4 - CONSUMER PERSONAL DATA RIGHTS
Section 4 CCR 904-3-4.06 - RIGHT TO DELETION

4 Colo. Code Regs. § 904-3-4.06

Download
PDF
Current through Register Vol. 47, No. 16, August 25, 2024
Section 4 CCR 904-3-4.06 - RIGHT TO DELETION
A. A Controller shall comply with a Consumer's deletion request by:
1. Permanently and completely erasing the Personal Data from its existing systems, except archive or backup systems, or de-identifying the Personal Data such that it cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, in accordance with C.R.S. § 6-1-1303(11); and
2. Using agreed upon technical, organizational, or other measures, or processes to instruct its Processors pursuant to C.R.S. § 6-1-1305(2)(b) to delete the Consumer's Personal Data held by the Processors.
B. Notwithstanding 4 CCR 904-3, Rule 4.06 , a Controller may maintain records of a Consumer's deletion request consistent with 4 CCR 904-3, Rule 6.11 and as needed to effectuate the deletion request.
C. If a Controller or Processor stores any Personal Data on archived or backup systems, it may delay compliance with the Consumer's deletion request with respect to an archived or backup system until that system is restored to an active system or is next accessed or used.
D. A Controller that has obtained Personal Data about a Consumer from a source other than the Consumer shall comply with a Consumer's deletion request with respect to that Personal Data pursuant to C.R.S. § 6-1-1306(d) by (i) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the Consumer's Personal Data remains deleted from the Consumer's records and not using such retained data for any other purpose, or (ii) opting the Consumer out of the Processing of such Personal Data for any purpose except for those exempted pursuant to the provisions of C.R.S. § 6-1-1304.
E. If a Controller complies with a deletion request by opting the Consumer out of Processing under 4.06(D) or does not opt the Consumer out of some Processing of Personal Data because the Processing purpose is exempted pursuant to the provisions of C.R.S. § 6-1-1304, the Controller shall provide the Consumer with the categories of Personal Data that were not deleted along with any applicable exception. The Controller shall not use the Consumer's Personal Data retained for any other purpose than provided for by the applicable exception.

4 CCR 904-3-4.06

46 CR 06, March 25, 2023, effective 7/1/2023