4 Colo. Code Regs. § 904-3-5.05

Current through Register Vol. 47, No. 20, October 25, 2024
Section 4 CCR 904-3-5.05 - PERSONAL DATA USE LIMITATIONS
A. A platform, developer, or provider providing a Universal Opt-Out Mechanism shall not use, disclose, or retain any Personal Data collected from the Consumer in connection with the Consumer's utilization of the mechanism for any purpose other than sending or processing the opt-out preference. For example, the fact that a particular device sends a Universal Opt-Out Mechanism may not be used as part of a digital fingerprint to later identify that device.
B. When processing a Universal Opt-Out Mechanism, a Controller may not require the collection of additional Personal Data beyond that which is strictly necessary to authenticate a Consumer is a resident of Colorado determine that the mechanism represents a legitimate request to opt out of the Processing of Personal Data as permitted by C.R.S. § 6-1-1306(1)(a)(IV), or comply with the authentication mandates of the law of another jurisdiction specifically regarding universal opt-out mechanisms or signals.
1. Example: The law of a state other than Colorado obligates Controllers to gather specific pieces of information from a user before the Controller honors the use of a Universal Opt-Out Mechanism by that user. This additional information may be gathered while processing a Universal Opt-Out Mechanism, even if is not otherwise "strictly necessary to authenticate a Consumer is a resident of Colorado or determine that the mechanism represents a legitimate request".
C. Notwithstanding 4 CCR 904-3, Rule 5.05 , a Controller may provide the Consumer with an option to provide additional Personal Data only if it will extend the recognition of the Consumer's use of the Universal Opt-Out Mechanism across platforms, devices, or offline. For example, a Controller may give the Consumer the option to provide their phone number or email address so that the Universal Opt-Out Mechanism or signal can apply to offline Sale of Personal Data or link the Consumer's opt-out choice across devices. Any information provided by the Consumer for this purpose shall not be used, disclosed, or retained for any purpose other than processing the opt-out request.
D. The Controller shall implement and maintain reasonable data security measures, consistent with 4 CCR 904-3, Rule 6.09 , in Processing any Personal Data relating to the Consumer's use of a Universal Opt-Out Mechanism.

4 CCR 904-3-5.05

46 CR 06, March 25, 2023, effective 7/1/2023