Statutes, codes, and regulations
Colorado Administrative Code
Department 900 - Department of LawDivision 904 - Attorney General-Consumer Protection SectionRule 4 CCR 904-3 - Colorado Privacy Act Rules
Part 4 CCR 904-3-6 - DUTIES OF CONTROLLERS
Section 4 CCR 904-3-6.02 - PRIVACY NOTICE PRINCIPLES

4 Colo. Code Regs. § 904-3-6.02

Download
PDF
Current through Register Vol. 47, No. 20, October 25, 2024
Section 4 CCR 904-3-6.02 - PRIVACY NOTICE PRINCIPLES
A. A privacy notice shall provide Consumers with a meaningful understanding and accurate expectations of how their Personal Data will be Processed. It shall also inform Consumers about their rights under the Colorado Privacy Act and provide any information necessary for Consumers to exercise those rights.
B. A Controller is not required to provide a separate Colorado-specific privacy notice or section of a privacy notice as long as the Controller's privacy notice meets all requirements of this section and makes clear that Colorado Consumers are entitled to the rights provided by C.R.S. § 6-1-1306.
C. A privacy notice shall comply with all requirements for disclosures and communications to Consumers provided in 4 CCR 904-3, Rule 3.02.
D. A privacy notice must be clear. Information contained in a privacy notice shall be:
1. Concrete and definitive, avoiding abstract or ambivalent terms that may lead to varying interpretations.
2. Clearly labeled, such that Consumers seeking to understand a Controller's Processing activities or how to exercise their Data Rights can easily access the section of the privacy notice containing relevant information.
E. A privacy notice must be easily accessible. A privacy notice must be:
1. Posted online through a conspicuous link using the word "privacy" on the Controller's website homepage or on a mobile application's app store page or download page. A Controller that maintains an application on a mobile or other device shall also include a link to the privacy notice in the application's settings menu.
a. A Controller that does not operate a website shall make the privacy notice conspicuously available to Consumers through a medium regularly used by the Controller to interact with Consumers. For instance, if a Controller interacts with a Consumer offline, an offline version of the privacy notice must be available to the Consumer.
F. A privacy notice must be specific. The level of specificity in a privacy notice should enable a Consumer to understand, in advance or at the time of the Processing, the scope of the Controller's Processing operations, such that a Consumer should not be taken by surprise at a later point about Personal Data that has been collected and the ways in which Personal Data has been Processed.

4 CCR 904-3-6.02

46 CR 06, March 25, 2023, effective 7/1/2023