Statutes, codes, and regulations
Colorado Administrative Code
Department 900 - Department of LawDivision 904 - Attorney General-Consumer Protection SectionRule 4 CCR 904-3 - Colorado Privacy Act Rules
Part 4 CCR 904-3-6 - DUTIES OF CONTROLLERS
Section 4 CCR 904-3-6.03 - PRIVACY NOTICE CONTENT

4 Colo. Code Regs. § 904-3-6.03

Download
PDF
Current through Register Vol. 47, No. 20, October 25, 2024
Section 4 CCR 904-3-6.03 - PRIVACY NOTICE CONTENT
A. A privacy notice must include the following information:
1. A comprehensive description of the Controller's online and offline Personal Data Processing practices, including but not limited to the following, linked in a way that gives Consumers a meaningful understanding of how each category of their Personal Data will be used when they provide that Personal Data to the Controller for a specified purpose:
a. The categories of Personal Data Processed, including, but not limited to, whether Personal Data of a Child or other Sensitive Data is Processed.
i. Categories shall be described in a level of detail that provides Consumers a meaningful understanding of the type of Personal Data Processed. For example, categories of Personal Data described at a sufficiently granular level of detail include, but are not limited to: "contact information," "government issued identification numbers," "payment information", "Information from Cookies," "data revealing religious affiliation," and "medical data."
b. The Processing purpose described in a level of detail that gives Consumers a meaningful understanding of how each category of their Personal Data is used when provided for that Processing purpose.
c. Whether the Personal Data provided for a specific purpose will be sold or used for Targeted Advertising or Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer.
d. Categories of Personal Data that the Controller Sells to or shares with Third Parties, if any.
e. Categories of Third Parties to whom the Controller sells, or with whom the Controller shares Personal Data, if any. Categories of Third Parties must be described in a level of detail that gives Consumers a meaningful understanding of the type of, business model of, or processing conducted by the Third Party.
i. For example, categories of Third Parties described in a sufficiently granular level of detail include, but are not limited to: "analytics companies," "data brokers," "third-party advertisers," "payment processors," "lenders," "other merchants," and "government agencies."
2. If a Controller's Processing activity involves the Processing of Personal Data for the purpose of Profiling in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer, all disclosures required by 4 CCR 904-3, Rule 9.03.
3. A list of the Data Rights available.
4. A description of the methods through which a Consumer may submit requests to exercise Data Rights, as required by C.R.S. § 6-1-1306(1) and 4 CCR 904-3, Rule 4.02, including:
a. Instructions on how to use each method.
b. Instructions on how an Authorized Agent may submit a request to opt out of the Processing of Consumer Personal Data on a Consumer's behalf pursuant to C.R.S. § 6-1-1306(1)(a)(II).
c. A clear and conspicuous method to exercise the right to opt out of the Processing of Personal Data concerning the Consumer pursuant to C.R.S. § 6-1-1306(1)(a)(I) and (1)(a)(III), or links to any online method, such as a webform or portal, consistent with 4 CCR 904-3, Rule 4.03.
d. A description of the commercially reasonable process the Controller uses to Authenticate the identity of a Consumer exercising a Data Right request or to Authenticate the authority of an Authorized Agent exercising the right to opt out on a Consumer's behalf.
e. Effective July 1, 2024, an explanation of how requests to opt out using Universal Opt-Out Mechanisms will be processed.
5. If a Controller will delete Sensitive Data Inferences within twenty-four (24) hours pursuant to 4 CCR 904-3, Rule 6.10 , a description of the Sensitive Data Inferences subject to this provision and the retention and deletion timeline for such Sensitive Data Inferences.
6. A Controller's contact information.
7. Instructions on how a Consumer may appeal a Controller's action in response to the Consumer's request, as contemplated by C.R.S. § 6-1-1306(3).
8. The date the privacy notice was last updated.

4 CCR 904-3-6.03

46 CR 06, March 25, 2023, effective 7/1/2023