Current through Register Vol. 47, No. 20, October 25, 2024
Section 4 CCR 904-3-6.06 - PURPOSE SPECIFICATIONA. Controllers shall specify the express purposes for which each category of Personal Data is collected and Processed in both external disclosures to Consumers, including privacy notices required by C.R.S. § 6-1-1308(1), as well as in any internal documentation required by this Part 6.B. The express purpose must be described in a level of detail that gives Consumers a meaningful understanding of how each category of their Personal Data is used when provided for that Processing purpose.C. If Personal Data is collected and Processed for more than one purpose, Controllers should specify each unrelated purpose with enough detail to allow Consumers to understand each individual, unrelated purpose.1. Controllers should not identify one broad purpose to justify numerous Processing activities that are only remotely related.2. Controllers should not specify one broad purpose to cover potential future Processing activities that are only remotely related.3. Controllers should not specify so many purposes for which Personal Data could potentially be processed to cover potential future processing activities that the purpose becomes unclear or uninformative.D. If the Processing purpose has evolved beyond the original express purpose such that it becomes a distinct purpose that is no longer reasonably necessary to or compatible with the original express purpose, the Controller must review and update all related disclosures and documentation as necessary.46 CR 06, March 25, 2023, effective 7/1/2023