Statutes, codes, and regulations
Colorado Administrative Code
Department 900 - Department of LawDivision 904 - Attorney General-Consumer Protection SectionRule 4 CCR 904-3 - Colorado Privacy Act Rules
Part 4 CCR 904-3-6 - DUTIES OF CONTROLLERS
Section 4 CCR 904-3-6.10 - DUTY REGARDING SENSITIVE DATA

4 Colo. Code Regs. § 904-3-6.10

Download
PDF
Current through Register Vol. 47, No. 16, August 25, 2024
Section 4 CCR 904-3-6.10 - DUTY REGARDING SENSITIVE DATA
A. Controllers must obtain Consent to Process Sensitive Data, including Sensitive Data Inferences, consistent with C.R.S. § 6-1-1308(7) and 4 CCR 904-3, Rules 7.02-7.05.
B. Controllers may be exempt from obtaining Consent to Process Sensitive Data Inferences from Consumers over the age of thirteen (13) only if:
1. The Processing purpose of such Personal Data would be obvious to a reasonable Consumer based on the context of the collection and use of the Personal Data, and the relationship between the Controller and Consumer;
2. Sensitive Data Inferences are permanently deleted within twenty-four (24) hours of collection or of the completion of the Processing activity, whichever comes first;
3. Sensitive Data Inferences are not transferred, sold, or shared with any Processors, Affiliates, or Third-Parties; and
4. The Personal Data and any Sensitive Data Inferences are not Processed for any purpose other than the express purpose disclosed to the Consumer.
C. If a Controller will delete Sensitive Data Inferences within twenty-four (24) hours, pursuant to this section, they must (1) include description of the Sensitive Data Inferences subject to this provision and the retention and deletion timeline for such Sensitive Data Inferences in its privacy notice, pursuant to 4 CCR 904-3, Rule 6.03 , and (2) include the details of the deletion and verification process in the Controller's Data Protection Assessment, pursuant to 4 CCR 904-3, Rule 8.04.

4 CCR 904-3-6.10

46 CR 06, March 25, 2023, effective 7/1/2023