4 Colo. Code Regs. § 904-3-7.03

Current through Register Vol. 47, No. 16, August 25, 2024
Section 4 CCR 904-3-7.03 - REQUIREMENTS FOR VALID CONSENT
A. To be valid, a Consent must meet each of the following elements:
(1) it must be obtained through the Consumer's clear, affirmative action;
(2) it must be freely given by the Consumer;
(3) it must be specific;
(4) it must be informed; and
(5) it must reflect the Consumer's unambiguous agreement.
B. Consent must be obtained through the Consumer's clear, affirmative action. For purposes of obtaining valid Consent:
1. A "clear, affirmative action" means a Consumer's Consent is communicated through either (a) deliberate and clear conduct, or (b) a statement that clearly indicates their acceptance of the proposed Processing of their Personal Data.
2. A blanketed acceptance of general terms and conditions, silence, inactivity or inaction, pre-ticked boxes, and other negative option opt-out constructions that require intervention from the Consumer to prevent agreement are not clear affirmative actions for the purposes of valid Consent.
C. Consent must be freely given. For purposes of obtaining valid Consent:
1. Consent is freely given when Consumers may refuse Consent without detriment and withdraw Consent easily at any time.
2. Consent is not freely given when:
a. It reflects acceptance of a general or broad terms of use or similar document that contains descriptions of Personal Data Processing along with other, unrelated information;
b. The performance of a contract is dependent on Consent to Process Personal Data that is not necessary to provide the goods or services contemplated by the contract; or
c. The Controller denies goods, services, discounts, or promotions to a Consumer who chooses not to provide Consent, unless:
i. The Personal Data is necessary to the provision of those goods, services, discounts, or promotions, consistent with 4 CCR 904-3, Rule 6.05; or
ii. The Consent is otherwise required in connection with a Consumer's voluntary participation in a Bona Fide Loyalty Program, consistent with the requirements in 4 CCR 904-3, Rule 6.05.
3. Example: An online dating application's terms and conditions tell users that the application will disclose collected Personal Data, including Sensitive Data revealing sexual orientation, with similar applications for advertising purposes. Consent is required for the disclosure of Sensitive Data with similar applications for advertising purposes. Since users cannot accept the required terms and conditions without the opportunity to separately provide or withhold Consent for sharing with similar applications, the Consent is not freely given.
D. Consent must be specific.
1. When Controllers request Consent to Process Personal Data for more than one Processing purpose, and those Processing purposes are not reasonably necessary to or compatible with one another, Consumers must have the ability to separately Consent to each specific purpose.
a. Controllers may request Consent to Process Personal Data for multiple Processing purposes that are not reasonably necessary to or compatible with one another using a single Consent request as long as there is also an option for more granular Consent within the same Consent interface.
2. Consent to Process Personal Data for one specific purpose does not constitute valid Consent to Process Personal Data for other purposes that are not reasonably necessary to or compatible with that specific purpose.
3. The Sale of Sensitive Data to one specific party is not necessary to or compatible with the Sale of Sensitive Data to a different party.
a. Example: A cosmetic retailer asks a customer for Consent to use Sensitive Data revealing the customer's racial origin in order to provide first-party targeted offers to the customer and to Sell the customer's racial origin information to Data Brokers. This Consent is not specific as there is no opportunity to provide separate Consent for the two separate Processing purposes. Therefore, Consent in this example would not be valid.
b. Example: In the example above, the Controller requests Consent only to Sell Sensitive Data revealing the customer's racial origin with commercial partners. The Controller lists "Fashion Co. #1" and "Make Up Co. #1" as commercial partners who will receive Sensitive Data. Consent would be deemed valid for only these two Third Parties because their identity was provided to the Consumer at the time that his or her Consent was collected. Consent would not be deemed valid for Selling with another Third Party whose identity has not been provided.
E. Consent must be informed.
1. When requesting Consent, a Controller must provide the following information, at a minimum:
a. The Controller's identity;
b. The plain-language reason that Consent is required;
c. The Processing purpose(s) for which Consent is sought;
d. The categories of Personal Data that the Controller shall Process to effectuate the Processing purpose(s);
e. Names of all Third Parties receiving the Sensitive Data through Sale, if applicable;
f. A description of the Consumer's right to withdraw Consent for the identified Processing purpose at any time in accordance with 4 CCR 904-3, Rule 7.07 and details of how and where to do so; and
g. Any disclosures required by 4 CCR 904-3, Rules 6.05 and 9.05.
F. Consent may not be obtained using Dark Patterns as defined in C.R.S. § 6-1-1309(9) and prohibited by 4 CCR 904-3, Rule 7.09. Pursuant to C.R.S. § 6-1-1303(5)(c) and 4 CCR 904-3, Rule 7.09, any agreement obtained through Dark Patterns is not valid Consent.

4 CCR 904-3-7.03

46 CR 06, March 25, 2023, effective 7/1/2023