Colo. Rev. Stat. § 6-1-1308

Current through Chapter 123 of the 2024 Legislative Session
Section 6-1-1308 - Duties of controllers
(1) Duty of transparency.
(a) A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
(I) The categories of personal data collected or processed by the controller or a processor;
(II) The purposes for which the categories of personal data are processed;
(III) How and where consumers may exercise the rights pursuant to section 6-1-1306, including the controller's contact information and how a consumer may appeal a controller's action with regard to the consumer's request;
(IV) The categories of personal data that the controller shares with third parties, if any; and
(V) The categories of third parties, if any, with whom the controller shares personal data.
(b) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.
(c) A controller shall not:
(I) Require a consumer to create a new account in order to exercise a right; or
(II) Based solely on the exercise of a right and unrelated to feasibility or the value of a service, increase the cost of, or decrease the availability of, the product or service.
(d) Nothing in this part 13 shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.
(2) Duty of purpose specification. A controller shall specify the express purposes for which personal data are collected and processed.
(3) Duty of data minimization. A controller's collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed.
(4) Duty to avoid secondary use. A controller shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer's consent.
(5) Duty of care. A controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.
(6) Duty to avoid unlawful discrimination. A controller shall not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
(7) Duty regarding sensitive data. A controller shall not process a consumer's sensitive data without first obtaining the consumer's consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child's parent or lawful guardian.

C.R.S. § 6-1-1308

Added by 2021 Ch. 483, § 1, eff. 7/1/2023.