C.R.S. Section 6-1-1306
Consumer personal data rights

  • repeal

(1)

Consumers may exercise the following rights by submitting a request using the methods specified by the controller in the privacy notice required under section 6-1-1308 (1)(a). The method must take into account the ways in which consumers normally interact with the controller, the need for secure and reliable communication relating to the request, and the ability of the controller to authenticate the identity of the consumer making the request. Controllers shall not require a consumer to create a new account in order to exercise consumer rights pursuant to this section but may require a consumer to use an existing account. A consumer may submit a request at any time to a controller specifying which of the following rights the consumer wishes to exercise:

(a)

Right to opt out.

(I)

A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of:

(A)

Targeted advertising;

(B)

The sale of personal data; or

(C)

Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.

(II)

A consumer may authorize another person, acting on the consumer’s behalf, to opt out of the processing of the consumer’s personal data for one or more of the purposes specified in subsection (1)(a)(I) of this section, including through a technology indicating the consumer’s intent to opt out such as a web link indicating a preference or browser setting, browser extension, or global device setting. A controller shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer’s behalf if the controller is able to authenticate, with commercially reasonable effort, the identity of the consumer and the authorized agent’s authority to act on the consumer’s behalf.

(III)

A controller that processes personal data for purposes of targeted advertising or the sale of personal data shall provide a clear and conspicuous method to exercise the right to opt out of the processing of personal data concerning the consumer pursuant to subsection (1)(a)(I) of this section. The controller shall provide the opt-out method clearly and conspicuously in any privacy notice required to be provided to consumers under this part 13, and in a clear, conspicuous, and readily accessible location outside the privacy notice.

(IV)

Intentionally left blank —Ed.

(A)

A controller that processes personal data for purposes of targeted advertising or the sale of personal data may allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313. This subsection (1)(a)(IV)(A) is repealed, effective July 1, 2024.

(B)

Effective July 1, 2024, a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313.

(C)

Notwithstanding a consumer’s decision to exercise the right to opt out of the processing of personal data through a universal opt-out mechanism pursuant to subsection (1)(a)(IV)(B) of this section, a controller may enable the consumer to consent, through a web page, application, or a similar method, to the processing of the consumer’s personal data for purposes of targeted advertising or the sale of personal data, and the consent takes precedence over any choice reflected through the universal opt-out mechanism. Before obtaining a consumer’s consent to process personal data for purposes of targeted advertising or the sale of personal data pursuant to this subsection (1)(a)(IV)(C), a controller shall provide the consumer with a clear and conspicuous notice informing the consumer about the choices available under this section, describing the categories of personal data to be processed and the purposes for which they will be processed, and explaining how and where the consumer may withdraw consent. The web page, application, or other means by which a controller obtains a consumer’s consent to process personal data for purposes of targeted advertising or the sale of personal data must also allow the consumer to revoke the consent as easily as it is affirmatively provided.

(b)

Right of access.
A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer’s personal data.

(c)

Right to correction.
A consumer has the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.

(d)

Right to deletion.
A consumer has the right to delete personal data concerning the consumer.

(e)

Right to data portability.
When exercising the right to access personal data pursuant to subsection (1)(b) of this section, a consumer has the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance. A consumer may exercise this right no more than two times per calendar year. Nothing in this subsection (1)(e) requires a controller to provide the data to the consumer in a manner that would disclose the controller’s trade secrets.

(2)

Responding to consumer requests.

(a)

A controller shall inform a consumer of any action taken on a request under subsection (1) of this section without undue delay and, in any event, within forty-five days after receipt of the request. The controller may extend the forty-five-day period by forty-five additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller shall inform the consumer of an extension within forty-five days after receipt of the request, together with the reasons for the delay.

(b)

If a controller does not take action on the request of a consumer, the controller shall inform the consumer, without undue delay and, at the latest, within forty-five days after receipt of the request, of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subsection (3) of this section.

(c)

Upon request, a controller shall provide to the consumer the information specified in this section free of charge; except that, for a second or subsequent request within a twelve-month period, the controller may charge an amount calculated in the manner specified in section 24-72-205 (5)(a).

(d)

A controller is not required to comply with a request to exercise any of the rights under subsection (1) of this section if the controller is unable to authenticate the request using commercially reasonable efforts, in which case the controller may request the provision of additional information reasonably necessary to authenticate the request.

(3)

Intentionally left blank —Ed.

(a)

A controller shall establish an internal process whereby consumers may appeal a refusal to take action on a request to exercise any of the rights under subsection (1) of this section within a reasonable period after the consumer’s receipt of the notice sent by the controller under subsection (2)(b) of this section. The appeal process must be conspicuously available and as easy to use as the process for submitting a request under this section.

(b)

Within forty-five days after receipt of an appeal, a controller shall inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support of the response. The controller may extend the forty-five-day period by sixty additional days where reasonably necessary, taking into account the complexity and number of requests serving as the basis for the appeal. The controller shall inform the consumer of an extension within forty-five days after receipt of the appeal, together with the reasons for the delay.

(c)

The controller shall inform the consumer of the consumer’s ability to contact the attorney general if the consumer has concerns about the result of the appeal.

Source: Section 6-1-1306 — Consumer personal data rights - repeal, https://leg.­colorado.­gov/sites/default/files/images/olls/crs2023-title-06.­pdf (accessed Oct. 20, 2023).

6‑1‑101
Short title
6‑1‑102
Definitions
6‑1‑103
Attorney general and district attorneys concurrently responsible for enforcement
6‑1‑104
Cooperative reporting
6‑1‑105
Unfair or deceptive trade practices
6‑1‑106
Exclusions
6‑1‑107
Powers of attorney general and district attorneys
6‑1‑108
Subpoenas - hearings - rules
6‑1‑109
Remedies
6‑1‑110
Restraining orders - injunctions - assurances of discontinuance
6‑1‑111
Information and evidence confidential and inadmissible - when
6‑1‑112
Civil penalties
6‑1‑113
Civil actions - damages - other relief - class actions
6‑1‑114
Criminal penalties
6‑1‑115
Limitations
6‑1‑116
Investigation of unfair business practices by regulated persons - district attorney requests for records from licensing authorities - interagency agreements with attorney general - legislative declaration - definitions
6‑1‑201
Definitions
6‑1‑202
Prohibited act
6‑1‑203
Collision damage waiver form - requirements - failure to comply
6‑1‑204
Prohibited exclusion
6‑1‑205
Information to be disclosed in advertisements for rental agreements for rental motor vehicles
6‑1‑206
Additional mandatory charges - required disclosures - definitions
6‑1‑207
Adaptive equipment in rental motor vehicles - requirements - failure to comply - legislative declaration - definitions
6‑1‑301
Legislative declaration
6‑1‑302
Definitions
6‑1‑303
Registration of commercial telephone sellers
6‑1‑304
Unlawful telemarketing practices
6‑1‑305
Penalties
6‑1‑401
Legislative intent
6‑1‑402
Definitions
6‑1‑403
Express warranty required - authorized servicers
6‑1‑404
Remedies
6‑1‑405
Remedies for consumers of purchased wheelchairs - conditions
6‑1‑406
Remedies for consumers of leased wheelchairs - conditions
6‑1‑407
Resale of a returned wheelchair - disclosure required
6‑1‑408
Other remedies - waiver of rights void
6‑1‑409
Fraudulent acts
6‑1‑410
Arbitration
6‑1‑411
Defect notification
6‑1‑412
Disclosures
6‑1‑501
Definitions
6‑1‑502
Express warranty required - authorized servicers
6‑1‑503
Remedies
6‑1‑504
Remedies for consumers of purchased facilitative devices - conditions
6‑1‑505
Remedies for consumers of leased facilitative devices - conditions
6‑1‑506
Resale of a returned facilitative device - disclosure required
6‑1‑507
Other remedies - waiver of rights void - limitation of coverage
6‑1‑508
Fraudulent acts
6‑1‑509
Arbitration
6‑1‑510
Defect notification
6‑1‑511
Disclosures
6‑1‑701
Dispensing hearing aids - deceptive trade practices - definitions
6‑1‑702
Unsolicited facsimiles - deceptive trade practice - definitions
6‑1‑702.5
Commercial electronic mail messages - deceptive trade practice - remedies - definitions - short title - legislative declaration
6‑1‑703
Time shares and resale time shares - deceptive trade practices
6‑1‑703.5
Time share resale transfer agreements - deceptive trade practices
6‑1‑704
Health clubs - deceptive trade practices
6‑1‑705
Dance studios - deceptive trade practices
6‑1‑706
Buyers’ clubs - deceptive trade practices
6‑1‑707
Use of title or degree - deceptive trade practice
6‑1‑708
Vehicle sales and leases - deceptive trade practice - definition
6‑1‑709
Sales of manufactured and tiny homes - deceptive trade practices
6‑1‑710
Trafficking of false airbag - deceptive trade practices - criminal liability - definitions
6‑1‑711
Restrictions on credit card receipts - legislative declaration - application - definitions
6‑1‑712
Discount health plan and cards - deceptive trade practices - definitions
6‑1‑713
Disposal of personal identifying information - policy - definitions
6‑1‑713.5
Protection of personal identifying information - definition
6‑1‑714
Unfair drug pricing practice - deceptive trade practice - definitions
6‑1‑715
Confidentiality of social security numbers
6‑1‑716
Notification of security breach
6‑1‑717
Influencing a real estate appraisal - deceptive trade practice
6‑1‑718
Ticket sales and resales - prohibitions - unlawful conditions - definitions
6‑1‑719
Truth in music advertising
6‑1‑720
Online event ticket sales - deceptive trade practice - definitions
6‑1‑721
Like-kind exchanges by exchange facilitators - deceptive trade practice - definitions
6‑1‑722
Gift certificates - validity - exemptions - definitions
6‑1‑723
Cathinone bath salts - deceptive trade practice
6‑1‑724
Unlicensed alternative health-care practitioners - deceptive trade practices - short title - legislative declaration - definitions
6‑1‑725
Synthetic cannabinoids - incense - deceptive trade practice
6‑1‑726
Sale of public services - deceptive trade practice - definition
6‑1‑727
Immigration-related services provided by nonattorneys - deceptive trade practice - definitions
6‑1‑728
Solicitation of fee for a deed or deed of trust - definitions
6‑1‑729
Assisted living residence referral - disclosures - penalty - fine - definitions
6‑1‑730
Price gouging during declared disaster prohibited - deceptive trade practice - legislative declaration - definitions
6‑1‑731
Contracts for dating services and online dating services - right of cancellation - remedy for violations - required notice regarding fraud bans - definitions
6‑1‑732
Automatic renewal contracts - unlawful acts - required disclosures - right to cancel - trial period offers - exemptions - definitions
6‑1‑733
Solicitations to file a secretary of state document or retrieve a copy of a public record for a fee - requirements - definition
6‑1‑734
Access to abortion services and emergency contraception - deceptive trade practice - definitions
6‑1‑801
Legislative finding, declaration, and intent
6‑1‑802
Definitions
6‑1‑803
Prohibited practices and required disclosures
6‑1‑804
Exemptions
6‑1‑901
Short title
6‑1‑902
Legislative declaration
6‑1‑903
Definitions
6‑1‑904
Unlawful to make telephone solicitations to subscribers on the Colorado no-call list - requirements for telephone solicitations generally
6‑1‑905
Establishment and operation of a Colorado no-call list
6‑1‑906
Enforcement - penalties - defenses
6‑1‑907
Acceptance of gifts, grants, and donations
6‑1‑908
Severability
6‑1‑1001
Restrictions on use of loan information for solicitations - definition
6‑1‑1101
Short title
6‑1‑1102
Legislative declaration
6‑1‑1103
Definitions
6‑1‑1104
Foreclosure consulting contract
6‑1‑1105
Right of cancellation
6‑1‑1106
Waiver of rights - void
6‑1‑1107
Prohibited acts
6‑1‑1108
Criminal penalties
6‑1‑1109
Unconscionability
6‑1‑1110
Language
6‑1‑1111
Written contract required
6‑1‑1112
Written contract - contents - notice
6‑1‑1113
Cancellation
6‑1‑1114
Notice of cancellation
6‑1‑1115
Options through reconveyances
6‑1‑1116
Waiver of rights - void
6‑1‑1117
Prohibited conduct
6‑1‑1118
Criminal penalties
6‑1‑1119
Unconscionability
6‑1‑1120
Language
6‑1‑1121
Short sales - subsequent purchaser - definition
6‑1‑1201
Short title
6‑1‑1202
Definitions
6‑1‑1203
Insurance coverage during car sharing period
6‑1‑1204
Notification of implications of lien
6‑1‑1205
Liability - exclusions for personal automobile liability insurance policy - indemnification
6‑1‑1206
Prohibition on exclusion of coverage for car sharing
6‑1‑1207
Record keeping
6‑1‑1208
Federal law - vicarious liability
6‑1‑1209
Insurable interest
6‑1‑1210
Required disclosures and notices
6‑1‑1211
Driver’s license verification and data retention
6‑1‑1212
Shared car equipment
6‑1‑1213
Safety recalls
6‑1‑1214
Enabling operation at airport
6‑1‑1301
Short title
6‑1‑1302
Legislative declaration
6‑1‑1303
Definitions
6‑1‑1304
Applicability of part
6‑1‑1305
Responsibility according to role
6‑1‑1306
Consumer personal data rights - repeal
6‑1‑1307
Processing de-identified data
6‑1‑1308
Duties of controllers
6‑1‑1309
Data protection assessments - attorney general access and evaluation - definition
6‑1‑1310
Liability
6‑1‑1311
Enforcement - penalties - repeal
6‑1‑1312
Preemption - local governments
6‑1‑1313
Rules - opt-out mechanism
6‑1‑1401
Definitions
6‑1‑1402
Disclosure of information by online marketplaces to inform consumers
6‑1‑1403
Enforcement
6‑1‑1404
Preemption
6‑1‑1501
Short title
6‑1‑1502
Definitions
6‑1‑1503
Powered wheelchair manufacturer obligations regarding services - exemptions
6‑1‑1504
Limitations
6‑1‑1505
Federal legislation on right to repair agricultural equipment - repeal - notice to revisor
Green check means up to date. Up to date

Current through Fall 2024

§ 6-1-1306’s source at colorado​.gov