Page 106 - GDPR and US States General Privacy Laws Deskbook
P. 106

6-1-1303. Definitions.
As used in this Part 13, unless the context otherwise requires:
(1)  “Affiliate” means a legal entity that controls, is controlled by, or is under common control with another legal entity. As used
in this subsection (1), “control” means:
(a)  ownership of, control of, or power to vote twenty-five percent or more of the outstanding shares of any class of voting
security of the entity, directly or indirectly, or acting through one or more other persons; Page 3-senate bill 21-190
(b)  control in any manner over the election of a majority of the directors, trustees, or general partners of the entity or of
individuals exercising similar functions; or
(c)  the power to exercise, directly or indirectly, a controlling influence over the management or policies of the entity as
determined by the applicable prudential regulator, as that term is defined in 12 U.S.C. SEC. 5481 (24), if any.
(2)  “authenticate” means to use reasonable means to determine that a request to exercise any of the rights in section 6-1-
1306 (1) is being made by or on behalf of the consumer who is entitled to exercise the rights.
(3) “Business Associate” has the meaning established in 45 Cfr 160.103.
(4) “Child” means an individual under thirteen years of age.
(5)  “Consent” means a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous
agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the
consumer signifies agreement to the processing of personal data. The following does not constitute consent:
(a)  acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing
along with other, unrelated information;
(b) hovering over, muting, pausing, or closing a given piece of content; and
(c) agreement obtained through dark patterns.
(6) “Consumer”:
(a)  means an individual who is a Colorado resident acting only in an individual or household context; and Page 4-senate
bill 21-190
(b)  does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of
someone acting in an employment context.
(7)  “Controller” means a person that, alone or jointly with others, determines the purposes for and means of processing
personal data.
(8) “Covered Entity” has the meaning established in 45 cfr 160.103.
(9)  “Dark Pattern” means a user interface designed or manipulated with the substantial effect of subverting or impairing user
autonomy, decision-making, or choice.
(10)  “Decisions that produce legal or similarly significant effects concerning a consumer” means a decision that results in the
provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal
justice, employment opportunities, health-care services, or access to essential goods or services.
106 | Colorado Privacy Act
































































   104   105   106   107   108