123 | Colorado Privacy Act Rules
3. Genetic Information; or
4. Nonconsensual Intimate Images known to the Controller.
“Revealing” as referred to in C.R.S. § 6-1-1303(24)(a) includes Sensitive Data Inferences. For example:
1.  While precise geolocation information at a high level may not be considered Sensitive Data, precise geolocation data
which is used to infer an individual visited a mosque and is used to infer that individual’s religious beliefs is considered
Sensitive Data under C.R.S. § 6-1-1303(24)(a). Similarly, precise geolocation data which is used to infer an individual
visited a reproductive health clinic and is used to infer an individual’s health condition or sex life is considered Sensitive
Data under C.R.S. § 6-1-1303(24)(a).
2.  While web browsing data at a high level may not be considered Sensitive Data, web browsing data which, alone or in
combination with other Personal Data, infers an individual’s sexual orientation is considered Sensitive Data under C.R.S.
§ 6-1- 1303(24)(a).
“Sensitive Data Inference” or “Sensitive Data Inferences” means inferences made by a Controller based on Personal Data,
alone or in combination with other data, which are used to indicate an individual’s racial or ethnic origin; religious beliefs;
mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status.
“Solely Automated Processing” means the automated processing of Personal Data with no human review, oversight,
involvement, or intervention.
“Universal Opt-Out Mechanism” or “Universal Opt-Out Mechanisms” means mechanisms that clearly communicate a
Consumer’s affirmative, freely given, and unambiguous choice to opt out of the Processing of Personal Data for purposes
of Targeted Advertising or the Sale of Personal Data pursuant to C.R.S. § 6-1-1306 (1)(a)(I)(A) or (1)(a)(I)(B), which meets the
technical specifications set forth in 4 CCR 904-3, Rule 5.06 pursuant to C.R.S. § 6-1-1313(2).
PART 3 CONSUMER DISCLOSURES
Rule 3.02	 REQUIREMENTS FOR DISCLOSURES, NOTIFICATIONS, AND OTHER
COMMUNICATIONS TO CONSUMERS
A.  Disclosures, notifications, and other communications to Consumers pursuant to 4 CCR 904-3, Rules 4.02, 4.05(D), 5.03,
6.02, 6.05, and 7.04 must be:
1.  Designed to be understandable and accessible to a Controller’s target audiences, considering the vulnerabilities or
unique characteristics of the audience and paying particular attention to the vulnerabilities of children. For example,
they shall use plain, straightforward language and avoid technical or legal jargon.
2.  Reasonably accessible to Consumers with Disabilities, including through the use of digital accessibility tools. For
notices provided online, the Controller shall follow generally recognized industry standards, such as the Web Content
Accessibility Guidelines, version 2.1 of June 5, 2018, from the World Wide Web Consortium, incorporated herein by
reference as described at 4 CCR 904-3, Rule 11.02. In other contexts, the Controller shall provide information on how
a Consumer with a Disability may access the disclosure or communication or make a request in an alternative format.
3.  Available in the languages in which the Controller in its ordinary course provides web pages, interfaces, contracts,
disclaimers, sale announcements, and other information to Consumers. Disclosures and communications sent directly
to Consumers must be sent in the language in which the Consumer ordinarily interacts with the Controller.
4. Available through a readily accessible interface regularly used in conjunction with the Controller’s product or service.