134 | Colorado Privacy Act Rules
E.  A Controller may display in a conspicuous manner if it has Processed the Consumer’s opt-out preference signal. For example,
the Controller may display on its website “Opt-Out Preference Signal Honored” when a browser, device, or Consumer
utilizing a Universal Opt-Out Mechanism visits the website.
F.  Pursuant to C.R.S. § 6-1-1313(2)(f), a Controller may authenticate that the user sending an opt- out request through a
Universal Opt-Out Mechanism is a Resident of Colorado, but they are not obligated to do so.
Rule 5.09 CONSENT AFTER UNIVERSAL OPT-OUT
A.  A Controller may enable a Consumer to Consent to Processing that the Consumer has opted-out of using a Universal Opt-
Out mechanism, so long as the Controller’s request for Consent complies with the Consent requirements provided in C.R.S.
§ 6-1-1306(1)(a)(IV)(C), and 4 CCR 904-3, Rule 7.05.
B.  A Controller shall not interpret the absence of a Universal Opt-Out Mechanism signal after the Consumer previously
utilized a Universal Opt-Out Mechanism as Consent to opt back in.
PART 6 DUTIES OF CONTROLLERS
Rule 6.02 PRIVACY NOTICE PRINCIPLES
A.  A privacy notice shall provide Consumers with a meaningful understanding and accurate expectations of how their Personal
Data will be Processed. It shall also inform Consumers about their rights under the Colorado Privacy Act and provide any
information necessary for Consumers to exercise those rights.
B.  A Controller is not required to provide a separate Colorado-specific privacy notice or section of a privacy notice as long as
the Controller’s privacy notice meets all requirements of this section and makes clear that Colorado Consumers are entitled
to the rights provided by C.R.S. § 6-1-1306.
C.  A privacy notice shall comply with all requirements for disclosures and communications to Consumers provided in 4 CCR
904-3, Rule 3.02.
D.  A privacy notice must be clear. Information contained in a privacy notice shall be:
1. Concrete and definitive, avoiding abstract or ambivalent terms that may lead to varying interpretations.
2.  Clearly labeled, such that Consumers seeking to understand a Controller’s Processing activities or how to exercise their
Data Rights can easily access the section of the privacy notice containing relevant information.
E. A privacy notice must be easily accessible. A privacy notice must be:
1.  Posted online through a conspicuous link using the word “privacy” on the Controller’s website homepage or on a mobile
application’s app store page or download page. A Controller that maintains an application on a mobile or other device
shall also include a link to the privacy notice in the application’s settings menu.
a.  A Controller that does not operate a website shall make the privacy notice conspicuously available to Consumers
through a medium regularly used by the Controller to interact with Consumers. For instance, if a Controller interacts
with a Consumer offline, an offline version of the privacy notice must be available to the Consumer.
F.  A privacy notice must be specific. The level of specificity in a privacy notice should enable a Consumer to understand, in
advance or at the time of the Processing, the scope of the Controller’s Processing operations, such that a Consumer should
not be taken by surprise at a later point about Personal Data that has been collected and the ways in which Personal Data
has been Processed.