Page 136 - GDPR and US States General Privacy Laws Deskbook

Rule 6.03 PRIVACY NOTICE CONTENT
A. A privacy notice must include the following information:
1.  A comprehensive description of the Controller’s online and offline Personal Data Processing practices, including but not
limited to the following, linked in a way that gives Consumers a meaningful understanding of how each category of their
Personal Data will be used when they provide that Personal Data to the Controller for a specified purpose:
a.  The categories of Personal Data Processed, including, but not limited to, whether Personal Data of a Child or other
Sensitive Data is Processed.
i.  Categories shall be described in a level of detail that provides Consumers a meaningful understanding of the type
of Personal Data Processed. For example, categories of Personal Data described at a sufficiently granular level of
detail include, but are not limited to: “contact information,” “government issued identification numbers,” “payment
information,” “Information from Cookies,” “data revealing religious affiliation,” and “medical data.”
b.  The Processing purpose described in a level of detail that gives Consumers a meaningful understanding of how each
category of their Personal Data is used when provided for that Processing purpose.
c.  Whether the Personal Data provided for a specific purpose will be sold or used for Targeted Advertising or Profiling
in furtherance of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer.
d.  Categories of Personal Data that the Controller Sells to or shares with Third Parties, if any.
e.  Categories of Third Parties to whom the Controller sells, or with whom the Controller shares Personal Data, if any.
Categories of Third Parties must be described in a level of detail that gives Consumers a meaningful understanding
of the type of, business model of, or processing conducted by the Third Party.
i.  For example, categories of Third Parties described in a sufficiently granular level of detail include, but are not
limited to: “analytics companies,” “data brokers,” “third-party advertisers,” “payment processors,” “lenders,” “other
merchants,” and “government agencies.”
2.  If a Controller’s Processing activity involves the Processing of Personal Data for the purpose of Profiling in furtherance
of Decisions that Produce Legal or Similarly Significant Effects Concerning a Consumer, all disclosures required by 4 CCR
904-3, Rule 9.03.
3.  A list of the Data Rights available.
4.  A description of the methods through which a Consumer may submit requests to exercise Data Rights, as required by
C.R.S. § 6-1-1306(1) and 4 CCR 904-3, Rule 4.02, including:
a.  Instructions on how to use each method.
b.  Instructions on how an Authorized Agent may submit a request to opt out of the Processing of Consumer Personal
Data on a Consumer’s behalf pursuant to C.R.S. § 6-1-1306(1)(a)(II).
c.  A clear and conspicuous method to exercise the right to opt out of the Processing of Personal Data concerning the
Consumer pursuant to C.R.S. § 6-1-1306(1)(a)(I) and (1)(a)(III), or links to any online method, such as a webform or
portal, consistent with 4 CCR 904-3, Rule 4.03.
d.  A description of the commercially reasonable process the Controller uses to Authenticate the identity of a Consumer
exercising a Data Right request or to Authenticate the authority of an Authorized Agent exercising the right to opt
out on a Consumer’s behalf.
136 | Colorado Privacy Act Rules