137 | Colorado Privacy Act Rules
D.  If a Consumer refuses to Consent to the Processing of Sensitive Data necessary for a personalized Bona Fide Loyalty
Program Benefit, the Controller is no longer obligated to provide that personalized Bona Fide Loyalty Program Benefit.
However, the Controller shall provide any available, non-personalized Bona Fide Loyalty Program Benefit for which the
Sensitive Data is not necessary. A Controller may not condition a Consumer’s participation in a Bona Fide Loyalty Program
on the Consumer’s Consent to Process Sensitive Data unless the Sensitive Data is required for all Bona Fide Loyalty
Program Benefits.
E.  If a Consumer’s decision to exercise a Data Right impacts the Consumer’s membership in a Bona Fide Loyalty Program,
the Controller shall notify the Consumer of the impact of the Consumer’s decision in conformance with 4 CCR 904-3,
Rule 3.02 and at least twenty-four (24) hours before discontinuing the Consumer’s Bona Fide Loyalty Program Benefit or
membership, and must provide a reference or link to the information required by subparagraph F, below.
F.  Loyalty Program Disclosures
1.  In addition to all other disclosures required by 4 CCR 904-3, Rules 6.03 and 7.03, a Controller maintaining a Bona Fide
Loyalty Program must provide the following disclosures at the point of program registration, either directly, or in the
form of a link to the specific section of a privacy notice or terms and conditions containing such information:
a.  The categories of Personal Data or Sensitive Data collected through the Bona Fide Loyalty Program that will be Sold
or Processed for Targeted Advertising, if any;
b.  Categories of Third Parties that will receive the Consumer’s Personal Data and Sensitive Data, provided in the level
the detail described in 4 CCR 904-3, Rule 6.03(a)(1)(e), including whether Personal Data will be provided to Data
Brokers;
c.  A list of any Bona Fide Loyalty Program Partners, and the Bona Fide Loyalty Program Benefits provided by each Bona
Fide Loyalty Program Partner.
d.  If a Controller claims that a Consumer’s decision to delete Personal Data makes it impossible to provide a Bona Fide
Loyalty Program Benefit, then the Controller shall provide an explanation of why the deletion of Personal Data makes
it impossible to provide a Bona Fide Loyalty Program Benefit.
e.  If a Controller claims that a Consumer’s Sensitive Data is required for a Bona Fide Loyalty Program Benefit, then the
Controller shall provide an explanation of why the Sensitive Data is required for a Bona Fide Loyalty Program Benefit.
2.  Bona Fide Loyalty Program terms and requests for Consent to Process Sensitive Data or Personal Data in connection
with the Bona Fide Loyalty Program shall also include a link to the Controller’s privacy notice.
G.  Example: A Consumer joins a grocery store’s Bona Fide Loyalty Program that includes both personalized and non-
personalized Bona Fide Loyalty Program Benefits. The grocery store asks the Consumer for Consent to collect Sensitive
Data about the Consumer in order to provide personalized Bona Fide Loyalty Program Benefits. When the Consumer
refuses Consent, the Controller gives timely notice to the Consumer that it will not provide the personalized Bona Fide
Loyalty Program Benefits, but will continue to provide non-personalized Bona Fide Loyalty Program Benefits. Moving
forward, the Controller provides only the non-personalized Bona Fide Loyalty Program Benefits following the Consumer’s
decision to continue to refuse Consent to the collection of Sensitive Data. The Controller is not acting impermissibly
because the grocery store is still providing all available non-personalized Bona Fide Loyalty Program Benefits and did not
condition the Consumer’s participation in the Bona Fide Loyalty Program on the Consumers Consent to process Sensitive
Data that is not required for personalized Bona Fide Loyalty Program Benefits.
H.  Example: A Consumer joins a hotel chain’s Bona Fide Loyalty Program, which provides points that can be applied to obtain
discounts for that hotel chain, and for a popular restaurant chain that is not otherwise affiliated with the hotel chain. The
restaurant chain requires the hotel chain to provide the Personal Data of each Consumer who wishes to apply the hotel
chain’s points to obtain restaurant discounts. When the Consumer opts out of the Sale of Personal Data and Processing
of Personal Data for Targeted Advertising, the Controller is unable to provide the required information to the restaurant