141 | Colorado Privacy Act Rules
Rule 6.11 DOCUMENTATION CONCERNING DUTIES OF CONTROLLERS
A.  Controllers shall maintain records of all Consumer Data Rights requests made pursuant to C.R.S. § 6-1-1306 for at least
twenty-four (24) months. Such records shall include, at a minimum, each of the following:
1. The date of request;
2. The Consumer Data Rights request type;
3. The date of the Controller’s response;
4. The nature of the Controller’s response;
5. The basis for the denial of the request if the request is denied in whole or in part; and
6. The existence and resolution of any Consumer appeal to a denied request.
B.  Controllers shall maintain a record of all Data Rights requests made pursuant to C.R.S. § 6-1- 1306 with which the Controller
has previously complied. Such records shall be retained for at least twenty-four (24) months and shall be made available
at the completion of a merger, acquisition, bankruptcy, or other transaction in which a Third Party assumes control of
Personal Data to ensure any new Controller continues to recognize the Consumer’s previously exercised Data Rights.
C.  Controllers shall maintain documents sufficient to demonstrate compliance with 4 CCR 904-3, Rules 6.07, 6.08, and 7.06
for as long as the Processing activity continues, and for at least twenty-four (24) months after the conclusion of Processing
activity.
D.  Required records shall be maintained in a readable format, appropriate to the sophistication and size of the Controller’s
business.
E.  The Controller shall implement and maintain reasonable security procedures and practices, consistent with 4 CCR 904-3,
Rule 6.09, in maintaining all required records.
F.  Personal Data maintained pursuant to this 4 CCR 904-3, Rule 6.11, where that information is not used for any other
purpose, shall not be subject to Data Rights requests.
G.  Personal Data maintained for required documentation shall not be used for any other purpose except as reasonably
necessary for the business to review and modify its processes for compliance with the Colorado Privacy Act, C.R.S. §
6-1-1301, et seq., and these rules. Personal Data maintained for required documentation shall not be shared with any
Third Party except as necessary to comply with a legal obligation or as part of a merger, acquisition, bankruptcy, or other
transaction in which a Third Party assumes control of Personal Data.
H.  Other than as required by this subsection and 4 CCR 904-3, Rule 4.06, a Controller is not required to retain Personal Data
solely for the purpose of fulfilling a Data Rights request made under the Colorado Privacy Act, C.R.S. § 6-1-1301, et seq.
PART 7 CONSENT
Rule 7.02 REQUIRED CONSENT
A.  Pursuant to C.R.S. §§ 6-1-1303(5), 6-1-1306(1)(a)(IV)(C), 6-1-1308(4), and 6-1-1308(7), a Controller must obtain valid
Consumer Consent prior to:
1. Processing a Consumer’s Sensitive Data;