SB-21-190
CO · State · USA
Status: Enacted
Effective Date: 2023-07-01
Colorado Senate Bill 21-190 — Colorado Privacy Act (Part 13, Article 1, Title 6, Colorado Revised Statutes)
Summary

The Colorado Privacy Act (CPA) is a comprehensive consumer data privacy law that applies to controllers conducting business in Colorado or intentionally targeting Colorado residents and meeting specified data processing thresholds (100,000+ consumers or 25,000+ consumers with revenue from data sales). It grants Colorado consumers rights to access, correct, delete, and port their personal data, and to opt out of targeted advertising, data sales, and profiling for consequential decisions. Controllers must provide transparent privacy notices, practice data minimization, obtain consent before processing sensitive data, and conduct data protection assessments for high-risk processing activities. Enforcement is exclusively by the Attorney General and district attorneys, who treat violations as deceptive trade practices; no private right of action exists. The law includes extensive exemptions for HIPAA-covered entities, GLBA-regulated financial institutions, and other federally regulated data categories.

Enforcement & Penalties
Enforcement Authority
Attorney General and district attorneys have exclusive authority to enforce by bringing an action in the name of the state or as parens patriae on behalf of Colorado residents. Enforcement is agency-initiated. Violations are treated as deceptive trade practices under Colorado's Consumer Protection Act (§ 6-1-105). Prior to January 1, 2025, enforcement actions required a 60-day cure notice before suit could be brought. After January 1, 2025, the cure period is repealed and the AG/DA may proceed directly. No private right of action is authorized.
Penalties
Violations are treated as deceptive trade practices under the Colorado Consumer Protection Act. The AG or district attorney may seek injunctive relief, temporary restraining orders, restitution to restore injured persons to their original position, disgorgement to prevent unjust enrichment, and civil penalties. Civil penalty receipts are credited per § 24-31-108. No statutory minimum per-violation amount is specified in the CPA itself; penalties are set by the court. No private damages remedy exists.
Who Is Covered
"Controller" means a person that, alone or jointly with others, determines the purposes for and means of processing personal data.
"Processor" means a person that processes personal data on behalf of a controller.
Compliance Obligations (14 obligations)
D-01 Automated Processing Rights & Data Controls · D-01.3 · Deployer · Automated Decisionmaking
C.R.S. § 6-1-1306(1)(a)
Plain Language
Colorado consumers have the right to opt out of three categories of data processing: targeted advertising, the sale of personal data, and profiling used to make consequential decisions (covering financial services, housing, insurance, education, employment, healthcare, and essential goods/services). Controllers that engage in targeted advertising or data sales must provide a clear and conspicuous opt-out method both in and outside the privacy notice. Starting July 1, 2024, controllers must also honor a user-selected universal opt-out mechanism meeting AG specifications. However, a controller may obtain specific, informed consent that overrides the universal opt-out — but only after providing clear notice of available choices and enabling equally easy revocation of that consent. Authorized agents may exercise opt-out rights on behalf of consumers.
Statutory Text
(a) Right to opt out. (I) A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of: (A) Targeted advertising; (B) The sale of personal data; or (C) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer. (II) A consumer may authorize another person, acting on the consumer's behalf, to opt out of the processing of the consumer's personal data for one or more of the purposes specified in subsection (1)(a)(I) of this section, including through a technology indicating the consumer's intent to opt out such as a web link indicating a preference or browser setting, browser extension, or global device setting. A controller shall comply with an opt-out request received from a person authorized by the consumer to act on the consumer's behalf if the controller is able to authenticate, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf. (III) A controller that processes personal data for purposes of targeted advertising or the sale of personal data shall provide a clear and conspicuous method to exercise the right to opt out of the processing of personal data concerning the consumer pursuant to subsection (1)(a)(I) of this section. The controller shall provide the opt-out method clearly and conspicuously in any privacy notice required to be provided to consumers under this part 13, and in a clear, conspicuous, and readily accessible location outside the privacy notice. 
(IV) (A) A controller that processes personal data for purposes of targeted advertising or the sale of personal data may allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313. This subsection (1)(a)(IV)(A) is repealed, effective July 1, 2024. (B) Effective July 1, 2024, a controller that processes personal data for purposes of targeted advertising or the sale of personal data shall allow consumers to exercise the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising or the sale of personal data pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers through a user-selected universal opt-out mechanism that meets the technical specifications established by the attorney general pursuant to section 6-1-1313. (C) Notwithstanding a consumer's decision to exercise the right to opt out of the processing of personal data through a universal opt-out mechanism pursuant to subsection (1)(a)(IV)(B) of this section, a controller may enable the consumer to consent, through a web page, application, or a similar method, to the processing of the consumer's personal data for purposes of targeted advertising or the sale of personal data, and the consent takes precedence over any choice reflected through the universal opt-out mechanism. 
Before obtaining a consumer's consent to process personal data for purposes of targeted advertising or the sale of personal data pursuant to this subsection (1)(a)(IV)(C), a controller shall provide the consumer with a clear and conspicuous notice informing the consumer about the choices available under this section, describing the categories of personal data to be processed and the purposes for which they will be processed, and explaining how and where the consumer may withdraw consent. The web page, application, or other means by which a controller obtains a consumer's consent to process personal data for purposes of targeted advertising or the sale of personal data must also allow the consumer to revoke the consent as easily as it is affirmatively provided.
D-01 Automated Processing Rights & Data Controls · D-01.1 · D-01.2 · Deployer · Automated Decisionmaking
C.R.S. § 6-1-1306(1)(b)-(e)
Plain Language
Consumers have four core data rights: (1) the right to confirm whether their data is being processed and to access it; (2) the right to correct inaccuracies; (3) the right to delete their personal data; and (4) the right to data portability — receiving their data in a portable, usable format to transmit to another entity (limited to twice per calendar year, with a trade secret carve-out). These rights must be exercised through the methods described in the controller's privacy notice.
Statutory Text
(b) Right of access. A consumer has the right to confirm whether a controller is processing personal data concerning the consumer and to access the consumer's personal data. (c) Right to correction. A consumer has the right to correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data. (d) Right to deletion. A consumer has the right to delete personal data concerning the consumer. (e) Right to data portability. When exercising the right to access personal data pursuant to subsection (1)(b) of this section, a consumer has the right to obtain the personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another entity without hindrance. A consumer may exercise this right no more than two times per calendar year. Nothing in this subsection (1)(e) requires a controller to provide the data to the consumer in a manner that would disclose the controller's trade secrets.
D-01 Automated Processing Rights & Data Controls · D-01.4 · Deployer · Automated Decisionmaking
C.R.S. § 6-1-1308(3)-(4)
Plain Language
Controllers must limit their data collection to what is adequate, relevant, and reasonably necessary for the stated processing purposes. They may not repurpose personal data for secondary uses that are incompatible with the original stated purposes unless the consumer provides fresh consent. These are foundational data minimization and purpose limitation obligations that apply across all data processing activities.
Statutory Text
(3) Duty of data minimization. A controller's collection of personal data must be adequate, relevant, and limited to what is reasonably necessary in relation to the specified purposes for which the data are processed. (4) Duty to avoid secondary use. A controller shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data are processed, unless the controller first obtains the consumer's consent.
D-01 Automated Processing Rights & Data Controls · D-01.5 · Deployer · Automated Decisionmaking
C.R.S. § 6-1-1308(7)
Plain Language
Controllers must obtain affirmative, informed consent before processing any sensitive data — including data revealing race, ethnicity, religion, health conditions, sex life, sexual orientation, citizenship, genetic data, biometric data, or data from known children. For children's data, consent must come from a parent or lawful guardian. Consent must be freely given, specific, informed, and unambiguous; bundled terms-of-service acceptance, passive interactions, and dark patterns do not qualify.
Statutory Text
(7) Duty regarding sensitive data. A controller shall not process a consumer's sensitive data without first obtaining the consumer's consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child's parent or lawful guardian.
Other · Deployer · Automated Decisionmaking
C.R.S. § 6-1-1308(1)(a)-(b)
Plain Language
Controllers must publish a reasonably accessible, clear privacy notice that covers: what categories of personal data are collected, why, how consumers can exercise their rights (with contact info and appeal instructions), what data categories are shared with third parties, and which categories of third parties receive data. If the controller sells data or uses it for targeted advertising, that must be clearly and conspicuously disclosed along with opt-out instructions. This is a foundational transparency obligation — there is no AI-specific analog in the taxonomy.
Statutory Text
(1) Duty of transparency. (a) A controller shall provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes: (I) The categories of personal data collected or processed by the controller or a processor; (II) The purposes for which the categories of personal data are processed; (III) How and where consumers may exercise the rights pursuant to section 6-1-1306, including the controller's contact information and how a consumer may appeal a controller's action with regard to the consumer's request; (IV) The categories of personal data that the controller shares with third parties, if any; and (V) The categories of third parties, if any, with whom the controller shares personal data. (b) If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose the sale or processing, as well as the manner in which a consumer may exercise the right to opt out of the sale or processing.
Other · Deployer · Automated Decisionmaking
C.R.S. § 6-1-1308(1)(c)-(d)
Plain Language
Controllers cannot punish consumers for exercising their data rights — they may not require new account creation, raise prices, or reduce service availability solely because a consumer opted out or exercised other rights. However, controllers may offer differentiated pricing or service tiers tied to voluntary participation in bona fide loyalty or rewards programs, and are not required to provide services that depend on data they no longer collect.
Statutory Text
(c) A controller shall not: (I) Require a consumer to create a new account in order to exercise a right; or (II) Based solely on the exercise of a right and unrelated to feasibility or the value of a service, increase the cost of, or decrease the availability of, the product or service. (d) Nothing in this part 13 shall be construed to require a controller to provide a product or service that requires the personal data of a consumer that the controller does not collect or maintain or to prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offer is related to a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discount, or club card program.
Other · Deployer · Automated Decisionmaking
C.R.S. § 6-1-1306(2)-(3)
Plain Language
Controllers must respond to consumer data rights requests within 45 days (extendable by 45 more days with notice), provide the first response free of charge, and explain reasons for any denial with appeal instructions. Controllers must maintain an internal appeal process that is equally accessible and easy to use. Appeals must be resolved within 45 days (extendable by 60 more), with written explanations. Consumers must be informed of their ability to contact the Attorney General if dissatisfied with an appeal outcome. Authentication failures excuse compliance, but controllers must request additional information before declining.
Statutory Text
(2) Responding to consumer requests. (a) A controller shall inform a consumer of any action taken on a request under subsection (1) of this section without undue delay and, in any event, within forty-five days after receipt of the request. The controller may extend the forty-five-day period by forty-five additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller shall inform the consumer of an extension within forty-five days after receipt of the request, together with the reasons for the delay. (b) If a controller does not take action on the request of a consumer, the controller shall inform the consumer, without undue delay and, at the latest, within forty-five days after receipt of the request, of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subsection (3) of this section. (c) Upon request, a controller shall provide to the consumer the information specified in this section free of charge; except that, for a second or subsequent request within a twelve-month period, the controller may charge an amount calculated in the manner specified in section 24-72-205 (5)(a). (d) A controller is not required to comply with a request to exercise any of the rights under subsection (1) of this section if the controller is unable to authenticate the request using commercially reasonable efforts, in which case the controller may request the provision of additional information reasonably necessary to authenticate the request. (3) (a) A controller shall establish an internal process whereby consumers may appeal a refusal to take action on a request to exercise any of the rights under subsection (1) of this section within a reasonable period after the consumer's receipt of the notice sent by the controller under subsection (2)(b) of this section. 
The appeal process must be conspicuously available and as easy to use as the process for submitting a request under this section. (b) Within forty-five days after receipt of an appeal, a controller shall inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support of the response. The controller may extend the forty-five-day period by sixty additional days where reasonably necessary, taking into account the complexity and number of requests serving as the basis for the appeal. The controller shall inform the consumer of an extension within forty-five days after receipt of the appeal, together with the reasons for the delay. (c) The controller shall inform the consumer of the consumer's ability to contact the attorney general if the consumer has concerns about the result of the appeal.
Other · Deployer · Automated Decisionmaking
C.R.S. § 6-1-1308(2)
Plain Language
Controllers must clearly specify the purposes for which they collect and process personal data. This is a foundational purpose limitation obligation that constrains both data collection (via the data minimization duty) and secondary use (via the secondary use prohibition). The specification must be express, not implied.
Statutory Text
(2) Duty of purpose specification. A controller shall specify the express purposes for which personal data are collected and processed.
Other · Deployer · Automated Decisionmaking
C.R.S. § 6-1-1308(5)
Plain Language
Controllers must implement reasonable security measures to protect personal data from unauthorized acquisition, both during storage and active use. The security measures must be proportionate to the volume, scope, and nature of the data processed and the nature of the business. This is a general data security obligation, not limited to AI systems.
Statutory Text
(5) Duty of care. A controller shall take reasonable measures to secure personal data during both storage and use from unauthorized acquisition. The data security practices must be appropriate to the volume, scope, and nature of the personal data processed and the nature of the business.
H-02 Non-Discrimination & Bias Assessment · H-02.3 · Deployer · Automated Decisionmaking
C.R.S. § 6-1-1309(1)-(6)
Plain Language
Controllers must conduct and document a data protection assessment before engaging in any processing activity that poses heightened risk to consumers — specifically: targeted advertising, profiling that risks disparate impact or substantial injury, selling personal data, or processing sensitive data. Each assessment must weigh the benefits of the processing against risks to consumers, factoring in safeguards, de-identification, consumer expectations, and the controller-consumer relationship. Assessments must be made available to the AG upon request but are confidential and exempt from open records laws; disclosure to the AG does not waive privilege. A single assessment may cover comparable processing operations. The requirement applies only to processing activities created after July 1, 2023.
Statutory Text
(1) A controller shall not conduct processing that presents a heightened risk of harm to a consumer without conducting and documenting a data protection assessment of each of its processing activities that involve personal data acquired on or after the effective date of this section that present a heightened risk of harm to a consumer. (2) For purposes of this section, "processing that presents a heightened risk of harm to a consumer" includes the following: (a) Processing personal data for purposes of targeted advertising or for profiling if the profiling presents a reasonably foreseeable risk of: (I) Unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (II) Financial or physical injury to consumers; (III) A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers if the intrusion would be offensive to a reasonable person; or (IV) Other substantial injury to consumers; (b) Selling personal data; and (c) Processing sensitive data. (3) Data protection assessments must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks. The controller shall factor into this assessment the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed. (4) A controller shall make the data protection assessment available to the attorney general upon request. The attorney general may evaluate the data protection assessment for compliance with the duties contained in section 6-1-1308 and with other laws, including this article 1. 
Data protection assessments are confidential and exempt from public inspection and copying under the "Colorado Open Records Act", part 2 of article 72 of title 24. The disclosure of a data protection assessment pursuant to a request from the attorney general under this subsection (4) does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information contained in the assessment. (5) A single data protection assessment may address a comparable set of processing operations that include similar activities. (6) Data protection assessment requirements apply to processing activities created or generated after July 1, 2023, and are not retroactive.
Other · Deployer · Automated Decisionmaking
C.R.S. § 6-1-1305(2)-(8)
Plain Language
Processors must follow controller instructions and assist with consumer rights requests, data security, breach notification, and data protection assessments. Every processor relationship must be governed by a binding contract specifying processing instructions, data types, duration, and mandatory terms including: confidentiality duties for all personnel, subcontractor controls (with controller objection rights), data deletion/return at service end, compliance demonstration obligations, and audit rights. Controllers and processors must implement appropriate security measures with clear responsibility allocation. Processors may satisfy audit requirements through independent third-party audits at least annually using accepted control standards.
Statutory Text
(2) Processors shall adhere to the instructions of the controller and assist the controller to meet its obligations under this part 13. Taking into account the nature of processing and the information available to the processor, the processor shall assist the controller by: (a) Taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to section 6-1-1306; (b) Helping to meet the controller's obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to section 6-1-716; and (c) Providing information to the controller necessary to enable the controller to conduct and document any data protection assessments required by section 6-1-1309. The controller and processor are each responsible for only the measures allocated to them. (3) Notwithstanding the instructions of the controller, a processor shall: (a) Ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and (b) Engage a subcontractor only after providing the controller with an opportunity to object and pursuant to a written contract in accordance with subsection (5) of this section that requires the subcontractor to meet the obligations of the processor with respect to the personal data. (4) Taking into account the context of processing, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures. 
(5) Processing by a processor must be governed by a contract between the controller and the processor that is binding on both parties and that sets out: (a) The processing instructions to which the processor is bound, including the nature and purpose of the processing; (b) The type of personal data subject to the processing, and the duration of the processing; (c) The requirements imposed by this subsection (5) and subsections (3) and (4) of this section; and (d) The following requirements: (I) At the choice of the controller, the processor shall delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (II) (A) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations in this part 13; and (B) The processor shall allow for, and contribute to, reasonable audits and inspections by the controller or the controller's designated auditor. Alternatively, the processor may, with the controller's consent, arrange for a qualified and independent auditor to conduct, at least annually and at the processor's expense, an audit of the processor's policies and technical and organizational measures in support of the obligations under this part 13 using an appropriate and accepted control standard or framework and audit procedure for the audits as applicable. The processor shall provide a report of the audit to the controller upon request.
H-02 Non-Discrimination & Bias Assessment · Deployer · Automated Decisionmaking
C.R.S. § 6-1-1308(6)
Plain Language
Controllers must ensure their personal data processing does not violate existing state or federal anti-discrimination laws. This is a pass-through obligation — it does not create a new anti-discrimination standard but confirms that CPA-covered controllers remain subject to all existing discrimination prohibitions when processing personal data.
Statutory Text
(6) Duty to avoid unlawful discrimination. A controller shall not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.
R-02 Regulatory Disclosure & Submissions · R-02.2 · Deployer · Automated Decisionmaking
C.R.S. § 6-1-1309(4)
Plain Language
Controllers must produce their data protection assessments to the Attorney General upon request. The AG may evaluate them for compliance with controller duties and other applicable laws. Assessments are confidential and exempt from open records requests. Disclosure to the AG does not waive attorney-client privilege or work-product protection. This is a regulatory submission obligation separate from the duty to conduct the assessment itself.
Statutory Text
(4) A controller shall make the data protection assessment available to the attorney general upon request. The attorney general may evaluate the data protection assessment for compliance with the duties contained in section 6-1-1308 and with other laws, including this article 1. Data protection assessments are confidential and exempt from public inspection and copying under the "Colorado Open Records Act", part 2 of article 72 of title 24. The disclosure of a data protection assessment pursuant to a request from the attorney general under this subsection (4) does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information contained in the assessment.
Other · Automated Decisionmaking
C.R.S. § 6-1-1310(1) and § 6-1-1311(1)(a)-(d)
Plain Language
No private right of action exists under the CPA. The AG and district attorneys are the exclusive enforcers, treating violations as deceptive trade practices. Prior to January 1, 2025, a 60-day cure notice was required before enforcement action could be brought (if a cure was deemed possible). After January 1, 2025, the cure period is repealed. This provision creates no new compliance obligation — it defines the enforcement mechanism.
Statutory Text
6-1-1310. Liability. (1) Notwithstanding any provision in part 1 of this article 1, this part 13 does not authorize a private right of action for a violation of this part 13 or any other provision of law. This subsection (1) neither relieves any party from any duties or obligations imposed, nor alters any independent rights that consumers have, under other laws, including this article 1, the state constitution, or the United States constitution. 6-1-1311. Enforcement - penalties - repeal. (1) (a) Notwithstanding any other provision of this article 1, the attorney general and district attorneys have exclusive authority to enforce this part 13 by bringing an action in the name of the state or as parens patriae on behalf of persons residing in the state to enforce this part 13 as provided in this article 1, including seeking an injunction to enjoin a violation of this part 13. (b) Notwithstanding any other provision of this article 1, nothing in this part 13 shall be construed as providing the basis for, or being subject to, a private right of action for violations of this part 13 or any other law. (c) For purposes only of enforcement of this part 13 by the attorney general or a district attorney, a violation of this part 13 is a deceptive trade practice. (d) Prior to any enforcement action pursuant to subsection (1)(a) of this section, the attorney general or district attorney must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation within sixty days after receipt of the notice of violation, an action may be brought pursuant to this section. This subsection (1)(d) is repealed, effective January 1, 2025.