Code of Colorado Regulations
900 - Department of Law
904 - Attorney General-Consumer Protection Section
4 CCR 904-3 - Colorado Privacy Act Rules
Part 4 - CONSUMER PERSONAL DATA RIGHTS
Section 4 CCR 904-3-4.08 - AUTHENTICATION
Current through Register Vol. 47, No. 17, September 10, 2024
A. Pursuant to C.R.S. § 6-1-1306(1), a Controller shall use a commercially reasonable method for authenticating the identity of every Consumer submitting any Data Right request, and the authority of every Authorized Agent submitting an opt-out request on behalf of a Consumer pursuant to C.R.S. § 6-1-1306(1)(a)(II).
B. When possible, a Controller shall avoid requesting additional Personal Data to Authenticate a Consumer unless the Controller cannot Authenticate the Consumer using the Personal Data already maintained by the Controller.
C. Personal Data obtained to Authenticate a Consumer may only be used to Authenticate the Consumer submitting the Data Right request, pursuant to C.R.S. § 6-1-1306(1), or to Authenticate an Authorized Agent's authority, pursuant to C.R.S. § 6-1-1306(1)(a)(II), and must be deleted as soon as practical after Processing the Consumer's request, except as required by 4 CCR 904-3, Rule 6.11, or as otherwise required.
D. A Controller shall implement reasonable security measures, consistent with 4 CCR 904-3, Rule 6.09, to protect Personal Data exchanged to Authenticate a Consumer or to Authenticate an Authorized Agent's authority, considering the type, value, sensitivity, and volume of information exchanged and the level of possible harm improper access or use could cause to the Consumer submitting a Data Right request.
E. A Controller shall not require the Consumer or Authorized Agent to pay a fee for authentication. For example, a Controller may not require a Consumer to provide a notarized affidavit for authentication unless the Controller compensates the Consumer for the cost of notarization.
F. If a Controller cannot Authenticate the Consumer submitting a Data Right request using commercially reasonable efforts, the Controller is not required to comply with the Consumer's request. The Controller shall inform the Consumer that their identity could not be authenticated, provide information on how to remedy any deficiencies, and may request additional Personal Data if reasonably necessary to Authenticate the Consumer.