Code of Colorado Regulations
900 - Department of Law
904 - Attorney General-Consumer Protection Section
4 CCR 904-3 - Colorado Privacy Act Rules
Part 5 - UNIVERSAL OPT-OUT MECHANISM
Section 4 CCR 904-3-5.08 - OBLIGATIONS ON CONTROLLERS

Universal Citation: 900 CO Code Regs 4 CCR 904-3-5.08

Current through Register Vol. 47, No. 17, September 10, 2024

A. Effective July 1, 2024,

1. A Controller that receives an opt-out request through a Universal Opt-Out Mechanism shall treat such as a valid request to opt out of the Processing of Personal Data for purposes of Targeted Advertising, Sale of Personal Data, or both purposes, as indicated by the mechanism, for the associated browser or device, and, if known, for the Consumer.

2. After receiving a valid opt-out request through the use of a Universal Opt-Out Mechanism, a Controller shall continue to treat the browser, device, and Consumer as having exercised opt-out rights until the Consumer Consents to the Sale of Personal Data or Processing of Personal Data for Targeted Advertising, as specified in 4 CCR 904-3, Rule 5.09.

3. A Controller shall be capable of recognizing any Universal Opt-Out Mechanism reflected in the public list maintained by the Colorado Department of Law pursuant to subsection 4 CCR 904-3, Rule 5.07 provided the Controller has had at least six months' notice of the addition of new mechanisms. For example, in the case of a recognized Universal Opt-Out Mechanism sent as a signal, the Controller must listen for the signal.

B. A Controller may also recognize Universal Opt-Out Mechanisms that are not reflected in the public list maintained by the Colorado Department of Law pursuant to subsection 4 CCR 904-3, Rule 5.07.

C. Notwithstanding 4 CCR 904-3, Rule 5.08 , a Controller may choose to honor an opt-out request received through a Universal Opt-Out Mechanism prior to July 1, 2024, pursuant to C.R.S. § 6-1-1306(a)(IV)(A).

D. Unless a Controller is Authenticating a Consumer as permitted by C.R.S. § 6-1-1313(2)(f), a Controller may not require a Consumer to login or otherwise Authenticate themself as a condition of recognizing the Consumer's use of a Universal Opt-Out Mechanism. A Controller may not subject a Consumer to undertake any authentication actions that are unnecessary or unnecessarily burdensome.

E. A Controller may display in a conspicuous manner if it has Processed the Consumer's opt-out preference signal. For example, the Controller may display on its website "Opt-Out Preference Signal Honored" when a browser, device, or Consumer utilizing a Universal Opt-Out Mechanism visits the website.

F. Pursuant to C.R.S. § 6-1-1313(2)(f), a Controller may authenticate that the user sending an opt-out request through a Universal Opt-Out Mechanism is a Resident of Colorado, but they are not obligated to do so.

Disclaimer: These regulations may not be the most recent version. Colorado may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.