Code of Colorado Regulations
900 - Department of Law
904 - Attorney General-Consumer Protection Section
4 CCR 904-3 - Colorado Privacy Act Rules
Part 6 - DUTIES OF CONTROLLERS
Section 4 CCR 904-3-6.11 - DOCUMENTATION CONCERNING DUTIES OF CONTROLLERS

Current through Register Vol. 47, No. 17, September 10, 2024

A. Controllers shall maintain records of all Consumer Data Rights requests made pursuant to C.R.S. § 6-1-1306 for at least twenty-four (24) months. Such records shall include, at a minimum, each of the following:

1. The date of request;

2. The Consumer Data Rights request type;

3. The date of the Controller's response;

4. The nature of the Controller's response;

5. The basis for the denial of the request if the request is denied in whole or in part; and

6. The existence and resolution of any Consumer appeal to a denied request.

B. Controllers shall maintain a record of all Data Rights requests made pursuant to C.R.S. § 6-1-1306 with which the Controller has previously complied. Such records shall be retained for at least twenty-four (24) months and shall be made available at the completion of a merger, acquisition, bankruptcy, or other transaction in which a Third Party assumes control of Personal Data to ensure any new Controller continues to recognize the Consumer's previously exercised Data Rights.

C. Controllers shall maintain documents sufficient to demonstrate compliance with 4 CCR 904-3, Rules 6.07, 6.08, and 7.06 for as long as the Processing activity continues, and for at least twenty-four (24) months after the conclusion of Processing activity.

D. Required records shall be maintained in a readable format, appropriate to the sophistication and size of the Controller's business.

E. The Controller shall implement and maintain reasonable security procedures and practices, consistent with 4 CCR 904-3, Rule 6.09, in maintaining all required records.

F. Personal Data maintained pursuant to this 4 CCR 904-3, Rule 6.11, where that information is not used for any other purpose, shall not be subject to Data Rights requests.

G. Personal Data maintained for required documentation shall not be used for any other purpose except as reasonably necessary for the business to review and modify its processes for compliance with the Colorado Privacy Act, C.R.S. § 6-1-1301, et seq., and these rules. Personal Data maintained for required documentation shall not be shared with any Third Party except as necessary to comply with a legal obligation or as part of a merger, acquisition, bankruptcy, or other transaction in which a Third Party assumes control of Personal Data.

H. Other than as required by this subsection and 4 CCR 904-3, Rule 4.06, a Controller is not required to retain Personal Data solely for the purpose of fulfilling a Data Rights request made under the Colorado Privacy Act, C.R.S. § 6-1-1301, et seq.
