Code of Colorado Regulations
900 - Department of Law
904 - Attorney General-Consumer Protection Section
4 CCR 904-3 - Colorado Privacy Act Rules
Part 7 - CONSENT
Section 4 CCR 904-3-7.03 - REQUIREMENTS FOR VALID CONSENT
Universal Citation: 900 CO Code Regs 4 CCR 904-3-7.03
Current through Register Vol. 47, No. 17, September 10, 2024
A. To be valid, a Consent must meet each of the following elements:
(1) it must be obtained through the Consumer's clear, affirmative action;
(2) it must be freely given by the Consumer;
(3) it must be specific;
(4) it must be informed; and
(5) it must reflect the Consumer's unambiguous agreement.
B. Consent must be obtained through the Consumer's clear, affirmative action. For purposes of obtaining valid Consent:
1. A "clear, affirmative action" means a Consumer's Consent is communicated through either (a) deliberate and clear conduct, or (b) a statement that clearly indicates their acceptance of the proposed Processing of their Personal Data.
2. A blanketed acceptance of general terms and conditions, silence, inactivity or inaction, pre-ticked boxes, and other negative option opt-out constructions that require intervention from the Consumer to prevent agreement are not clear affirmative actions for the purposes of valid Consent.
C. Consent must be freely given. For purposes of obtaining valid Consent:
1. Consent is freely given when Consumers may refuse Consent without detriment and withdraw Consent easily at any time.
2. Consent is not freely given when:
a. It reflects acceptance of a general or broad terms of use or similar document that contains descriptions of Personal Data Processing along with other, unrelated information;
b. The performance of a contract is dependent on Consent to Process Personal Data that is not necessary to provide the goods or services contemplated by the contract; or
c. The Controller denies goods, services, discounts, or promotions to a Consumer who chooses not to provide Consent, unless:
i. The Personal Data is necessary to the provision of those goods, services, discounts, or promotions, consistent with 4 CCR 904-3, Rule 6.05; or
ii. The Consent is otherwise required in connection with a Consumer's voluntary participation in a Bona Fide Loyalty Program, consistent with the requirements in 4 CCR 904-3, Rule 6.05.
3. Example: An online dating application's terms and conditions tells users that the application will disclose collected Personal Data, including Sensitive Data revealing sexual orientation, with similar applications for advertising purposes. Consent is required for the disclosure of Sensitive Data with similar applications for advertising purposes. Since users cannot accept the required terms and conditions without the opportunity to separately provide or withhold Consent for sharing with similar applications, the Consent is not freely given.
D. Consent must be specific.
1. When Controllers request Consent to Process Personal Data for more than one Processing purpose, and those Processing purposes are not reasonably necessary to or compatible with one another, Consumers must have the ability to separately Consent to each specific purpose.
a. Controllers may request Consent to Process Personal Data for multiple Processing purposes that are not reasonably necessary to or compatible with one another using a single Consent request as long as there is also an option for more granular Consent within the same Consent interface.
2. Consent to Process Personal Data for one specific purpose does not constitute valid Consent to Process Personal Data for other purposes that are not reasonably necessary to or compatible with that specific purpose.
3. The Sale of Sensitive Data to one specific party is not necessary to or compatible with the Sale of Sensitive Data to a different party.
a. Example: A cosmetic retailer asks a customer for Consent to use Sensitive Data revealing the customer's racial origin in order to provide first-party targeted offers to the customer and to Sell the customer's racial origin information to Data Brokers. This Consent is not specific as there is no opportunity to provide separate Consent for the two separate Processing purposes. Therefore, Consent in this example would not be valid.
b. Example: In the example above, the Controller requests Consent only to Sell Sensitive Data revealing the customer's racial origin with commercial partners. The Controller lists "Fashion Co. #1" and "Make Up Co. #1" as commercial partners who will receive Sensitive Data. Consent would be deemed valid for only these two Third Parties because their identity was provided to the Consumer at the time that his or her Consent was collected. Consent would not be deemed valid for Selling with another Third Party whose identity has not been provided.
E. Consent must be informed.
1. When requesting Consent, a Controller must provide the following information, at a minimum:
a. The Controller's identity;
b. The plain-language reason that Consent is required;
c. The Processing purpose(s) for which Consent is sought;
d. The categories of Personal Data that the Controller shall Process to effectuate the Processing purpose(s);
e. Names of all Third Parties receiving the Sensitive Data through Sale, if applicable;
f. A description of the Consumer's right to withdraw Consent for the identified Processing purpose at any time in accordance with 4 CCR 904-3, Rule 7.07 and details of how and where to do so; and
g. Any disclosures required by 4 CCR 904-3, Rules 6.05 and 9.05.
F. Consent may not be obtained using Dark Patterns as defined in C.R.S. § 6-1-1309(9) and prohibited by 4 CCR 904-3, Rule 7.09. Pursuant to C.R.S. § 6-1-1303(5)(c) and 4 CCR 904-3, Rule 7.09, any agreement obtained through Dark Patterns is not valid Consent.