4 Colo. Code Regs. § 904-3-4.04

Current through Register Vol. 47, No. 20, October 25, 2024
Section 4 CCR 904-3-4.04 - RIGHT OF ACCESS
A. A Controller shall comply with an access request by providing the Consumer all the specific pieces of Personal Data it has collected and maintains about the Consumer that are the subject of the request, including without limitation, any Personal Data that the Controller's Processors obtained from the Controller in providing services to the Controller.
1. Specific pieces of Personal Data include final Profiling decisions, inferences, derivative data, marketing profiles, and other Personal Data created by the Controller which is linked or reasonably linkable to an identified or identifiable individual.
B. Personal Data provided in response to an access request must:
1. Be provided in in a form that is concise, transparent and easily intelligible and in an appropriate, commonly used electronic format, depending on the nature of the data;
2. Be available in the language in which the Consumer interacts with the Controller.
3. Avoid incomprehensible internal codes and, if necessary, include explanations that would allow the average Consumer to make an informed decision of whether to exercise deletion, correction, or opt-out rights.
4. Be provided in compliance with the requirements for disclosures, notifications, and other communications, as described in 4 CCR 904-3, Rule 3.02, as applicable.
C. The Controller shall implement and maintain reasonable data security measures, consistent with 4 CCR 904-3, Rule 6.09 , in Processing any documentation relating to a Consumer's access request.
D. A Controller shall not be required to disclose in response to an access request a Consumer's government-issued identification number, financial account number, health insurance or medical identification number, an account password, security questions and answers, Biometric Data, or Biometric Identifiers. The Controller shall, however, inform the Consumer with sufficient particularity that it has collected that type of information. For example, a Controller shall respond that it collects "unique Biometric Data including a fingerprint scan" without disclosing the actual fingerprint scan data.
E. If a Consumer exercises the right to access their Personal Data in a portable format pursuant to C.R.S. § 6-1-1306(1)(e) and the Controller determines the manner of response would reveal the Controller's trade secrets, the Controller must still honor the Consumer's undiminished right of access in a format or manner which would not reveal trade secrets, such as in a nonportable format.

4 CCR 904-3-4.04

46 CR 06, March 25, 2023, effective 7/1/2023