As used in this part 13, unless the context otherwise
requires:
(1) Adult means an individual who is eighteen years of age or older.
(1.5) (a) Affiliate means a legal entity that controls, is controlled by, or is
under common control with another legal entity.
(b) As used in subsection (1.5)(a) of this section, control means:
(I) Ownership of, control of, or power to vote twenty-five percent or more of
the outstanding shares of any class of voting security of the entity, directly or
indirectly, or acting through one or more other persons;
(II) Control in any manner over the election of a majority of the directors,
trustees, or general partners of the entity or of individuals exercising similar
functions; or
(III) The power to exercise, directly or indirectly, a controlling influence over
the management or policies of the entity as determined by the applicable
prudential regulator, as that term is defined in 12 U.S.C. sec. 5481 (24), if any.
(2) Authenticate means to use reasonable means to determine that a
request to exercise any of the rights in section 6-1-1306 (1) is being made by or on
behalf of the consumer who is entitled to exercise the rights.
(2.2) Biological data means data generated by the technological
processing, measurement, or analysis of an individual's biological, genetic,
biochemical, physiological, or neural properties, compositions, or activities or of an
individual's body or bodily functions, which data is used or intended to be used,
singly or in combination with other personal data, for identification purposes.
Biological data includes neural data.
(2.4) (a) Biometric data means one or more biometric identifiers that are
used or intended to be used, singly or in combination with each other or with other
personal data, for identification purposes.
(b) Biometric data does not include the following unless the biometric data
is used for identification purposes:
(I) A digital or physical photograph;
(II) An audio or voice recording; or
(III) Any data generated from a digital or physical photograph or an audio or
video recording.
(2.5) Biometric identifier means data generated by the technological
processing, measurement, or analysis of a consumer's biological, physical, or
behavioral characteristics, which data can be processed for the purpose of uniquely
identifying an individual. Biometric identifier includes:
(a) A fingerprint;
(b) A voiceprint;
(c) A scan or record of an eye retina or iris;
(d) A facial map, facial geometry, or facial template; or
(e) Other unique biological, physical, or behavioral patterns or
characteristics.
(3) Business associate has the meaning established in 45 CFR 160.103.
(4) Child means an individual under thirteen years of age.
(5) Consent means a clear, affirmative act signifying a consumer's freely
given, specific, informed, and unambiguous agreement, such as by a written
statement, including by electronic means, or other clear, affirmative action by
which the consumer signifies agreement to the processing of personal data. The
following does not constitute consent:
(a) Acceptance of a general or broad terms of use or similar document that
contains descriptions of personal data processing along with other, unrelated
information;
(b) Hovering over, muting, pausing, or closing a given piece of content; and
(c) Agreement obtained through dark patterns.
(6) Consumer:
(a) Means an individual who is a Colorado resident acting only in an individual
or household context; and
(b) Does not include an individual acting in a commercial or employment
context, as a job applicant, or as a beneficiary of someone acting in an employment
context.
(7) Controller means a person that, alone or jointly with others, determines
the purposes for and means of processing personal data.
(8) Covered entity has the meaning established in 45 CFR 160.103.
(9) Dark pattern means a user interface designed or manipulated with the
substantial effect of subverting or impairing user autonomy, decision-making, or
choice.
(10) Decisions that produce legal or similarly significant effects concerning
a consumer means a decision that results in the provision or denial of financial or
lending services, housing, insurance, education enrollment or opportunity, criminal
justice, employment opportunities, health-care services, or access to essential
goods or services.
(11) De-identified data means data that cannot reasonably be used to infer
information about, or otherwise be linked to, an identified or identifiable individual,
or a device linked to such an individual, if the controller that possesses the data:
(a) Takes reasonable measures to ensure that the data cannot be associated
with an individual;
(b) Publicly commits to maintain and use the data only in a de-identified
fashion and not attempt to re-identify the data; and
(c) Contractually obligates any recipients of the information to comply with
the requirements of this subsection (11).
(12) Health-care facility means any entity that is licensed, certified, or
otherwise authorized or permitted by law to administer medical treatment in this
state.
(13) Health-care information means individually identifiable information
relating to the past, present, or future health status of an individual.
(14) Health-care provider means a person licensed, certified, or registered
in this state to practice medicine, pharmacy, chiropractic, nursing, physical therapy,
podiatry, dentistry, optometry, occupational therapy, or other healing arts under
title 12.
(14.5) Heightened risk of harm to minors means processing the personal
data of minors in a manner that presents a reasonably foreseeable risk that could
cause:
(a) Unfair or deceptive treatment of, or unlawful disparate impact on, minors;
(b) Financial, physical, or reputational injury to minors;
(c) Unauthorized disclosure of the personal data of minors as a result of a
security breach, as defined in section 6-1-716 (1)(h); or
(d) Physical or other intrusion upon the solitude or seclusion, or the private
affairs or concerns, of minors if the intrusion would be offensive to a reasonable
person.
(15) HIPAA means the federal Health Insurance Portability and
Accountability Act of 1996, as amended, 42 U.S.C. secs. 1320d to 1320d-9.
(16) Identified or identifiable individual means an individual who can be
readily identified, directly or indirectly, in particular by reference to an identifier
such as a name, an identification number, specific geolocation data, or an online
identifier.
(16.5) Minor means any consumer who is under eighteen years of age.
(16.7) Neural data means information that is generated by the
measurement of the activity of an individual's central or peripheral nervous systems
and that can be processed by or with the assistance of a device.
(16.8) Online service, product, or feature:
(a) Means any service, product, or feature that is provided online; and
(b) Does not include:
(I) Telecommunications service, as defined in 47 U.S.C. sec. 153 (53), as
amended;
(II) Broadband internet access service, as defined in 47 CFR 54.400 (l), as
amended; or
(III) The delivery or use of a physical product.
(17) Personal data:
(a) Means information that is linked or reasonably linkable to an identified or
identifiable individual; and
(b) Does not include de-identified data or publicly available information. As
used in this subsection (17)(b), publicly available information means information
that is lawfully made available from federal, state, or local government records and
information that a controller has a reasonable basis to believe the consumer has
lawfully made available to the general public.
(17.4) (a) Precise geolocation data means information derived from
technology that accurately identifies the present or past location of a device that
links or is linkable to an individual within a radius of one thousand eight hundred
fifty feet.
(b) Precise geolocation data includes:
(I) Global positioning system (GPS) coordinates within a radius of one
thousand eight hundred fifty feet; or
(II) Any data derived from a device and that is used or intended to be used to
locate a consumer within a geographic area within a radius of one thousand eight
hundred fifty feet.
(c) Precise geolocation data does not include the content of
communications or any data generated by or connected to advanced utility metering
infrastructure systems or equipment for use by a utility.
(17.5) Repealed.
(18) Process or processing means the collection, use, sale, storage,
disclosure, analysis, deletion, or modification of personal data and includes the
actions of a controller directing a processor to process personal data.
(19) Processor means a person that processes personal data on behalf of a
controller.
(20) Profiling means any form of automated processing of personal data to
evaluate, analyze, or predict personal aspects concerning an identified or
identifiable individual's economic situation, health, personal preferences, interests,
reliability, behavior, location, or movements.
(21) Protected health information has the meaning established in 45 CFR
160.103.
(22) Pseudonymous data means personal data that can no longer be
attributed to a specific individual without the use of additional information if the
additional information is kept separately and is subject to technical and
organizational measures to ensure that the personal data are not attributed to a
specific individual.
(23) (a) Sale, sell, or sold means the exchange of personal data for
monetary or other valuable consideration by a controller to a third party.
(b) Sale, sell, or sold does not include the following:
(I) The disclosure of personal data to a processor that processes the
personal data on behalf of a controller;
(II) The disclosure of personal data to a third party for purposes of providing
a product or service requested by the consumer;
(III) The disclosure or transfer of personal data to an affiliate of the
controller;
(IV) The disclosure or transfer to a third party of personal data as an asset
that is part of a proposed or actual merger, acquisition, bankruptcy, or other
transaction in which the third party assumes control of all or part of the controller's
assets; or
(V) The disclosure of personal data:
(A) That a consumer directs the controller to disclose or intentionally
discloses by using the controller to interact with a third party; or
(B) Intentionally made available by a consumer to the general public via a
channel of mass media.
(24) Sensitive data means:
(a) Personal data revealing racial or ethnic origin, religious beliefs, a mental
or physical health condition or diagnosis, sex life or sexual orientation, or
citizenship or citizenship status;
(b) Genetic or biometric data that may be processed for the purpose of
uniquely identifying an individual;
(c) Personal data from a known child;
(d) Biological data; or
(e) Precise geolocation data.
(25) Targeted advertising:
(a) Means displaying to a consumer an advertisement that is selected based
on personal data obtained or inferred over time from the consumer's activities
across nonaffiliated websites, applications, or online services to predict consumer
preferences or interests; and
(b) Does not include:
(I) Advertising to a consumer in response to the consumer's request for
information or feedback;
(II) Advertisements based on activities within a controller's own websites or
online applications;
(III) Advertisements based on the context of a consumer's current search
query, visit to a website, or online application; or
(IV) Processing personal data solely for measuring or reporting advertising
performance, reach, or frequency.
(26) Third party means a person, public authority, agency, or body other
than a consumer, controller, processor, or affiliate of the processor or the
controller.