(1) Consumers may exercise the
following rights by submitting a request using the methods specified by the
controller in the privacy notice required under section 6-1-1308 (1)(a). The method
must take into account the ways in which consumers normally interact with the
controller, the need for secure and reliable communication relating to the request,
and the ability of the controller to authenticate the identity of the consumer making
the request. Controllers shall not require a consumer to create a new account in
order to exercise consumer rights pursuant to this section but may require a
consumer to use an existing account. A consumer may submit a request at any time
to a controller specifying which of the following rights the consumer wishes to
exercise:
(a) Right to opt out. (I) A consumer has the right to opt out of the processing
of personal data concerning the consumer for purposes of:
(A) Targeted advertising;
(B) The sale of personal data; or
(C) Profiling in furtherance of decisions that produce legal or similarly
significant effects concerning a consumer.
(II) A consumer may authorize another person, acting on the consumer's
behalf, to opt out of the processing of the consumer's personal data for one or more
of the purposes specified in subsection (1)(a)(I) of this section, including through a
technology indicating the consumer's intent to opt out such as a web link indicating
a preference or browser setting, browser extension, or global device setting. A
controller shall comply with an opt-out request received from a person authorized
by the consumer to act on the consumer's behalf if the controller is able to
authenticate, with commercially reasonable effort, the identity of the consumer and
the authorized agent's authority to act on the consumer's behalf.
(III) A controller that processes personal data for purposes of targeted
advertising or the sale of personal data shall provide a clear and conspicuous
method to exercise the right to opt out of the processing of personal data
concerning the consumer pursuant to subsection (1)(a)(I) of this section. The
controller shall provide the opt-out method clearly and conspicuously in any privacy
notice required to be provided to consumers under this part 13, and in a clear,
conspicuous, and readily accessible location outside the privacy notice.
(IV) (A) Repealed.
(B) Effective July 1, 2024, a controller that processes personal data for
purposes of targeted advertising or the sale of personal data shall allow consumers
to exercise the right to opt out of the processing of personal data concerning the
consumer for purposes of targeted advertising or the sale of personal data
pursuant to subsections (1)(a)(I)(A) and (1)(a)(I)(B) of this section by controllers
through a user-selected universal opt-out mechanism that meets the technical
specifications established by the attorney general pursuant to section 6-1-1313.
(C) Notwithstanding a consumer's decision to exercise the right to opt out of
the processing of personal data through a universal opt-out mechanism pursuant to
subsection (1)(a)(IV)(B) of this section, a controller may enable the consumer to
consent, through a web page, application, or a similar method, to the processing of
the consumer's personal data for purposes of targeted advertising or the sale of
personal data, and the consent takes precedence over any choice reflected through
the universal opt-out mechanism. Before obtaining a consumer's consent to process
personal data for purposes of targeted advertising or the sale of personal data
pursuant to this subsection (1)(a)(IV)(C), a controller shall provide the consumer with
a clear and conspicuous notice informing the consumer about the choices available
under this section, describing the categories of personal data to be processed and
the purposes for which they will be processed, and explaining how and where the
consumer may withdraw consent. The web page, application, or other means by
which a controller obtains a consumer's consent to process personal data for
purposes of targeted advertising or the sale of personal data must also allow the
consumer to revoke the consent as easily as it is affirmatively provided.
(b) Right of access. A consumer has the right to confirm whether a controller
is processing personal data concerning the consumer and to access the consumer's
personal data.
(c) Right to correction. A consumer has the right to correct inaccuracies in
the consumer's personal data, taking into account the nature of the personal data
and the purposes of the processing of the consumer's personal data.
(d) Right to deletion. A consumer has the right to delete personal data
concerning the consumer.
(e) Right to data portability. When exercising the right to access personal
data pursuant to subsection (1)(b) of this section, a consumer has the right to obtain
the personal data in a portable and, to the extent technically feasible, readily
usable format that allows the consumer to transmit the data to another entity
without hindrance. A consumer may exercise this right no more than two times per
calendar year. Nothing in this subsection (1)(e) requires a controller to provide the
data to the consumer in a manner that would disclose the controller's trade secrets.
(2) Responding to consumer requests. (a) A controller shall inform a
consumer of any action taken on a request under subsection (1) of this section
without undue delay and, in any event, within forty-five days after receipt of the
request. The controller may extend the forty-five-day period by forty-five additional
days where reasonably necessary, taking into account the complexity and number
of the requests. The controller shall inform the consumer of an extension within
forty-five days after receipt of the request, together with the reasons for the delay.
(b) If a controller does not take action on the request of a consumer, the
controller shall inform the consumer, without undue delay and, at the latest, within
forty-five days after receipt of the request, of the reasons for not taking action and
instructions for how to appeal the decision with the controller as described in
subsection (3) of this section.
(c) Upon request, a controller shall provide to the consumer the information
specified in this section free of charge; except that, for a second or subsequent
request within a twelve-month period, the controller may charge an amount
calculated in the manner specified in section 24-72-205 (5)(a).
(d) A controller is not required to comply with a request to exercise any of
the rights under subsection (1) of this section if the controller is unable to
authenticate the request using commercially reasonable efforts, in which case the
controller may request the provision of additional information reasonably necessary
to authenticate the request.
(3) (a) A controller shall establish an internal process whereby consumers
may appeal a refusal to take action on a request to exercise any of the rights under
subsection (1) of this section within a reasonable period after the consumer's
receipt of the notice sent by the controller under subsection (2)(b) of this section.
The appeal process must be conspicuously available and as easy to use as the
process for submitting a request under this section.
(b) Within forty-five days after receipt of an appeal, a controller shall inform
the consumer of any action taken or not taken in response to the appeal, along with
a written explanation of the reasons in support of the response. The controller may
extend the forty-five-day period by sixty additional days where reasonably
necessary, taking into account the complexity and number of requests serving as
the basis for the appeal. The controller shall inform the consumer of an extension
within forty-five days after receipt of the appeal, together with the reasons for the
delay.
(c) The controller shall inform the consumer of the consumer's ability to
contact the attorney general if the consumer has concerns about the result of the
appeal.