Definitions

6-1-1303. Definitions. As used in this part 13, unless the context otherwise requires: (1) Adult means an individual who is eighteen years of age or older. (1.5) (a) Affiliate means a legal entity that controls, is controlled by, or is under common control with another legal entity. (b) As used in subsection (1.5)(a) of this section, control means: (I) Ownership of, control of, or power to vote twenty-five percent or more of the outstanding shares of any class of voting security of the entity, directly or indirectly, or acting through one or more other persons; (II) Control in any manner over the election of a majority of the directors, trustees, or general partners of the entity or of individuals exercising similar functions; or (III) The power to exercise, directly or indirectly, a controlling influence over the management or policies of the entity as determined by the applicable prudential regulator, as that term is defined in 12 U.S.C. sec. 5481 (24), if any. (2) Authenticate means to use reasonable means to determine that a request to exercise any of the rights in section 6-1-1306 (1) is being made by or on behalf of the consumer who is entitled to exercise the rights. (2.2) Biological data means data generated by the technological processing, measurement, or analysis of an individual's biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual's body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data, for identification purposes. Biological data includes neural data. (2.4) (a) Biometric data means one or more biometric identifiers that are used or intended to be used, singly or in combination with each other or with other personal data, for identification purposes. (b) Biometric data does not include the following unless the biometric data is used for identification purposes: (I) A digital or physical photograph; (II) An audio or voice recording; or (III) Any data generated from a digital or physical photograph or an audio or video recording. (2.5) Biometric identifier means data generated by the technological processing, measurement, or analysis of a consumer's biological, physical, or behavioral characteristics, which data can be processed for the purpose of uniquely identifying an individual. Biometric identifier includes: (a) A fingerprint; (b) A voiceprint; (c) A scan or record of an eye retina or iris; (d) A facial map, facial geometry, or facial template; or (e) Other unique biological, physical, or behavioral patterns or characteristics. (3) Business associate has the meaning established in 45 CFR 160.103. (4) Child means an individual under thirteen years of age. (5) Consent means a clear, affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data. The following does not constitute consent: (a) Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; (b) Hovering over, muting, pausing, or closing a given piece of content; and (c) Agreement obtained through dark patterns. (6) Consumer: (a) Means an individual who is a Colorado resident acting only in an individual or household context; and (b) Does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context. (7) Controller means a person that, alone or jointly with others, determines the purposes for and means of processing personal data. (8) Covered entity has the meaning established in 45 CFR 160.103. (9) Dark pattern means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice. (10) Decisions that produce legal or similarly significant effects concerning a consumer means a decision that results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services. (11) De-identified data means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such an individual, if the controller that possesses the data: (a) Takes reasonable measures to ensure that the data cannot be associated with an individual; (b) Publicly commits to maintain and use the data only in a de-identified fashion and not attempt to re-identify the data; and (c) Contractually obligates any recipients of the information to comply with the requirements of this subsection (11). (12) Health-care facility means any entity that is licensed, certified, or otherwise authorized or permitted by law to administer medical treatment in this state. (13) Health-care information means individually identifiable information relating to the past, present, or future health status of an individual. (14) Health-care provider means a person licensed, certified, or registered in this state to practice medicine, pharmacy, chiropractic, nursing, physical therapy, podiatry, dentistry, optometry, occupational therapy, or other healing arts under title 12. (14.5) Heightened risk of harm to minors means processing the personal data of minors in a manner that presents a reasonably foreseeable risk that could cause: (a) Unfair or deceptive treatment of, or unlawful disparate impact on, minors; (b) Financial, physical, or reputational injury to minors; (c) Unauthorized disclosure of the personal data of minors as a result of a security breach, as defined in section 6-1-716 (1)(h); or (d) Physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors if the intrusion would be offensive to a reasonable person. (15) HIPAA means the federal Health Insurance Portability and Accountability Act of 1996, as amended, 42 U.S.C. secs. 1320d to 1320d-9. (16) Identified or identifiable individual means an individual who can be readily identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, specific geolocation data, or an online identifier. (16.5) Minor means any consumer who is under eighteen years of age. (16.7) Neural data means information that is generated by the measurement of the activity of an individual's central or peripheral nervous systems and that can be processed by or with the assistance of a device. (16.8) Online service, product, or feature: (a) Means any service, product, or feature that is provided online; and (b) Does not include: (I) Telecommunications service, as defined in 47 U.S.C. sec. 153 (53), as amended; (II) Broadband internet access service, as defined in 47 CFR 54.400 (l), as amended; or (III) The delivery or use of a physical product. (17) Personal data: (a) Means information that is linked or reasonably linkable to an identified or identifiable individual; and (b) Does not include de-identified data or publicly available information. As used in this subsection (17)(b), publicly available information means information that is lawfully made available from federal, state, or local government records and information that a controller has a reasonable basis to believe the consumer has lawfully made available to the general public. (17.4) (a) Precise geolocation data means information derived from technology that accurately identifies the present or past location of a device that links or is linkable to an individual within a radius of one thousand eight hundred fifty feet. (b) Precise geolocation data includes: (I) Global positioning system (GPS) coordinates within a radius of one thousand eight hundred fifty feet; or (II) Any data derived from a device and that is used or intended to be used to locate a consumer within a geographic area within a radius of one thousand eight hundred fifty feet. (c) Precise geolocation data does not include the content of communications or any data generated by or connected to advanced utility meeting infrastructure systems or equipment for use by a utility. (17.5) Repealed. (18) Process or processing means the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data. (19) Processor means a person that processes personal data on behalf of a controller. (20) Profiling means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects concerning an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. (21) Protected health information has the meaning established in 45 CFR 160.103. (22) Pseudonymous data means personal data that can no longer be attributed to a specific individual without the use of additional information if the additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to a specific individual. (23) (a) Sale, sell, or sold means the exchange of personal data for monetary or other valuable consideration by a controller to a third party. (b) Sale, sell, or sold does not include the following: (I) The disclosure of personal data to a processor that processes the personal data on behalf of a controller; (II) The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer; (III) The disclosure or transfer of personal data to an affiliate of the controller; (IV) The disclosure or transfer to a third party of personal data as an asset that is part of a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or (V) The disclosure of personal data: (A) That a consumer directs the controller to disclose or intentionally discloses by using the controller to interact with a third party; or (B) Intentionally made available by a consumer to the general public via a channel of mass media. (24) Sensitive data means: (a) Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status; (b) Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; (c) Personal data from a known child; (d) Biological data; or (e) Precise geolocation data. (25) Targeted advertising: (a) Means displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer's activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests; and (b) Does not include: (I) Advertising to a consumer in response to the consumer's request for information or feedback; (II) Advertisements based on activities within a controller's own websites or online applications; (III) Advertisements based on the context of a consumer's current search query, visit to a website, or online application; or (IV) Processing personal data solely for measuring or reporting advertising performance, reach, or frequency. (26) Third party means a person, public authority, agency, or body other than a consumer, controller, processor, or affiliate of the processor or the controller. Source: L. 2021: Entire part added, (SB 21-190), ch. 483, p. 3446, � 1, effective July 1, 2023. L. 2024: (2.5), (16.7), and (24)(d) added and (24)(b) and (24)(c) amended, (HB 1058), ch. 68, p. 224, � 2, effective August 7; (2.2) and (2.4) added, (HB 24-1130), ch. 313, p. 2107, � 3, effective July 1, 2025; (1) amended and (1.5), (14.5), (16.5), (16.8), and (17.5) added, (SB 24-041), ch. 296, p. 2019, � 1, effective October 1, 2025. L. 2025: (17.4) and (24)(e) added, (17.5) repealed, and (24)(c) and (24)(d) amended, (SB 25-276), ch. 240, pp. 1220, 1221, �� 18, 19, effective May 23. Editor's note: (1) Subsection (2.2) was numbered as (2.5) in HB 24-1058 but was renumbered on revision for ease of location; subsections (2.4) and (2.5) were numbered as (2.2) and (2.4) in HB 24-1130 but were renumbered on revision for ease of location. (2) Subsections (17.4), (17.4)(a), (17.4)(a)(I), (17.4)(a)(II), and (17.4)(b) were renumbered on revision as subsections (17.4)(a), (17.4)(b), (17.4)(b)(I), (17.4)(b)(II), and (17.4)(c), respectively, in 2025. (3) Subsection (17.5) was added by SB 24-041, effective October 1, 2025. However, those amendments were superseded by the repeal of subsection (17.5) by SB 25-276, effective May 23, 2025. Cross references: For the legislative declaration in HB 24-1058, see section 1 of chapter 68, Session Laws of Colorado 2024. For the legislative declaration in HB 24-1130, see section 1 of chapter 313, Session Laws of Colorado 2024. For the legislative declaration in SB 25-276, see section 1 of chapter 240, Session Laws of Colorado 2025.