2-17-552. Collection of personally identifiable information -- requirements. (1) A government operator may not collect personally identifiable information online from a user unless the operator complies with the provisions of this section.
(2) (a) A government operator shall ensure the information delivery system or platform:
(i) identifies who operates the system;
(ii) provides both physical and electronic means for contacting the operator; and
(iii) generally describes the operator's information practices, including policies to protect the privacy of the user and the steps taken to protect the security of the collected information; and
(b) If the department determines that an agency is not in compliance with the state security policies, framework, controls, standards, procedures, and guidelines provided for in 2-17-534, the department may take appropriate action, in its sole discretion, up to and including terminating the information technology resource and requiring the use of an alternative information technology resource.
(3) In addition to the requirements of subsection (2)(a), if the personally identifiable information may be used for a purpose other than the express purpose for the collection or may be given or sold to a third party, except as required by law, then the operator shall ensure that the information technology resource includes:
(a) a clear and conspicuous notice to the user that the information collected could be used for other than the purposes of the collection;
(b) a general description of the types of third parties that may obtain the information; and
(c) a clear, conspicuous, and easily understood online procedure requiring an affirmative expression of the user's permission before the information is collected.