Key point: Colorado’s Department of Law is soliciting public comments through September 5, 2025, on revised privacy rules to protect minors’ personal data and online privacy.
On July 29, the Colorado Department of Law issued a notice of proposed rulemaking to revise the state’s privacy rules following the legislature’s 2024 amendments to the Colorado Privacy Act (“CPA”). The revised rules include new protections for the personal data of minors and are currently open to public comment. Written comments should be submitted via the CPA rulemaking comment portal by September 5, 2025. Additional comments may be submitted at a public hearing scheduled for September 10, 2025.
The legislative amendments to the CPA (adding C.R.S. § 6-1-1308.5), prohibit data controllers who actually know or “willfully disregard” that a consumer is a minor (under the age of 18) from using “system design features” (“features”) that “significantly increase, sustain, or extend” a minor’s use of an online service, product, or feature (collectively, “service”), without appropriate consent from the minor or, if the minor is a child (under the age of 13), the parent.
Attempts to Clarify when a Controller is in “Willful Disregard” Under the CPA
The CPA’s “willful disregard” standard seeks to regulate the handling of minors’ data, even if the business does not have actual knowledge that a consumer is a minor. However, the statute does not further define what “willful disregard” means, creating uncertainty as to how businesses can achieve compliance without invoking stringent measures, such as age verification or age-gating, to increase the odds of compliance.
The proposed rule offers some clarity in that area. While the proposed rule emphasizes that age verification or age-gating systems are not required under the CPA, it identifies a broad range of facts that can put controllers on notice that they are in “willful disregard” of a consumer’s status as a minor, and that the prohibitions under C.R.S. § 6-1-1308.5 apply. These facts include:
- Information in a consumer’s profile, personal biography, or other “relevant indicia” on the controller’s service, such as the consumer’s date of birth, year of birth, or educational grade level, indicating the consumer is under 18;
- A parent making a “credible report” to the controller that a consumer is under 18;
- A controller “directing” its service to minors, which is based on a subjective assessment of the service’s subject matter, visual content, language, and use of “minor-oriented activities and incentives” that make the service “specifically appeal” to minors; and
- The controller categorizing a consumer as a minor for marketing, advertising, or internal business purposes.
When are a Service’s Features Considered Compulsive for Minors?
Another unclear term in the CPA’s amendments arises when a feature of an online service is considered to “significantly increase, sustain, or extend” a minor’s use of that service (a “compulsive” feature). The proposed rule attempts to clarify this term, defining such features as those:
- Developed or deployed for that specific purpose;
- Shown to have that effect; or
- Shown to increase the addictiveness of the service or otherwise harm the minor in the specific context offered by the controller.
This definition, while helpful, still appears dependent on answering additional factual questions and lacks a clear standard for determining who decides—or how it is determined—that a feature is compulsive, addictive, or otherwise harmful, and whether a controller would have actual or imputed knowledge that any of those factors are applicable to the features.
Beneficially, the proposed rule offers some boundaries around this definition by listing circumstances where a feature is “likely not” considered compulsive. While not an outright safe harbor, these circumstances include when the feature:
- Is necessary to the core functionality of the service;
- Acts in response to the minor expressly and unambiguously requesting specific media or subscribing to a specific author, page, or group featuring specific media, so long as the media is not recommended, selected, or prioritized for display based on other information associated with the minor or the minor’s device;
- Recommends, selects, or prioritizes media only in response to the minor’s specific search request;
- Does not consider the minor’s prior interactions with media generated or shared by other consumers; or
- Is part of a service with “countervailing measures” that could mitigate harm or other negative effects of the feature, such as default time-of-day or time-of-use limits.
Importantly, the proposed rule seeks to provide a safe harbor for compulsive features that are disabled by default. The minor can then opt-in to using the feature, thereby providing implied consent that will satisfy the CPA’s “consent” requirement for a minor’s use of such features. Note, however, that opt-in alone is insufficient for minors who are under 13 years old, unless the child’s parent also opts-in.