Key point: The Colorado attorney general’s (AG’s) office is considering amendments to its Colorado Privacy Act (CPA) rules to provide further guidance to controllers subject to the law’s children’s privacy protections.
In late July, the Colorado AG’s office circulated draft amendments to the CPA rules. The draft amendments modify and supplement the existing CPA rules in reaction to the Colorado legislature passing two bills amending the CPA over the prior two sessions. Below, we provide an overview of the draft amendments and relevant context for the rulemaking.
Rulemaking Background
This is the second time the Colorado AG’s office has revised the CPA rules since they were finalized in March 2023. The office first amended the rules in December 2024 to create a process for issuing opinion letters and interpretative guidance and to implement the biometric (HB 1130) and children’s privacy (SB 41) amendments passed by the Colorado legislature during the 2024 session.
While the office already finalized amendments implementing the children’s privacy bill, those amendments, for the most part, focused on integrating the bill’s text into the existing rules. The amendments did not address some of the gray areas in the bill’s provisions.
Earlier this year, the AG’s office announced that it was accepting pre-rulemaking comments for additional implementing regulations for the children’s privacy law. According to the office’s website, 10 organizations submitted pre-rulemaking comments. The office then published draft amendments on July 29 and is accepting comments on those amendments until September 10. The office also will hold a public hearing on September 10.
Statutory Background
Effective October 1, 2025, SB 41 amends the CPA to provide additional privacy protections for children under the age of 18. The amendments apply to controllers that conduct business in Colorado or deliver commercial products or services that are intentionally targeted to Colorado residents. A controller that “offers any online service, product or feature to a consumer to whom the controller actually knows or willfully disregards is a minor shall use reasonable care to avoid a heightened risk of harm to minors caused by the online product, service, or feature.” If a controller has actual knowledge or willfully disregards that it is offering its product, service, or feature to a minor, it must obtain the minor’s consent to engage in targeted advertising, the sale of personal data, and certain types of profiling, among other things (or a parent/guardian’s consent if the minor is under 13). As is relevant here, a controller also must obtain a minor’s consent to “use any system design feature to significantly increase, sustain, or extend a minor’s use of the online service, product or feature.”
Separately, during the 2025 legislative session, the Colorado legislature passed SB 276, which amends the CPA’s definition of sensitive data to include precise geolocation and to prohibit controllers from selling sensitive data without obtaining a consumer’s consent.
Draft Amendments to the CPA Rules
The draft amendments do three things. First, they operationalize the children’s privacy law amendments by providing direction for what it means for a controller to “willfully disregard” that a consumer is a minor (under 18 years of age). Second, the amendments flesh out what it means for a system design feature to significantly increase, sustain, or extend a minor’s use of an online service, product, or feature. Finally, the amendments change the rule’s existing definition of “revealing” to address the addition of precise geolocation data as an element of sensitive data. We discuss each of these in turn.
Willfully Disregard
The draft amendments identify three “factors” that can be considered when determining if a controller willfully disregards that a consumer is a minor: (1) if the controller has directly received information from a parent or consumer indicating that the consumer is a minor; (2) if the controller has directed the website or service to minors, considering different factors such as subject matter, visual content, language, and use of minor-oriented activities and incentives; and (3) if the controller has characterized a consumer as a minor for marketing, advertising, or internal business purposes.
The draft amendments provide examples for each of these three factors. For example, as to the third factor, the amendments state that it includes a controller who uses consumer data to estimate a consumer’s age, which indicates that they are a minor, and the controller then serves ads to the minor based on that estimation.
The draft amendments do not specifically discuss shared-user scenarios such as the use of household technologies by multiple family members, including minors. This was an argument raised in the State Privacy & Security Coalition’s comments. However, the three factors developed by the office do not appear to cover those scenarios.
The amendments also state that controllers are not required to implement an age verification or age-gating system or otherwise affirmatively collect the age of consumers. While several organizations asked the office to avoid age verification or age-gating requirements in the amendments, this seemed extremely unlikely given that SB 41 specifically states that those could not be required. See C.R.S. § 6-1-1304(3)(f): “The obligations imposed on controllers or processors under this part 13 do not: Require a controller or processor to implement an age verification or age-gating system or otherwise affirmatively collect the age of consumers….”
Finally, it is important to note that while the amendments are specific to Colorado’s law, Colorado’s interpretation of “willfully disregard” is likely to impact compliance efforts in other states. That phrase was first used in the California Consumer Privacy Act (CCPA). It was next used in Connecticut’s data privacy law and was chosen specifically to drive interoperability between the two state laws. It has since been adopted in numerous state data privacy laws. Yet, despite the fact that the phrase has been used in the CCPA and several other states’ laws, it has yet to be defined. Therefore, Colorado’s interpretation is likely to be looked at by regulators in other states for guidance, and controllers are likely to point to Colorado’s definition as setting the standard for all state laws including that phrase.
System Design Features
The amendments identify three factors that may be considered when determining if a system design feature significantly increases, sustains, or extends a minor’s use of an online service, product, or feature:
- Whether the controller developed or deployed the system design feature to significantly increase, sustain, or extend a minor’s use of or engagement with an online service, product, or feature;
- Whether the system design feature has been shown to increase use of or engagement with an online service, product, or feature beyond what is reasonably expected of that particular type of online service, product, or feature when it is used without the system design feature; and
- Whether the system design feature has been shown to increase the addictiveness of the online service, product, or feature, or otherwise harm minors when deployed in the specific context offered by the controller.
The second and third factors are likely to be the focus of further industry comments. For example, industry stakeholders are likely to claim that the third factor’s reference to “otherwise harm minors” is ambiguous. They may also look at the second factor’s “reasonably expected” language and ask for clarification about whose reasonable expectation is at issue (e.g., the minor’s, reasonable minors’, parents’, a reasonable person’s, the controller’s).
The draft amendments also identify six situations in which a system design feature will likely not be found to significantly increase, sustain, or extend a minor’s use of an online product, service, or feature:
- If the minor expressly and unambiguously requested specific media; the minor subscribed to specific media by the author, creator, or poster; or the minor has subscribed to a page or group featuring specific media, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the minor or the minor’s device;
- If media are recommended, selected, or prioritized only in response to a specific search inquiry by the minor, or are exclusively next in a pre-existing sequence from the same author, creator, poster, or source;
- If the system design feature is one that is necessary to the core functionality of an online service, product, or feature;
- If the system design feature is based on information that is not persistently associated with the minor or the minor’s device;
- If the system design feature does not consider the minor’s previous interactions with media generated or shared by other consumers; or
- If the online service, product, or feature contains countervailing measures that could mitigate the harm or other negative effects of the system design feature, such as default time of day or time use limits.
The final example of controllers setting reasonable day/time limits has been the focus of social media laws, which have required social media companies to turn off alerts and notifications during certain hours. This also was identified in the comments from the Entertainment Software Association (ESA), which encouraged the office to take these mitigating steps into account during the rulemaking.
The amendments also clarify that the fact that a system design feature is commonly used is not, standing alone, enough to demonstrate compliance with the law. The amendments further clarify that if a system design feature is turned off by default and the minor turns it on, that action is considered affirmative consent as contemplated by the law.
Finally, of note, the amendments do not define what constitutes a system design feature. This was a topic discussed in comments provided by the ESA, Colorado Chamber of Commerce, and Chamber of Progress.
Definition of Revealing
Finally, the amendments modify the existing definition of “revealing” to remove the following example: “While precise geolocation information at a high level may not be considered Sensitive Data, precise geolocation data which is used to infer an individual visited a mosque and is used to infer that individual’s religious beliefs is considered Sensitive Data under C.R.S. § 6-1-1303(24)(a). Similarly, precise geolocation data which is used to infer an individual visited a reproductive health clinic and is used to infer an individual’s health condition or sex life is considered Sensitive Data under C.R.S. § 6-1-1303(24)(a).” The office needed to remove the example because the CPA was amended this year to add precise geolocation as an element of sensitive data.