On July 29, 2025, the Colorado Department of Law (CDL) issued a notice of proposed rulemaking to amend the Colorado Privacy Act (CPA) rules (proposed rules). The proposed rules clarify recent statutory amendments to the CPA that become effective October 1, 2025. The major operational changes required by the statutory amendments are that the age of protection for minors rises from 13 to 18, and that controllers subject to the CPA that provide an "online service, product, or feature" must obtain affirmative consent from minors (or from parents, when the minor is under 13) before processing minors' personal data for targeted advertising, sale, or profiling, and before implementing design features intended to increase user engagement. Controllers must treat consumers as minors when they have actual knowledge that a consumer is a minor, and must not otherwise "willfully disregard" a consumer's status as a minor. Finally, controllers must use reasonable care to avoid heightened risks of harm to minors and must conduct data protection assessments for online services, products, and features used by minors.
The CDL's proposed rules would clarify the "willful disregard" standard and outline specific practices like avoiding design features that increase addictiveness or prolong engagement. Comments are due September 5, 2025, and additional comments may be provided at the public hearing scheduled for September 10, 2025.
Duties Regarding Minors Related to System Design Features:
The CPA amendments require a controller to obtain parental consent if the controller has actual knowledge that the user is under 13 years old, or the consent of the minor if the user is at least 13 but under 18, before using a system design feature (design feature) to significantly increase, sustain, or extend the user's use of the online service, product, or feature (excluding telecommunications and broadband internet access services and the delivery or use of a physical product). The proposed rules provide "design feature" factors that controllers should consider, including whether:
- The specific purpose of a design feature is to increase, sustain, or extend use or engagement.
  - Determining whether a design feature was intentionally developed or deployed to significantly increase minors' use may be highly subjective; controllers may want to submit comments in the rulemaking process to seek clarity or examples of how the Colorado attorney general will determine intent under this factor.
- A design feature has been shown to increase, sustain, or extend use or engagement beyond what is "reasonably expected" of that particular type of service, product, or feature when used without the feature.
  - Engagement norms may vary widely across industries (e.g., educational apps vs. gaming platforms), and there is no clear standard for what engagement levels are "reasonably expected" for a given service, product, or feature, making it difficult for controllers to comply proactively. Controllers might be held responsible for engagement patterns that emerge only after a feature is launched, even if those patterns were unforeseen or unintended, and should seek clarity from the regulator on how such design features will be addressed.
- The design feature has been shown to increase addictiveness or otherwise harm minors.
  - The term "addictiveness" is not defined in the proposed rules, and its interpretation may vary. Ordinary features that create enjoyment or repeat use could be mischaracterized as "addictive," which may hinder companies' ability to improve the user experience. If this rule is promulgated as proposed, controllers may need to determine whether features intended to create positive engagement (e.g., reminders, rewards, or progress trackers) could be characterized as making a service addictive, despite complying with broader laws or industry norms regarding user welfare. Additionally, "harm" as used in this context does not appear to align with the examples of "heightened risk of harm to minors" defined in the statutory amendments (i.e., processing minors' personal data in ways that could foreseeably lead to unlawful discrimination; financial, physical, or reputational harm; unauthorized disclosure due to a security breach; or offensive intrusion into private affairs). Controllers may want to submit comments on whether this factor will lead to higher operational and compliance costs, given the need to assess every feature within the specific context of user engagement trends.
- A design feature will likely not be found to significantly increase, sustain, or extend a minor's use of an online service, product, or feature when it:
  - Is specifically requested by the minor, without recommendations based on the minor's data;
  - Is presented only in response to a specific search or as the next item in a pre-existing sequence from the same author, creator, poster, or source;
  - Is necessary to the core functionality;
  - Is based on information that is not persistently associated with the minor or the minor's device;
  - Does not consider the minor's previous interactions with media that is generated or shared by other consumers; or
  - Includes measures to mitigate harm, such as time limits.[1]
If a minor turns on or enables a design feature that is turned off by default, the minor will be deemed to have provided consent to the processing activity. The proposed rules state that the common use of a particular design feature will not, alone, be enough to demonstrate that any particular feature does not significantly increase, sustain, or extend a minor's use of an online service, product, or feature. Controllers may want to seek clarity from the CDL regarding what is meant by "commonly used." The proposed rules will also impact features like autoplay, recommendation engines, or gamification.
Knowledge Standard for Duties Regarding Minors:
The CPA amendments also require controllers to treat a consumer as a minor where the controller actually knows the consumer is a minor or willfully disregards information that the consumer is a minor. The proposed rules provide factors and examples that will guide consideration of whether controllers have willfully disregarded that a consumer is a minor. These include:
- Direct information that the controller receives from parents or consumers indicating that the consumer is a minor, such as a date of birth or information that the consumer includes in his or her bio on the service.
  - Controllers may need to evaluate, and consider commenting to the CDL on, whether current technologies enable automation of safeguards for minors once a user has provided an age. For example, if minors share their age in a bio or profile section but later edit it, controllers may need to scan content continuously to determine the consumer's correct age, raising privacy concerns and resource allocation challenges. Controllers may also face difficulty verifying the accuracy of user-provided information, especially when minors intentionally misrepresent their age (as in one of the examples provided in the proposed rules), or in determining when a parent's report that a minor is using the service is credible.
- Targeted content (e.g., subject matter, visuals, language, or minor-oriented activities and promotions) or marketing provided by the controller that specifically appeals to minors.
  - Determining whether a website or service is "directed to minors" based on the listed examples would be highly subjective and could open the door to regulatory overreach or inconsistent enforcement, leading to possible scrutiny of controllers even when they do not intend to market to minors. Controllers may want to consider commenting on whether this factor will have a chilling effect on commercial speech, causing controllers to refrain from creating content that appeals to a broad audience (including minors) out of concern that it places them under stricter regulatory scrutiny and potentially stifling business or creative efforts, or on whether the need to redesign websites or remove promotional materials that might appeal to minors will escalate compliance costs without clear benefits.
- Categorization of consumers as minors for marketing, advertising, or internal business purposes.
  - The provided example describes a scenario in which a controller estimates a consumer's age using other data (e.g., user-generated content or data provided by a third party) that indicates the user is a minor, and then serves ads to the user based on that estimation. Controllers may want to seek clarity from the CDL on whether the compliance risk under this factor may be shifted to a processor, e.g., a marketing vendor the controller has contracted to implement and process marketing functions on its behalf.
- No Age-Verification Requirement and Safe Harbor: Notwithstanding the provisions on direct knowledge and "willful disregard," both the statutory amendments and the proposed rules clarify that neither a controller nor a processor that processes personal data for a controller is required to implement an age verification or age-gating system or otherwise affirmatively verify the age of consumers. If a controller conducts a commercially reasonable age estimation, however, it will not be liable for treating a consumer as an adult.
The proposed rules also state that controllers may consider statutes, administrative rules, and administrative guidance concerning age knowledge standards from other jurisdictions when evaluating the propriety of treating a consumer as a minor.
Other CPA Amendments Concerning Privacy Protections for Children's Online Data
A summary of other key amendments to the CPA that address privacy protections for children's online data follows. With the limited exceptions described below, the proposed rules do not modify these requirements.
- Prohibition on Processing of Minors' Data for Specified Purposes: Unless the minor or, if the minor is under 13 years of age, the minor's parent or legal guardian has provided consent (COPPA's verifiable parental consent requirements will satisfy this requirement), a controller is prohibited from processing a minor's personal data:
  - For targeted advertising, selling the minor's personal data, or profiling in furtherance of decisions that produce legal or similarly significant consequences;
  - For any processing purpose other than the purpose disclosed at the time the minor's personal data is collected or a purpose reasonably necessary for the disclosed processing purpose; or
  - For longer than reasonably necessary to provide the service, product, or feature.
- Prohibition on Processing a Minor's Precise Geolocation Data: Absent consent, a controller is prohibited from collecting a minor's precise geolocation data unless it is:
  - Reasonably necessary to provide the service, product, or feature;
  - Collected and retained only as long as needed; and
  - Accompanied by a visible signal during collection (this requirement does not apply to ski area operators).
- Revised Definition: The CPA amendments introduced a definition of "precise geolocation data" that was further modified by another recent bill, SB 25-276. The revised definition differs from the previous definition as follows:
  - Sensitive Data: The revised definition characterizes precise geolocation data as sensitive data in all contexts for the purposes of the CPA. In support of this change, the proposed rules remove an example under the definition of the term "revealing" that suggested that precise geolocation data would not be considered sensitive data in certain contexts.
  - Broader Radius: The revised definition specifies a radius of 1,850 feet, broader than the 1,750 feet in the previous definition.
  - Broader Scope of Data Included: The previous definition focused on information derived from technology, such as GPS latitude and longitude coordinates or other mechanisms, that directly identified the specific location of an individual. The revised definition expands the scope to include information derived from technology that identifies the present or past location of a device linked or linkable to an individual. It explicitly includes GPS coordinates and any data derived from a device that is used or intended to locate a consumer within the specified radius.
  - Exclusions: Both definitions exclude the content of communications regarding location and data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
- Controller and Processor Responsibilities and Liabilities: With respect to processing minors' personal data, the statutory amendments require processors to follow controllers' instructions and assist them in meeting obligations under the new duty of care and data protection assessment requirements, including by implementing technical and organizational measures and providing information necessary to conduct and document data protection assessments. The amendment clarifies that liability is based on the roles of the parties, as determined by the context of data processing. The amendment explicitly describes instances where a processor becomes a controller (e.g., if it is not limited in its processing of personal data pursuant to a controller's instructions, if it fails to adhere to the instructions, or if it independently determines the purposes or means of processing).
- Duty and Rebuttable Presumption of Care: The amendment also requires controllers that offer an online service, product, or feature to a consumer whom the controller knows or willfully disregards is a minor to use reasonable care to avoid any heightened risk of harm to minors caused by the service, product, or feature.
- Exceptions for Educational Services: The prohibitions on processing of minors' data for specified purposes do not apply to any service or application that is used by and under the direction of an educational entity, including a learning management system or a student engagement program.
- Prohibition on Sale Without Consent: The amendment also explicitly prohibits controllers from selling a consumer's sensitive data without first obtaining the consumer's consent or, in the case of the processing of personal data concerning a known child, without first obtaining consent from the child's parent or lawful guardian.
- Additional Prohibitions: The statutory amendments prohibit a controller, when it has actual knowledge or willfully disregards that the consumer is a minor, from:
  - Using consent mechanisms that undermine user autonomy or decision-making; or
  - Providing direct messaging to minors without readily accessible and easy-to-use safeguards to limit unsolicited communications from unconnected adults. (The proposed rules provide certain exceptions for an online service, product, or feature whose predominant or exclusive function is email, or direct messaging consisting of text, photos, or videos sent between devices by electronic means, where messages are shared between the sender and the recipient, visible only to the sender and the recipient, and not posted publicly.)
- Data Protection Assessments: The amended statute requires a controller that, on or after October 1, 2025, offers any online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor to conduct an assessment for any such service posing a heightened risk of harm.
  - Assessment Scope: Controllers must adhere to the CPA's existing data protection assessment requirements and address the service, product, or feature's purpose, the categories of minors' data processed, the processing purposes, and the foreseeable heightened risks of harm.
  - Review & Documentation: Assessments must be updated after material changes and documented for at least three years after the processing ceases or the date on which the controller ceases offering the online service, product, or feature, whichever is later.
  - Consolidation: A single assessment can cover similar processing activities.
  - Compliance: Assessments conducted under other laws may satisfy these requirements if they are similar in scope and effect.
  - Risk Mitigation: If heightened risks are identified, controllers must implement plans to mitigate or eliminate them.
  - Confidentiality: Assessments are confidential and exempt from public records but must be made available to the attorney general upon request. An attorney general's request does not waive attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information in it.
  - Non-Retroactivity: Requirements apply only to activities initiated after October 1, 2025.
- Notice and Opportunity to Cure: Before any enforcement action related to the newly added requirements, the Colorado attorney general or a district attorney must issue a notice of violation to the controller if a cure is deemed possible. If the controller fails to cure the violation within sixty days after receipt of the notice of violation, an action may be brought against the controller. This provision will sunset on December 31, 2026.
Next Steps
The Colorado legislature and attorney general have been active in updating the CPA and its implementing rules since the CPA's enactment in 2021. Entities subject to the CPA should review their compliance programs to confirm they incorporate updates regarding minor privacy protections and precise geolocation data discussed in this alert, as well as previous updates addressing biometric privacy. In particular, regulated entities should:
- Assess whether any online service, product, or feature offered may present a heightened risk of harm to minors under the new definition (e.g., foreseeable discriminatory, financial, reputational, or privacy harms) and take steps to mitigate these risks.
- Assess whether any current practices may constitute actual knowledge or willful disregard that a consumer is a minor, including whether the controller has direct information that a consumer is a minor, whether any content is directed at minors, or whether the consumer has been characterized as a minor for marketing, advertising, or internal business purposes. Controllers should also evaluate whether any processing of minors' data is prohibited (e.g., for targeted advertising, sale, profiling, or undisclosed purposes) or whether minors' data is retained for longer than is permitted. While the statutory amendments make clear that no age verification is required, controllers should evaluate whether any online tracking technology platforms or vendors used by the controller have the ability to characterize a consumer as a minor, and whether the controller has taken any prohibited actions (actively or passively) based on this information or willfully disregarded information suggesting that a consumer is, in fact, a minor.
- Revise data protection agreements (DPAs) to include processor instructions for assisting the controller to meet its obligations under the CPA's new duty of care and data protection assessment requirements.
- Evaluate whether design features could be found to significantly increase use by minors and whether such features should be turned off by default. Features like autoplay or algorithmic recommendations may require opt-in consent or be accompanied by clear consent mechanisms that do not undermine user autonomy or decision making.
- Evaluate whether any online service, product, or feature permits direct messaging to minors without appropriate safeguards.
- Revise data protection assessment practices to incorporate requirements related to heightened risks of harm for collection and processing of minors' data.
- Revise internal practices to treat all precise geolocation data as sensitive and obtain consent before processing or selling it.
[1] Another statutory amendment to the CPA requires social media platforms to "provide users who are under the age of eighteen with information about their engagement in social media that helps the user understand the impact of social media on the developing brain, and the mental and physical health of youth users" or "[d]isplay[] a pop-up or full screen notification" to a minor user who: "(I) has spent one cumulative hour on the social media platform during a twenty-four-hour period; or (II) is on a social media platform between the hours of ten p.m. and six a.m." and the social media platform "must repeat [this warning] at least every thirty minutes after the initial notification." NetChoice has challenged this statutory amendment as unconstitutionally compelling speech in violation of the First Amendment and is seeking an injunction against its enforcement. NetChoice v. Weiser, No. 1:25-cv-02538 (D. Colo.).