The Colorado Attorney General recently published draft rules implementing a new children’s privacy law in the state. Companies have until September 10th to comment on the rules. With the new children’s privacy statute going into effect on October 1st, companies should immediately check for compliance.
The draft rules bear on two central issues, namely when: (i) businesses should have knowledge of a minor’s age (minors are consumers under 18 years old) and (ii) design features are so engaging that a controller’s use of the feature requires consent from the minor.
A. Knowledge Standard.
The rules create a relatively workable set of standards governing when data controllers should know that a user is a minor:
- Many triggers of imputed knowledge amount to “actual knowledge,” such as a user’s self-reported grade level, age listed in the bio section of a user’s profile, or a report from a parent that the user is a minor.
- If the service contains elements that “specifically appeal to minors” then the product is considered directed to a minor. Design elements that appeal to both minors and adults therefore do not suggest that the service is directed towards minors. Such mixed-audience design elements would not be specific to minors. More on design elements is below.
- Finally, if a controller estimates a user to be a minor (including for marketing segmentation or similar use cases), then the controller should proceed as if the user is a minor. Like the first list of items above, estimated age essentially amounts to actual knowledge.
Application of that standard will vary greatly depending on the industry and type of service. But those instances of deemed knowledge are not particularly burdensome for controllers to follow.
B. Engaging Design Elements.
Consistent with other teen online safety laws, the new Colorado regime regulates addictive design features of websites or online services. The Colorado Privacy Act requires controllers to collect minors’ consent before allowing the minor to engage in addictive features that “significantly increase, sustain, or extend” a minor’s use of the service.
A feature is more likely to be considered “addictive” if (i) the controller deployed the feature with the intent to sustain the minor’s use of a service or (ii) the feature had been shown to be addictive or otherwise increases engagement beyond what’s reasonably expected for the product or service.
The Colorado rules are reasonable in that not every feature that increases engagement would be subject to the regime’s consent requirements. Such a standard would mean that the use of any engaging design feature would require a user’s consent (which would of course be unworkable). To view a PDF of the amended draft rules, click here.
