The bill amends the "Colorado Privacy Act" to add enhanced protections when a minor's data is processed and there is a heightened risk of harm to the minor. The bill applies to any entity that controls consumer personal data (controller) and that conducts business in Colorado or delivers products or services that are targeted at Colorado residents, regardless of the volume of or amount of revenue derived from that activity.
A controller that offers an online service, product, or feature to a consumer that the controller knows or willfully disregards is a minor is required to:
- Use reasonable care to avoid any heightened risk of harm to minors caused by the service, product, or feature; and
- Conduct, and review as necessary, a data protection assessment for the service, product, or feature and maintain documentation regarding the assessment for a specified period.
Unless the minor or, for a minor who is under 13 years of age, the minor's parent or legal guardian has consented, a controller is prohibited from processing a minor's personal data:
- For targeted advertising, selling the minor's personal data, or profiling the minor's personal data;
- For any processing purpose other than the purpose disclosed at the time the minor's personal data is collected or a purpose reasonably necessary for the disclosed processing purpose; or
- For longer than reasonably necessary to provide the service, product, or feature.
A controller is also prohibited from:
- Using a system design feature to significantly increase, sustain, or extend a minor's use of the service, product, or feature; or
- Collecting a minor's precise geolocation, except under specified circumstances.
The attorney general and district attorneys are authorized to enforce the requirements of the bill in the same manner as authorized under the "Colorado Privacy Act", including notifying a controller of, and allowing a controller time to cure, a violation.
(Note: This summary applies to this bill as introduced.)