Privacy Protections for Children's Online Data
Effective October 1, 2025, the act amends the "Colorado Privacy Act" to add enhanced protections when a minor's data is processed and there is a heightened risk of harm to minors. The act applies to any entity that controls consumer personal data (controller) and that conducts business in Colorado or delivers products or services that are targeted at Colorado residents, regardless of the volume of or amount of revenue derived from that activity.
A controller that offers an online service, product, or feature to a consumer who the controller knows or willfully disregards is a minor is required to:
- Use reasonable care to avoid any heightened risk of harm to minors caused by the service, product, or feature; and
- Conduct, and review as necessary, a data protection assessment for the service, product, or feature if there is a heightened risk of harm to minors and maintain documentation regarding the assessment for a specified period.
Unless the minor or, for a minor who is under 13 years of age, the minor's parent or legal guardian has consented, a controller is prohibited from processing a minor's personal data:
- For targeted advertising, selling the minor's personal data, or profiling in furtherance of decisions that produce legal or similarly significant consequences;
- For any processing purpose other than the purpose disclosed at the time the minor's personal data is collected or a purpose reasonably necessary for the disclosed processing purpose; or
- For longer than reasonably necessary to provide the service, product, or feature.
Absent consent, a controller is also prohibited from:
- Using a system design feature to significantly increase, sustain, or extend a minor's use of the service, product, or feature; or
- Collecting a minor's precise geolocation, except under specified circumstances.
Neither a controller nor a processor that processes personal data for a controller is required to implement an age verification or age-gating system or otherwise affirmatively verify the age of consumers, and a controller that conducts commercially reasonable age estimation is not liable for an erroneous age estimation.
The attorney general and district attorneys are authorized to enforce the requirements of the act in the same manner as authorized under the "Colorado Privacy Act", including notifying a controller of, and allowing a controller time to cure, a violation.
APPROVED by Governor May 31, 2024
EFFECTIVE October 1, 2025
(Note: This summary applies to this bill as enacted.)