Privacy & Information Security Law Blog

The Colorado Department of Law recently issued a Notice of Proposed Rulemaking with proposed draft amendments to the Colorado Privacy Act rules (“Proposed Rules”). These Proposed Rules are designed to strengthen protections regarding minors’ personal data and clarify a recent amendment to the Colorado Privacy Act (SB24-041) that becomes effective on October 1, 2025.

The recent amendments to the CPA impose requirements and restrictions on controllers that offer an “online service, product or feature” to a consumer the controller actually knows or willfully disregards is a minor (under 18 years old).  Specifically, unless a controller has obtained consent that meets certain requirements (from the minor consumer or the minor’s parent if under 13 years old), the controller is prohibited from using any system design feature to “significantly increase, sustain, or extend” a minor’s use of the online service, product or feature. The Proposed Rules provide additional context on the “willfully disregard” standard and these system design features.  

Willfully Disregard Standard

The following factors may be considered in determining whether a controller willfully disregards that a consumer is a minor:

• if the controller has directly received information from a parent or consumer indicating that the consumer is a minor;
• if the controller has directed the website or service to minors, considering different factors such as subject matter, visual content, language, and use of minor-oriented activities and incentives (similar to the criteria set forth in COPPA); and
• if the controller has categorized a consumer as a minor for marketing, advertising, or internal business purposes.

The Proposed Rules indicate that controllers may consider statutes, administrative rules, and administrative guidance concerning age knowledge standards from other jurisdictions when evaluating the appropriateness of treating a consumer as a minor. 

System Design Features

The following factors may be considered when determining if a system design feature significantly increases, sustains, or extends a minor’s use of an online service, product, or feature and is subject to the law’s consent requirement:

• whether the controller developed or deployed the system design feature to significantly increase, sustain, or extend a minor’s use of or engagement with an online service, product, or feature;
• whether the system design feature has been shown to increase use of or engagement with an online service, product, or feature beyond what is reasonably expected of that particular type of online service, product, or feature when it is used without the system design feature; and
• whether the system design feature has been shown to increase the addictiveness of the online service, product or feature, or otherwise harm minors when deployed in the specific context offered by the Controller. (The Proposed Rules do not define the term “addictiveness.”)

The design feature likely will not be found to significantly increase, sustain, or extend a minor's use of an online service, product, or feature if:

• the minor expressly and unambiguously requested specific media, subscribed to specific media, or subscribed to a page or group featuring specific media;
• media is recommended, selected, or prioritized only in response to a specific search or is exclusively the next item in a pre-existing sequence from the same author, creator, poster, or source;
• the system design feature is necessary to the core functionality of an online service, product, or feature;
• the system design feature is based on information that is not persistently associated with the minor or the minor’s device;
• the system design feature does not consider the minor’s previous interactions with media generated or shared by other consumers; or
• the online service, product, or feature contains measures that could mitigate the harm or other negative effects of the system design feature, such as default time of day or time limits.

Written comments can be submitted until September 5, 2025. A public hearing is scheduled for September 10, 2025.