ARTICLE
11 August 2025

Colorado Proposes Children's Privacy Amendments To Privacy Act Regulations

GP
Goodwin Procter LLP

Contributor

Goodwin Procter LLP logo
At Goodwin, we partner with our clients to practice law with integrity, ingenuity, agility, and ambition. Our 1,600 lawyers across the United States, Europe, and Asia excel at complex transactions, high-stakes litigation and world-class advisory services in the technology, life sciences, real estate, private equity, and financial industries. Our unique combination of deep experience serving both the innovators and investors in a rapidly changing, technology-driven economy sets us apart.
Explore Firm Details
What started as a flurry when California included protections for data about known teens in its 2018 privacy law soon became a blizzard. State after state passed new protections for teens into their own privacy laws, with each version raising the standards above the previous ones
United States Privacy
Jacqueline Klosek,Gabe Maldoff, and Jacob Lee

What started as a flurry when California included protections for data about known teens in its 2018 privacy law soon became a blizzard. State after state passed new protections for teens into their own privacy laws, with each version raising the standards above the previous ones.

Now, even in the depths of summer, an avalanche is forming in Colorado's mountain passes, as amendments to the Colorado Privacy Act (CPA) are set to come into force on October 1, 2025.

Draft rules implementing the CPA amendments (the Proposed Rules) issued July 29, 2025, by the Colorado Department of Law (DOL) aim to extend heightened protections not only to data about known minors under 18 but also any personal information collected on websites or services directed to such minors, even when a business does not know the ages of its users.

Among other things, this will require controllers operating services intended for minor audiences to seek opt-in consent before engaging in many standard business practices, such as targeted advertising, profiling, and extended data retention. Controllers will also need to conduct data protection assessments, implement technical safeguards related to geolocation data and communication tools, and avoid design features intended to increase engagement or addiction by minors.

The DOL has opened the Proposed Rules to public comment from July 29 to September 10, 2025. A public hearing on September 10 will follow the public comment period. The Proposed Rules do not include an effective date, but it is likely that the DOL set the rulemaking timeline with the goal of finalizing the Proposed Rules by October 1, 2025, when the CPA amendments are scheduled to go into effect.

Heightened Protections for Minors Will Become Effective October 1, 2025

The Proposed Rules extend the scope of protections for minors' data that passed last year as part of the amendments. To recap, the CPA amendments (published December 2024) introduced significant changes to the CPA's protections for minors' data, including:

  • Raising the age of protection from 13 to 18, thereby bringing personal information about teens that was not previously regulated by the federal Children's Online Privacy Protection Act into its scope.
  • Requiring controllers to obtain informed, opt-in consent from minors (or parents of minors under 13) before (i) "selling" minors' personal information; (ii) processing such information for targeted advertising; (iii) processing personal data for purposes not compatible with those described at the time of collection; (iv) profiling minors; or (v) retaining personal information longer than reasonably necessary to provide the service.
  • Barring controllers from "using any system design feature to significantly increase, sustain, or extend" a minor's use of an online service without opt-in consent.
  • Imposing additional limitations on precise geolocation data relating to minors, including requirements to (i) use such information only as necessary to provide a service to the minor; (ii) retain such information only for the time necessary to provide the service; and (iii) display an indicator signal when a service is collecting precise geolocation data.
  • Mandating safeguards to restrict adults from sending unsolicited communications to minors whom they have no relationship to.
  • Requiring controllers that process the personal information of minors to conduct, document, and continuously reevaluate data protection assessments if the controller's product or service may create a heightened risk of harm to minors.

The CPA amendments also forbid controllers from providing consent mechanisms designed to substantially subvert, impair, or otherwise manipulate user autonomy, decision-making, or choice.

The Proposed Rules Would Include More Activities Under the Scope of the CPA's Protections for Minors

As drafted, the CPA amendments apply when the controller "knows or willfully disregards" that a user is a minor. The Proposed Rules take a more expansive view, defining "willfully disregard" to include not only instances when a controller receives evidence of a user's age but also any service that is intended for, or likely to attract, minors, even if the controller does not know the age of any specific user.

The Proposed Rules set out several factors that controllers must consider when evaluating whether minors' privacy protections apply, including whether:

  • the online service or website contains designs, features, or other elements directed at, or likely to attract, minors (e.g., child-friendly subject matter, designs, colors);
  • the controller receives direct information from the consumer or a parent revealing that the consumer is a minor (e.g., a consumer enters a date of birth or age in a bio or other content on the service, the "controller receives a credible report from a parent"); and
  • the controller internally categorizes the "consumer as a [m]inor for marketing, advertising, or [other] business purposes" (e.g., by estimating a consumer's age or otherwise placing a consumer into an advertising segment focused on minors).

The Proposed Rules also advise controllers to consult relevant statutes, administrative rules, and guidance from other jurisdictions regarding age determination standards. This provision could require controllers to rely on standards from laws that apply even more broadly than the CPA amendments. For example, age appropriate design code laws in California, Maryland, and Vermont apply to online services "reasonably likely to be accessed" by minors, including services that are routinely accessed by minors.

Notably, because the Proposed Rules focus on the intended audience for an online service, controllers that operate services directed to minors may need to treat all users — including adults — as if they are minors, unless the users' ages are known. Accordingly, while the Proposed Rules do not require controllers to implement age verification or age gating systems or otherwise affirmatively verify the age of consumers, such mechanisms may be useful for circumscribing minors' protections to minors only.

The Proposed Rules Would Restrict Automated Recommender Systems and Other Features Designed or Shown to Encourage Use by Minors

The CPA amendments prohibit controllers from implementing, without the consent of the minor, design features that significantly increase, sustain, or extend a minor's use of an online product or service. The Proposed Rules expand this prohibition to include features that are intended, or have been shown, to increase engagement or addictiveness. At the same time, they also provide more clarity on the practices that are not restricted.

The Proposed Rules identify the following factors for evaluating whether a system's design significantly increases, sustains, or extends use by minors:

  • "Whether the controller developed or deployed" features to "significantly increase, sustain, or extend [...] use of or engagement with an online service, product, or feature."
  • Whether the feature is "shown to increase use of or engagement [...] beyond what is reasonably expected of [a similar] type of online service, product, or feature" that does not contain the design feature in question.
  • Whether the "feature has been shown to increase the addictiveness [...] or otherwise harm [m]inors when deployed [as] offered by the [c]ontroller."

The Proposed Rules also state that a feature will likely not be deemed to increase, sustain, or extend use if

  • the feature is off by default and the minor must explicitly opt in to enable it;
  • with respect to services that provide media (e.g., videos, images):
    • the minor "expressly and unambiguously requested" or "subscribed" to that content, its creator, or a page that displays that content or its creator and the content is "not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the [m]inor or [their] device"; or
    • the content is "recommended, selected, or prioritized in response to a specific search inquiry by the [m]inor" or it is "next in a pre-existing sequence from the same [...] creator";
  • the feature is necessary for the core functionality of the service;
  • the "feature is based on information [...] not persistently associated with the [m]inor or [their] device";
  • the "feature does not consider the [m]inor's previous interactions with [content] generated or shared by other [c]onsumers"; or
  • the "online service, product, or feature contains countervailing measures [to] mitigate the harm or other negative effects" of the feature (e.g., time of day or usage limitations).

Together, these factors suggest that the DOL will focus particular attention on social media and other online services that make use of personalized systems for conveying tailored recommendations, such as personalized search results and content feeds. How the DOL will determine whether such personalized systems are a "core functionality" of a service — and, therefore, exempt from the prohibition — remains unclear.

The Proposed Rules also clarify that the mere fact that a feature is commonly used by other online services will not, on its own, support finding that the feature is suitable for minors.

Key Implications for Businesses: Brace for the Avalanche

As drafted, the CPA amendments' protections for child and teen users will extend to products or services directed at users under the age of 18, regardless of whether the controller has actual knowledge of the users' ages.

Companies that offer services intended for children and teens should take the following steps to prepare:

  • Analyze whether any offered products or services qualify as directed to minors. For this analysis, consider whether minors are permitted users under any applicable terms and conditions, whether the service contains features likely to attract minor users, and any evidence of the service's actual audience composition. Also look for features through which users might disclose their age, such as interactive chat and free text fields; users that self-identify as minors will be entitled to the minors' protections under the CPA amendments.
  • Review whether personal information is used for targeted advertising, "selling," or "profiling." If so, establish processes to seek appropriate opt-in consent or otherwise exclude minor users.
  • Conduct and document a data protection assessment that analyzes the potential risks of any product or service intended for minors as well as the safeguards in place to manage these risks.
  • Review data retention policies and procedures to ensure that minor personal data is not retained beyond what is necessary to provide services to a minor user without a valid business purpose.
  • Identify any products or services that contain features designed to encourage or increase use by minors and develop appropriate mitigations, such as opt-in consent processes or limitations on use of personal information.

Controllers subject to the CPA amendments should ensure that they can comply with relevant requirements by October 1, 2025.

Conclusion

The Proposed Rules demonstrate a continued commitment by regulators to protect the data of minors. In recent years, children's privacy legislation has advanced rapidly at both the state and federal levels. States including California, Connecticut, Maryland, and New York have introduced or amended laws to establish similar protections. Organizations that process the data of minors should closely monitor the evolving landscape of children's privacy laws.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Jacqueline Klosek
Jacqueline Klosek
Photo of Gabe Maldoff
Gabe Maldoff
Photo of Jacob Lee
Jacob Lee
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More