Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Colorado: Amended bill to address minors protection passed by legislature

On May 14, 2024, Senate Bill 24-041 on Privacy Protections for Children's Online Data was signed by the Speaker of the Colorado House of Representatives and the President of the Colorado State Senate. The bill must now go to the Governor of Colorado for signature.

What is the scope of the bill?

The bill would amend the Colorado Privacy Act (CPA) by adding data protections for a minor's online activity. The bill would apply to any entity considered a data controller that conducts business in Colorado or delivers products or services targeted at Colorado residents. The bill defines a minor as any individual under the age of 18.

A 'heightened risk of harm to minors' is defined in the bill as processing the personal data of minors in a manner that presents a reasonably foreseeable risk that could cause:

  • unfair or deceptive treatment of, or unlawful disparate impact on, minors;
  • financial, physical, or reputational injury to minors;
  • unauthorized disclosure of the personal data of minors as a result of a security breach; or
  • physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors if the intrusion would be offensive to a reasonable person.

What are the obligations under the bill?

Under the bill, if a data controller offers a product, service, or feature to an individual known to be a minor or the data controller wilfully disregards that an individual may be a minor, the controller will be required to, among other things:

  • use reasonable care to avoid heightened risk of harm to minors caused by the product, service, or feature; and
  • in any enforcement action brought by the Attorney General (AG), there is a rebuttable presumption that a controller would have used reasonable care to avoid the heightened risk of harm to minors caused by the online service, product, or feature.

You can read the final bill here and track its progress here.