Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Colorado: Amended bill to address minors protection read for a third time

On May 5, 2024, Senate Bill 24-041 on Privacy Protections for Children's Online Data was read for a third time by the Colorado House of Representatives, with the Colorado State Senate concurring, on May 6, 2024, with the amendments made to the bill. The amended bill passed its third reading in the Colorado Senate on April 23, 2024.

What are the amendments to definitions under the bill?

In particular, amendments to the bill redefine 'heightened risk of harm to minors' as processing the personal data of minors in a manner that presents a reasonably foreseeable risk that could cause:

  • unfair or deceptive treatment of, or unlawful disparate impact of minors;
  • financial, physical, or reputational injury to minors;
  • unauthorized disclosure of the personal data of minors as a result of a security breach; or
  • physical or other intrusions upon the solitude or seclusion, or the private affairs or concerns, of minors if the intrusion would be offensive to a reasonable person.

The amendments to the bill also redefine 'precise geolocation data' to not include:

  • the content of communications regarding location; or
  • any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

How is the scope of the bill amended?

Amendments to the bill specify that its obligations no longer apply to:

  • information made available by a third party that the controller has a reasonable basis to believe is protected speech pursuant to applicable law; and
  • information processed by an individual in the course of a purely personal or household activity.

However, the bill now also stipulates that a controller that offers any online service, product, or feature to a consumer whom the controller actually knows or wilfully disregards is a minor, must conduct a data protection assessment for the online service, product, or feature if there is a heightened risk of harm to minors.

What are the obligations under the bill?

Under the bill, if a data controller offers a product, service, or feature to an individual known to be a minor or the data controller wilfully disregards that an individual may be a minor, the controller will be required to, among other things:

  • use reasonable care to avoid heightened risk of harm to minors caused by the product, service, or feature; and
  • in any enforcement action brought by the Attorney General (AG), there is a rebuttable presumption that a controller would have used reasonable care to avoid the heightened risk of harm to minors caused by the online service, product, or feature.

You can read the amended bill here and track its progress here.