Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Colorado: Bill amending CPA to address minors protection introduced to Senate

On January 10, 2024, Senate Bill 24-041 on Privacy Protections for Children's Online Data was introduced in the Colorado State Senate and assigned to the Business, Labor, and Technology Committee. The bill would amend the Colorado Privacy Act (CPA) by adding data protections for a minor's online activity. The bill would apply to any entity considered a data controller that conducts business in Colorado or delivers products or services targeted at Colorado residents. The bill defines a minor as any individual under the age of 18. 

What are the proposed changes under the bill? 

Under the bill, if a data controller offers a product, service, or feature to an individual known to be a minor or the data controller willfully disregards that an individual may be a minor, the controller will be required to, among other things: 

  • use reasonable care to avoid heightened risk of harm to minors caused by the product, service, or feature;  

  • conduct and review data protection assessments for the product, service, or feature; and 

  • in any enforcement action brought by the Attorney General (AG), there is a rebuttable presumption that a controller would have used reasonable care to avoid the heightened risk of harm to minors caused by the online service, product, or feature. 

The bill also states that without the consent of a minor, or for minors under the age of 13 the consent of a parent or legal guardian, the data controller is prohibited from: 

  • selling a minor's personal data or profiling the minor's data for targeted advertising; 

  • processing data for any purpose other than the disclosed purpose the data was collected or for a purpose reasonably necessary for the disclosed purpose; or 

  • processing data for longer than necessary to provide the product, service, or feature. 

Under the bill, data controllers will also be prohibited from using design features to increase, sustain, or extend a minor's use of the service, product, or feature, or collect a minor's precise geolocation except for specific circumstances. Furthermore, the bill also provides consent requirements and obligations for conducting a data protection assessment when processing minors' data.  

You can read the bill here and track the bill's progress here

Update: April 23, 2024

Amended bill introduced to the House

On April 23, 2024, the amended bill was introduced in the House and was assigned to the House Business Affairs and Labor Committee. The amended bill passed its third reading in the Senate on April 23, 2024.

The amended bill provides several updates including the requirement for controllers to complete a Data Protection Impact Assessment if a feature presents a heightened risk of harm to minors. 

The amended bill also outlines that the obligations imposed on controllers or processors do not apply to: 

  • information made available by a third party that the controller has reason to believe is considered to be protected speech under applicable law;  
  • the processing of personal data by an individual in the course of household or personal activities; 
  • controllers or processors implementing age verification, age-gating systems, or collecting the ages of consumers if controllers collect the information to determine the age of consumers, controllers are not liable for erroneous age estimation; and 
  • any obligations on controllers or processors that will negatively affect the rights of any person to freedom of speech or freedom of the press as guaranteed in the US Constitution. 

You can read the amended bill here and track its progress here.

Update: May 7, 2024

Bill passes third reading

On May 5, 2024, the bill was read for a third time by the House, with the Senate concurring, on May 6, 2024, with the amendments made to the bill. 

In particular, amendments to the bill redefine 'heightened risk of harm to minors' as processing the personal data of minors in a manner that presents a reasonably foreseeable risk that could cause:

  • unfair or deceptive treatment of, or unlawful disparate impact of minors;
  • financial, physical, or reputational injury to minors;
  • unauthorized disclosure of the personal data of minors as a result of a security breach; or
  • physical or other intrusions upon the solitude or seclusion, or the private affairs or concerns, of minors if the intrusion would be offensive to a reasonable person.

The amendments to the bill also redefine 'precise geolocation data' to not include:

  • the content of communications regarding location; or
  • any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.

The bill now also stipulates that a controller that offers any online service, product, or feature to a consumer whom the controller actually knows or wilfully disregards is a minor, must conduct a data protection assessment for the online service, product, or feature if there is a heightened risk of harm to minors.

You can read the amended bill here and track its progress here.

Update: May 15, 2024

Bill passed by legislature

On May 14, 2024, the bill was signed by the Speaker of the House and the President of the Senate. The bill must now go to the Governor of Colorado for signature.

You can read the final bill here and track its progress here.

Update: June 3, 2024

Bill signed by Governor into law

On May 31, 2024, the bill was signed by the Colorado Governor into law. The Act will become effective on October 1, 2025, unless an amendment is filed as described in the Act.

You can read the signed Act here and view its legislative history here.