Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Colorado: Bill amending CPA to address minors protection signed by Governor into law

On May 31, 2024, Senate Bill 24-041 on Privacy Protections for Children's Online Data was signed by the Colorado Governor into law.

Obligations of controllers and processors

The Act stipulates that a controller that offers any online service, product, or feature:

  • to a consumer whom the controller actually knows or wilfully disregards is a minor, must conduct a data protection assessment if there is a heightened risk of harm to minors; and
  • to an individual known to be a minor or the data controller willfully disregards that an individual may be a minor, the controller will be required to: 
    • use reasonable care to avoid heightened risk of harm to minors caused by the product, service, or feature;  
    • conduct and review data protection assessments for the product, service, or feature; and 
    • in any enforcement action brought by the Colorado Attorney General (AG), there is a rebuttable presumption that a controller would have used reasonable care to avoid the heightened risk of harm to minors caused by the online service, product, or feature. 

The Act also states that without the consent of a minor, or for minors under the age of 13 years, the consent of a parent or legal guardian, the controller is prohibited from: 

  • selling a minor's personal data or profiling the minor's data for targeted advertising; 
  • processing data for any purpose other than the disclosed purpose the data was collected or for a purpose reasonably necessary for the disclosed purpose; or 
  • processing data for longer than necessary to provide the product, service, or feature. 

The Act also outlines that the obligations imposed on controllers or processors do not apply to: 

  • information made available by a third party that the controller has reason to believe is considered to be protected speech under applicable law;  
  • the processing of personal data by an individual in the course of household or personal activities; 
  • controllers or processors implementing age verification, age-gating systems, or collecting the ages of consumers if controllers collect the information to determine the age of consumers, controllers are not liable for erroneous age estimation; and 
  • any obligations on controllers or processors that will negatively affect the rights of any person to freedom of speech or freedom of the press as guaranteed in the US Constitution. 

Effective date

The Act will become effective on October 1, 2025, unless an amendment is filed as described in the Act.

You can read the signed Act here and view the legislative history here.