Author

Amanda Anderson

4A's VP, Government Relations

Topic

  • Government Relations
  • Privacy Law

On May 31, 2024, Colorado Governor Jared Polis signed into law SB 24-041, which would amend the Colorado Privacy Act (CPA) to add protections for children’s data privacy. The law creates new obligations for entities that offer any online service, product, or feature to minors (defined as under 18). The bill is modeled on Connecticut’s SB 3, which was signed into law in that state last June. The amendments to the CPA take effect on October 1, 2025.

Scope of Applicability

The children’s privacy amendments will apply to more entities than the original CPA currently covers because they do not have the same minimum revenue and processing threshold requirements as the original law. More specifically, the children’s privacy provisions under the CPA apply to any entity that offers an online service, product, or feature to consumers whom the entity actually knows or willfully disregards are minors (under 18).

Controller Obligations

Controllers offering online services, products, or features to consumers that they know are minors (or whose age they willfully ignore) must now conduct a data protection assessment if there is a high risk of harm from the commercial use of data belonging to a minor. Controllers must also act with reasonable care to avoid any heightened risk of harm to minors caused by their service, product, or feature.

Heightened risk of harm under the law is defined as processing the personal data of minors in a manner that presents a reasonably foreseeable risk that could cause:

  • Unfair or deceptive treatment of, or unlawful disparate impact on minors.
  • Financial, physical, or reputational injury to minors.
  • Unauthorized disclosure of personal data of minors due to a security breach.
  • Physical or other intrusion upon the solitude or seclusion, or private affairs or concerns, of minors if the intrusion would be offensive to a reasonable person.

Opt-in consent is required by a parent or legal guardian in order for a controller to collect or process the personal data of a minor aged 13 or under for the following purposes:

  • Targeted advertising, selling the child’s personal data, or profiling the minor’s personal data;
  • For any processing purpose other than the purpose disclosed at the time the child’s personal data is collected or a purpose reasonably necessary for the disclosed processing purpose;
  • For keeping data longer than reasonably necessary to provide the service, product, or feature.

Per the new amendments in SB 24-041, controllers are also prohibited from collecting a minor’s precise geolocation data (except in certain circumstances) and from using a system design feature to significantly increase, sustain, or extend a minor’s use of the service, product, or feature.

Enforcement and Cure Period

The Colorado Attorney General and state District Attorneys are authorized to enforce the new children’s privacy amendments in the same manner as authorized under the Colorado Privacy Act, including notifying a controller of, and allowing a controller time to cure, a violation. There is explicitly no private right of action enforcement in the law. Overall, in any enforcement action brought by the Attorney General or District Attorney, there is a rebuttable presumption that a controller used reasonable care if the controller complied with its obligations mentioned above.

Controllers have 60 days to cure alleged violations. The cure period for the CPA’s new children’s amendments ends on December 31, 2026, while the cure period for the rest of the CPA provisions ends on January 1, 2025.

Have questions about the children’s privacy amendment to the Colorado Privacy Act? Please contact Amanda Anderson, 4A's VP, Government Relations.