Colorado remains active, proposes amendments to CPA rules

Colorado remains active, proposes amendments to CPA rules

Overview


On July 29, 2025, the Colorado Department of Law (Department) published a draft of its latest proposed Colorado Privacy Act (CPA) regulations, focused on children’s privacy. The Department is seeking comment on the proposed rule amendments by September 10, 2025. Businesses that regularly process the information of Minors (under 18 years of age) should review and consider submitting written comments on the proposed rules.

In Depth


Introduction of “knowledge” standard

A recent amendment to the CPA, SB24-041, which takes effect October 1, 2025, introduces a new definition of a “Minor” to the CPA, which is “any consumer who is under eighteen years of age.” The draft rules provide guidance as to when a business ought to know that a consumer is a minor. Specifically, the rules provide that the following factors will be used to determine if a business is willfully disregarding the fact that a consumer is a Minor: (i) the Controller received the information from a parent or consumer indicating that the consumer was a Minor, (ii) the business has a website or service directed to Minors, and (iii) the business has categorized the consumer as a minor for business purposes.

In addition to these factors, the draft rules would allow the Colorado attorney general to consider other states’ factors when evaluating if a consumer is a Minor. This is an interesting addition, given the proliferation of children’s online-privacy laws.

Significantly, however, the draft rules make clear that businesses are not required to implement age-verification or age-gating systems.

High-engagement features and consent mechanics

An online or app-based design feature requires consent if it was built to “significantly increase, sustain, or extend” a Minor’s use. The draft rules provide that the following factors would be used to evaluate whether the feature meets that standard: (i) whether the feature was designed to increase, sustain, or extend a Minor’s use; (ii) whether the feature has been shown to increase use or engagement; and (iii) whether the feature has been shown to be addictive.

Under the draft rules, a feature would not trigger the consent requirements if (i) the Minor expressly requested the specific media, (ii) media is returned in response to search requests by the user, (iii) the feature is not core to the online service or product, (iv) the feature is based on information that is not persistently associated with a Minor or their device, (v) the feature does not consider the Minor’s previous actions, and (vi) the feature contains mitigation features such as time of day or use limits.

The draft rules also provide that if a feature that significantly increases, sustain, or extends a Minor’s use is off by default, but toggled on by the Minor, that act is considered valid consent.

***

If you have questions about the Colorado Privacy Act, these proposed amendments, or how your business may be affected, or if you would like to submit a comment to the draft rules, please contact your regular McDermott Will & Schulte lawyer or the authors of this client alert.