The existing rules

Under the CPA, if a controller has “actual knowledge” that an individual is a minor, the controller must take measures to avoid any heightened risk of harm to the minor. A controller may not “willfully disregard” knowledge of a consumer’s minor status to avoid taking measures to protect users.

Where a controller uses any system that is designed to significantly “increase, sustain, or extend” the use of an online product, feature, or service, the controller must first obtain consent from the user’s parent or guardian for users under age 13 or from the user if they are age 13 –18.

The revisions introduce new standards for the attorney general to determine whether (1) a controller willfully disregarded that a consumer is a minor and (2) a system design feature increases, sustains, or extends a minor’s use of an online product, feature, or service.

These standards provide a framework for controllers to evaluate compliance with the CPA  when creating and deploying system design features on services to minors.

Knowledge standard

Under the new rules, when determining whether a controller willfully disregards that a user is a minor, the Colorado Attorney General may consider the following factors:

• Whether a controller has directly received credible information from a parent or consumer indicating that the consumer is a minor
• Whether the controller has intentionally directed the website or service to minors
• Whether the controller has categorized the consumer as a minor for purposes of advertising

While the first two are likely well-trod ground for many, the third factor – focused on online advertising – brings a new consideration to the table for many.

The new rules do, however, expressly provide that nothing in the rules should be interpreted as requiring some form of age verification or age gate system.

System design features

When determining whether a system design feature “significantly increases, sustains, or extends” a minor’s use of an online service, product, or feature, the attorney general may consider whether:

• The primary purpose of a system design feature is to increase, sustain, or extend use
• The system design feature has been shown by competent evidence to cause harm due to increased usage
• The system design feature has the substantial effect of subverting or impairing a minor’s autonomy, decision-making, or choice
• The system design feature unfairly, fraudulently, or deceptively manipulates or coerces a minor

In what is likely a relief to some controllers, the revised rules also provide some scenarios that outline when a system design feature will likely not be covered:

• If the minor expressly and unambiguously requested the specific media or category of media provided by the system design feature
• If the media is recommended, selected, or prioritized only in response to a specific search inquiry by the minor or is exclusively next in a preexisting sequence from the same author, creator, poster, or source
• If the system design feature is necessary for the core functionality of an online service, product, or feature
• If the system design feature is based on information that is not persistently associated with the minor or the minor’s device
• If the system design feature does not consider the minor’s previous interactions with media generated or shared by other consumer
• If the online service, product, or feature contains measures to mitigate harm from such system design features, which could include default time of day or time use limits, or required parental controls
• If the system design feature’s primary function is to enhance safety for minors, remove spam, or filter out age-inappropriate content

The “likely not” formulation in the new rules is an important one, as it means that the above scenarios are not necessarily safe harbors. Rather, they are the scenarios under which the Colorado Attorney General likely would not determine that the system or design feature triggered the requirements of the CPA.

Additional consent method

The new rules provide that if a system design feature is turned off by default and later turned on or enabled by a minor, that act by the minor will be considered a valid consent control under the CPA.

What’s next?

The rules will become effective 30 days after they are published in the state register, which we anticipate will be later this year.

Given this short runway, businesses subject to the CPA should begin evaluating whether their current systems are covered under the new definition of system design features and whether the necessary consent mechanisms are in place.

If you have questions or need assistance preparing for new state consumer rules and regulations, please contact your regular McDermott lawyer or reach out to the authors.