Colorado Enhances Online Privacy Protections for Children

The Colorado General Assembly passed a bill that amends the Colorado Privacy Act by enhancing online data privacy protections for children. Senate Bill 24-041 applies to all organizations that control personal data and conduct business in the state. There are no thresholds for the volume of data possessed or the amount of revenue derived.

The amendments will go into effect on October 1, 2025.

Business Obligations

A controller that offers an online service, product, or feature to a consumer that the controller knows or willfully disregards is a minor must meet the following requirements:

• Use reasonable care to avoid any heightened risk of harm to minors (anyone under 18) caused by the online service, product, or feature. Heightened risk of harm is defined as processing the personal data of minors in a manner that presents a reasonably foreseeable risk that could cause:
  • Unfair or deceptive treatment of, or unlawful disparate impact on minors.
  • Financial, physical, or reputational injury to minors.
  • Unauthorized disclosure of personal data of minors due to a security breach
  • Physical or other intrusion upon the solitude or seclusion, or private affairs or concerns, of minors if the intrusion would be offensive to a reasonable person.
• Gain the consent of the minor, or consent from a parent if the child is under 13, to process the minor’s data for any of the following purposes:
  • Targeted advertising
  • The sale of personal data
  • Profiling
  • Any processing purpose other than what was disclosed at the time of collection
  • Processing the data longer than what is necessary to provide the service, product, or feature
• The use of any system design feature to significantly increase, sustain, or extend a minor’s use of the online service, product, or feature is prohibited.
• The collection of a minor’s precise geolocation data is prohibited, unless:
  • The data is necessary to provide the service, product, or feature
  • The data is only retained for the time necessary to provide the service, product, or feature
  • A signal is sent to the minor indicating the controller is collecting the geolocation data
• Controllers must conduct a data protection assessment if their online service, product, or feature poses a heightened risk of harm to minors.

Enforcement

The Colorado Attorney General and district attorneys have the same enforcement authorization with these amendments as the Colorado Privacy Act. There is a 60-day right to cure if a cure is deemed possible. The cure period ends December 31, 2026.

CompliancePoint has a team of privacy experts who can help your organization comply with all state privacy laws, including the Colorado Privacy Act, CCPA, and the GDPR. Contact us at connect@compliancepoint.com to learn more about our services.