Industry: Colorado Should Avoid Requiring Age Verification in Kids Privacy Rulemaking
Colorado shouldn’t use upcoming kids’ privacy regulations as a “back door” to require age verification, retailers warned the state’s law department last week. In addition to warning against requiring verification through possible rules about a company’s “willful disregard” of a user being a minor, industry groups cautioned that any regulation of system design features mustn’t violate the First Amendment.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Pre-rulemaking comments were due Friday on the department’s plan to propose rules to implement a kids privacy amendment (SB 24-041) to Colorado’s comprehensive privacy law (see 2506260035). Privacy Daily reviewed comments that had been posted by the department as of Monday afternoon.
The Colorado Privacy Act (CPA) doesn't require age verification and the department "cannot and should not impose such a requirement by regulation,” the Colorado Retail Council’s board of governors commented. "The willful disregard standard should not provide a ‘back door’ to impose or respect age verification.”
The State Privacy and Security Coalition (SPSC) said similarly that the CPA doesn't require age or parental verification and the department "should not use rulemaking to impose such requirements indirectly.” It noted that CPA data-minimization requirements require "controllers to limit personal data collection and retention to what is necessary to achieve a defined purpose,” so any “interpretation of ‘willfully disregards’ that encourages or compels controllers to infer user age (e.g., by aggregating behavioral signals, linking identifiers across services, or analyzing device-level data) would conflict directly with these statutory obligations.”
The Computer and Communications Industry Association agreed that this standard “should not place an online service in legal jeopardy for failing to verify its users’ ages.” CCIA commented that forcing “online services to collect more data about minors conflicts with data minimization principles ingrained in standard federal and international privacy and data protection compliance practices. Determining a user’s age and verifying parental consent inherently requires collecting additional sensitive data from those users, and any document capable of verifying a user’s age will likely contain sensitive information.”
Echoing others, TechNet said “any rule that effectively compels additional age or identity data would conflict with the CPA’s data minimization requirement and duty to avoid secondary uses, as well as raise serious equity and privacy concerns.”
However, while the Network Advertising Initiative agreed the department shouldn't require companies to verify ages, "the NAI recommends considering age and/or identity verification as a strong indicator to controllers and processors as to whether a consumer may be a minor. For example, if a controller uses a reasonable age verification system that indicates the consumer is not a minor, that should create a rebuttable presumption the controller has not willfully disregarded the minority status of the consumer.”
The industry groups stressed that companies mustn’t be faulted for ignoring less reliable evidence that a consumer is a minor under the willful-disregard standard.
For instance, CCIA said it should be only “upon showing that they have deliberately ignored clear evidence that a consumer is a minor.” Consistent with the Children’s Online Privacy Protection Act (COPPA), “if an online service ignores a user’s direct statement in their own profile that they are a minor, or if the online service’s own marketing materials state that they are treating a consumer as a minor for marketing purposes, it can be said to have willfully disregarded that the consumer is a minor.”
“An online service should not be deemed to have willfully disregarded that a consumer is a minor merely because it makes products or services that minors could use in theory,” CCIA added. “For instance, TVs, phones, and computers may be present in homes with minors and may have multiple user profiles. The mere presence of an internet-enabled device in a home containing minors does not establish that minors are using such devices."
“Willful disregard should be interpreted to mean when a controller consciously ignores concrete indicators -- such as an age field supplied by the user or a controller’s own advertising segmentation -- demonstrating with reasonable certainty that the user is a minor,” concurred TechNet. “The mere possibility that minors use a service, or that content appeals to teens, cannot be enough and should not create constructive knowledge, as adults and minors frequently enjoy the same online platforms and content. To do otherwise would chill lawful speech, undermine constitutional protections, and create practical barriers for mixed-age platforms."
NAI suggested that the department provide a "test with clearly defined factors" to determine when a controller willfully disregarded someone is a minor.
"Regarding a controller’s knowledge, it is important to distinguish first-party publishers from third-party companies such as advertising technology companies that in most cases do not interact directly with users,” added the ad group. While online advertisers can see a "COPPA flag" communicating that a website is targeted to kids younger than 13, that doesn’t flag teenagers. "Most third party companies are not capable of independently determining the intended audience of a website or service, and therefore would be unable to make a fair assumption that the users are predominantly children or minors."
Chamber of Progress said Colorado should avoid any degree of age-verification mandate. “Even if requirements rely on age estimation or other de facto methods, the risk of liability will likely cause platforms to overmoderate content, restricting access to important information and expression while raising significant constitutional concerns regarding free speech and privacy.” The law department must be clear and objective, the tech association added. “It must concentrate on intentional ignorance of unmistakable evidence that a user is a minor, rather than relying on possibility or assumptions."
Consent and Free Speech
"Design is constitutionally protected expression,” reminded the Colorado Retail Council, echoing the sentiments of several other industry commenters. “And although technology has changed, the basic principles of the First Amendment do not vary -- and they apply equally to online speech, including speech mediated via websites, apps, and algorithms.” The Colorado Chamber of Commerce filed nearly identical comments.
Focus on regulating features that significantly extend someone's usage time and do so in a deceptive or misleading way, said the retailers. “Both criteria should be interpreted to give a wide berth for legitimate and constitutional design choices.”
The CPA "already contains definitions of consent that apply to all provisions of the CPA, including limitations on consent obtained via so-called 'dark patterns,’” they added. “There is no statutory basis for consent in this context to differ from any other consent obtained in any other context under the CPA, and the Department’s decision to do so could be viewed as reflecting content-based judgments regarding constitutionally protected expression.”
Don't implement "a separate or heightened consent standard for system design features,” urged the SPSC: Doing so "would deviate from the carefully crafted statutory framework and could raise constitutional concerns by effectively introducing content-based restrictions on protected speech." Adopting the existing COPPA framework for verifiable parental consent "will allow Colorado businesses to rely on tested and legally vetted practices and avoid duplicative, inconsistent, or ambiguous consent obligations,” it added.
The Entertainment Software Association urged the department to tread carefully since video games are designed to engage players with "compelling storylines, interesting characters, and visually appealing settings." Industry is concerned that "without careful consideration in drafting, these elements could be inappropriately considered a ‘system design feature’ that would ‘significantly increase, sustain, or extend a minor's use” of the game.’” Therefore, “ESA requests that the definition of system design features be clear, narrowly tailored, related to privacy and data processing, and consistently applied.”
Also, Colorado regulators should align their approach to parental consent for children younger than 13 with COPPA’s verifiable parental consent framework and “avoid overly prescriptive consent requirements,” said ESA. "Where a minor may provide their own consent, ESA again requests that controllers be given flexibility in determining how to obtain consent directly from minors."
Internet Works said the department should focus on "engagement mechanisms that are demonstrably manipulative or enable compulsive use.” For instance, the Colorado tech association said, “design features that are core platform features, such as addictive infinite scroll, endless algorithmic feeds, or perpetual auto-play video, should be the focus of regulation, rather than broadly restricting features that serve to provide recommendations or facilitate time spent off the feed.”
After the Colorado law department reviews comments, it plans to release a rulemaking notice and a copy of the draft proposal on the state secretary's website, said a June 26 document on pre-rulemaking considerations. The rulemaking phase would include a formal hearing and another round of comments.