Colorado Kids Privacy Draft Rules Wouldn't Require Age Verification
Colorado plans to forgo a mandate that companies verify users' ages in a rulemaking that updates the state’s comprehensive privacy law. But when enforcing kids privacy restrictions, the state's attorney general could consider companies’ use of age-estimation technologies, said draft rules released Tuesday.
Colorado’s Department of Law proposed draft amendments in a rulemaking for implementing amendments to the Colorado Privacy Act on kids privacy (SB 24-041) and adding precise geolocation to the comprehensive privacy law’s definition of sensitive data (SB 25-276). The department seeks comment on the draft rules by Sept. 10.
In addition, the department scheduled a 10 a.m. MT hearing on the same day as the comments deadline in Denver, according to an email bulletin from the Colorado Office of Policy, Research and Regulatory Reform.
Colorado last month sought early feedback before proposing rules on the kids privacy amendment, which adds a duty to use reasonable care to avoid a heightened risk of harm to those younger than 18 when the controller knows or willfully disregards that the consumer is a minor (see 2506260035).
This month, in pre-rulemaking comments at the law department, retailers urged state regulators not to use the upcoming regulations as a “back door” to require age verification (see 2507140014). In addition, they said the department should be especially careful how it defines a company’s “willful disregard.”
Tuesday’s draft rules clarify that “nothing in this part shall require a Controller or Processor to implement an age verification or age-gating system or otherwise affirmatively collect the age of consumers.”
However, as one factor in considering if a controller willfully disregards that a consumer is a minor, the draft rules say the state could consider whether the controller categorized a consumer as a minor for ad, marketing or internal business purposes.
For example, a controller might employ user-generated content or third-party data “to estimate a Consumer’s age, which indicates that they are a Minor, and the Controller serves ads to them based on that estimation,” says the draft.
Another factor that Colorado enforcers may consider is whether the controller “has directly received information from a parent” or the consumer showing that the consumer is a minor, say the proposed rules.
For example, a consumer might provide a birthdate at signup or edit it later to show she is a minor, or she might put her age in the bio section of her profile, says the draft. Or the consumer might give “relevant indicia that they are a Minor, such as year of birth or grade level, in the profile or account set up of a service.” As another example, a controller might receive a credible report from a parent about a minor using the service, it says.
Also, enforcers may consider if the controller “directed the website or service to Minors, considering different factors such as subject matter, visual content, language, and use of Minor-oriented activities and incentives,” says the draft. That might include, for example, promotional materials for the website that specifically appeal to kids.
In addition, controllers “may consider statutes, administrative rules, and administrative guidance concerning age knowledge standards from other jurisdictions when evaluating the appropriateness of treating a Consumer as a Minor.”
Many state laws on minors use a willful disregard standard without defining it, noted privacy lawyer Odia Kagan of Fox Rothschild in a LinkedIn post Friday. But now, Colorado "comes to the rescue with proposed amendments to Colorado [Privacy Act] provisions on processing the data of minors."
System Design Features
The draft rules also provide factors for considering if a system design feature “significantly increases, sustains, or extends” a minor’s use of a website. In the pre-rulemaking comments, industry warned the department that it should avoid writing rules that run afoul of the First Amendment.
The draft says that Colorado enforcers may consider: (1) if “the controller developed or deployed the system design feature in order to significantly increase, sustain, or extend” a minor’s use or engagement; (2) if “the system design feature has been shown to increase use of or engagement … beyond what is reasonably expected of that particular type of online service, product, or feature when it is used without the system design feature;” and (3) “whether the system design feature has been shown to increase the addictiveness of the online service, product or feature, or otherwise harm Minors when deployed in the specific context offered by the Controller.”
A violation probably won’t be found if the minor “expressly and unambiguously requested” or subscribed to specific media, or if the system design feature is necessary to the online service, product or feature’s “core functionality,” among other reasons, says the draft. There might also not be a problem if the service “contains countervailing measures that could mitigate the harm or other negative effects of the system design feature, such as default time of day or time use limits.”
“The fact that a system design feature is commonly used is not, alone, enough to demonstrate that any particular feature does not significantly increase, sustain, or extend a Minor’s use of an online service, product, or feature,” say the proposed rules. “If a system design feature that significantly increases, sustains, or extends” a minor’s use “is turned off by default and the Minor turns on or enables the feature, such an act will be considered an affirmative action for the purpose of valid Consent.”
Meanwhile, to implement this year's addition of precise geolocation as a form of sensitive data (see 2505050043), the law department proposed deleting from existing rules a paragraph about sensitive data inferences that notes “precise geolocation information at a high level may not be considered Sensitive Data."