Colorado Kids Privacy Draft Rules Are a Reflection of State Trends, Lawyers Say
Colorado's proposed draft amendment on kids' privacy in a rulemaking for implementing changes to the Colorado Privacy Act reflect the ongoing trend of states expanding privacy protections for their constituents beyond federal law, said Morgan Lewis lawyers in a blog post Tuesday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The proposed rules "signal a broader national shift in how states regulate data associated with teens and children," the blog said. "While the federal Children’s Online Privacy Protection Act (COPPA) has long governed data practices for children under 13, Colorado is among a growing number of states extending COPPA-like protections to older minors, complicating compliance for companies with nationwide operations and user bases."
Colorado's children's privacy amendment adds a duty to use reasonable care to avoid a heightened risk of harm to those younger than 18 when the controller knows or willfully disregards that the consumer is a minor (see 2506260035). The state's Department of Law is seeking comment on the draft by Sept. 10 (see 2507300010).
"The most impactful, and potentially burdensome, aspect of the proposed amendments is the expansion of protections for minors under 18," said the lawyers, because they create obligations for a broader age range than what COPPA requires.
"Colorado’s move to expand minor privacy protections is not an outlier," the blog added, noting that Vermont, Nebraska, and Arkansas passed legislation in the first half of 2025 to expand certain privacy rights to teens. In addition, "Connecticut amended its data privacy law to include new safeguards for minors," while "California, New York, and Maryland have all passed 'age-appropriate design' laws, though some face legal challenges."
The Morgan Lewis lawyers said the "ongoing trend of states taking steps to extend privacy protection for their residents beyond more specific and limited protections that have historically existed under federal law ... continues to complicate the compliance burden for companies doing business in the United States."
"Companies that begin preparing now, by mapping age-related data flows, evaluating design features for engagement impact, and building flexible consent infrastructure, as well as evaluating use of biometrics, will be better positioned as more states follow Colorado’s lead."