Colorado Kids Privacy Rules May Not Survive Lawsuit, NetChoice Warns

In July, the department proposed draft amendments in a rulemaking for implementing amendments to the Colorado Privacy Act that address kids privacy (SB 24-041) and adding precise geolocation to the comprehensive privacy law’s definition of sensitive data (SB 25-276). The draft rules wouldn’t require companies to verify users’ ages, but they say the state's attorney general could consider companies’ use of age-estimation technologies (see 2507300010).

The proposed kids privacy rules “are neither clear nor workable,” said Hedger. “More importantly, we fear they are unconstitutional.” The proposed rules may violate the First Amendment by seeking to regulate system design features of online platforms, “which federal courts have repeatedly affirmed is protected editorial discretion.” Hedger cited court decisions in NetChoice challenges to California’s age-appropriate design code law and to Utah and Arkansas age-verification laws.

Also, by creating liability for any design feature that increases user engagement, the draft rules create a “hopelessly vague” standard and a “framework that ultimately punishes success,” said Hedger. “Under this rule, a company that creates … a popular privacy-enhancing feature could be penalized simply because consumers value it and use it more.”

The Computer & Communications Industry Association urged the Colorado attorney general’s office “to refine these rules so they target genuine harms without penalizing safe, beneficial or constitutionally productive practices,” said Aodhan Downey, the group's state policy manager for the West region. CCIA has in the past joined NetChoice in suing states over child online safety laws.

Downey suggested closer alignment of the proposed Colorado rules with standards in the federal Children’s Online Privacy Protection Act. “This avoids confusion for businesses and ensures that compliance expectations are consistent nationwide.”

Other industry groups also raised concerns. “Editorial choices regarding product offerings have been recognized as constitutionally protected,” said William Martinez, representing the State Privacy and Security Coalition (SPSC). “The proposed rule risks sweeping in legitimate features under this protected area [of] free expression.”

Martinez also said the Colorado rules “should make clear that liability arises only when businesses have credible and substantiated indicators that a user is a minor.” The department should narrow the “definition of a ‘credible report’ to intentional notices submitted through designated channels.”

Additionally, Martinez urged the department to delete its proposed test for determining that a site is directed at minors. “General audience platforms could be misclassified as youth-directed simply because they are popular with young people.” The SPSC lobbyist urged the state not to penalize companies “for voluntarily applying safeguards for those individuals they internally categorize as a minor.”

The video game industry seeks revisions as well, said Maya McKenzie, the Entertainment Software Association's senior counsel of tech policy. For instance, the test for determining that a website is directed toward minors isn’t “aligned with the statute and would not accurately distinguish general audience services from minor-directed ones,” she said. “To avoid this issue, the rule should focus on objective factors, like the language a service uses to describe its intended audience, and reliable empirical evidence regarding audience composition.”

The rules shouldn’t “consider age estimates made for internal business purposes in assessing whether a controller has willfully disregarded that a user is a minor,” added McKenzie. “Doing so … disincentivizes controllers from taking voluntary steps to proactively protect minors online.” Under the draft rules, “overinclusive and unreliable estimates could be used against companies employing such voluntary safeguards designed to make video games fun, enjoyable and safe for all.”