Effective October 1, 2025, Colorado Senate Bill (SB) 24-041 significantly amends the Colorado Privacy Act (CPA) to impose heightened obligations on entities that process the personal data of minors (individuals under 18 years of age), particularly where there is a reasonably foreseeable risk of harm. Unlike the original CPA, SB 24-041 applies regardless of revenue or data-processing thresholds, which extends its reach.
Who Is Covered
SB 24-041 covers any controller or processor that offers an online service, product, or feature to Colorado consumers that the controller knows, or willfully disregards, are minors. This applies regardless of data volume or revenue thresholds, making it broader than the baseline CPA coverage. A “minor” is defined as anyone under 18. For children under 13, parental or guardian consent is required; those aged 13-17 may consent themselves. The CPA covers anyone doing business in Colorado or targeting Colorado residents.
Key New Duties and Restrictions
- Duty of Reasonable Care: Controllers must exercise reasonable care to avoid any heightened risk of harm to minors caused by their service, product, or feature. “Heightened risk of harm” means “processing personal data of minors in a manner that presents a reasonably foreseeable risk that could cause unfair or deceptive treatment of, or unlawful disparate impact on, minors; financial, physical, or reputational injury to minors; unauthorized disclosure of personal data of minors due to a security breach; or physical or other intrusion upon the solitude or seclusion, or the privacy affairs or concerns, of minors if the intrusion would be offensive to a reasonable person.”
- Data Protection Assessments (DPAs): These assessments are required for online services, products, or features that pose a heightened risk of harm to minors. DPAs must be conducted and reviewed as necessary and retained for a specified period. The Attorney General may request assessments.
- Consent Requirements: Absent consent (from the minor, or from a parent or guardian for children under 13), controllers are prohibited from processing minors’ personal data for targeted advertising, selling minors’ personal data, or profiling in furtherance of decisions with legal or similarly significant effects. They are also prohibited from processing for secondary purposes beyond what was disclosed at collection or beyond what is reasonably necessary for the disclosed purpose, and from retaining minors’ data longer than reasonably necessary to provide the service, product, or feature.
- System Design Features: Absent appropriate consent, controllers may not use any system design feature that significantly increases, sustains, or extends a minor’s use of the service, product, or feature. Proposed rules provide the following factors to assess when a system design feature significantly increases, sustains, or extends a minor’s use of the online service, product, or feature:
  - Whether the controller developed or deployed the system design feature in order to significantly increase, sustain, or extend a minor’s use of or engagement with an online service, product, or feature
  - Whether the system design feature has been shown to increase use of or engagement with an online service, product, or feature beyond what is reasonably expected of that particular type of online service, product, or feature when it is used without the system design feature
  - Whether the system design feature has been shown to increase the addictiveness of the online service, product, or feature, or otherwise harm minors when deployed in the specific context offered by the controller; notably, the proposed amendments do not define what is meant by addictiveness
  The revised rules also state that a system design feature is unlikely to be considered as significantly increasing, sustaining, or extending a minor’s use of an online service, product, or feature if any of the following conditions are met:
  - User-Initiated Media Access: The minor has expressly and unambiguously requested specific media, subscribed to media from a particular author, creator, or poster, or joined a page or group featuring such media, provided that the media is not recommended, selected, or prioritized based on information associated with the minor or their device.
  - Search-Based or Sequential Content: The media is recommended, selected, or prioritized solely in response to a specific search query initiated by the minor, or is the next item in a preexisting sequence from the same source.
  - Core Functionality: The design feature is essential to the core functionality of the online service, product, or feature.
  - Nonpersistent Data Use: The feature operates based on information that is not persistently linked to the minor or their device.
  - No Behavioral Targeting: The feature does not rely on the minor’s prior interactions with media generated or shared by other users.
  - Mitigation Measures: The service includes countermeasures to reduce potential harm or negative effects of the feature, such as default time-of-day restrictions or usage time limits.
- Precise Geolocation: Absent consent, controllers may not collect a minor’s precise geolocation except where it is reasonably necessary to provide the service, it is retained only for the time necessary, and a clear, ongoing signal indicates collection while it occurs.
Knowledge Standard and Age Estimation
There is no mandate to implement age verification or age-gating. Controllers, and processors that process personal data on behalf of other controllers, are not required to affirmatively verify consumer ages, and controllers are not liable for an erroneous age estimation made in a commercially reasonable manner. The revised rules provide the following factors that may be considered in determining whether a controller “willfully disregards” that a consumer is a minor:
- Whether the controller has directly received information from a parent or consumer indicating that the consumer is a minor
- Whether the controller has directed the website or service to minors, considering different factors such as subject matter, visual content, language, and use of minor-oriented activities and incentives
- Whether the controller has categorized a consumer as a minor for marketing, advertising, or internal business purposes
The revised rules also encourage controllers to consult applicable statutes, administrative regulations, and guidance from other jurisdictions when evaluating age determination standards.
Enforcement and Cure Period
The Colorado Attorney General and District Attorneys may bring enforcement actions for violations. A 60-day cure period is available until December 31, 2026, after which enforcement may proceed without notice.
Practical Compliance Next Steps for Businesses
- Assess Applicability: Identify online services, products, or features that are directed to minors or attract a material teen audience. Map data flows to determine where the business has actual knowledge or may be deemed to willfully disregard that users are minors.
- Implement Age Estimation: Adopt commercially reasonable age estimation methods to route users into appropriate experiences, without requiring formal age verification.
- Default Settings & Consent: Disable by default features that could significantly increase, sustain, or extend minors’ use unless and until valid consent is obtained. Document rationale where a feature is core functionality or will likely not be found to significantly increase, sustain, or extend minors’ use of the online service, product, or feature.
- Redesign Consent Mechanisms: Build opt-in consent flows for minors (13-17) and verifiable parental consent for users under 13 for targeted ads, sale of personal data, profiling with significant consequences, secondary processing purposes, extended data retention, and use of design features that significantly increase, sustain, or extend a minor’s use of the service, product, or feature.
- Suppress Targeted Ads and Sales: Configure systems to block targeted advertising and data sales for minors absent consent, and honor universal opt-out mechanisms.
- Geolocation Controls: Limit collection of precise geolocation data for minors to what is strictly necessary; provide clear, continuous collection signals; and minimize retention periods.
- Data Minimization & Retention: Define and enforce purpose-specific, short retention schedules for minors’ data and conduct regular reviews to ensure data is still necessary.
- Conduct DPAs: Build or refresh minor-focused DPAs for services with heightened risk; assess foreseeable harms, mitigations, and design trade-offs; and maintain documentation and be prepared to provide assessments to the Attorney General upon request.
- Vendor/Processor Agreements: Update agreements with vendors/processors that process minors’ personal data to flow down minor-related restrictions, including no targeted ads, no data sales, limited retention, geolocation limits, and design-feature gating.
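The consent-gating steps above (default-off processing for minors, self-consent for ages 13-17, parental consent under 13, and the precise-geolocation exception) can be enforced as a single policy check at the point where a system decides whether to process a record. The following is an added illustration written for this summary, not code from the bill, the rules, or any product; the `Purpose` names, the `Request` fields, and the conservative handling of a known minor of unknown age (parental consent required) are assumptions of the example.

```python
"""Illustrative consent gate for minors' personal data under SB 24-041 (added example)."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional, Tuple


class Purpose(Enum):
    # Processing the page lists as prohibited for minors absent consent.
    TARGETED_ADS = auto()
    SALE = auto()
    SIGNIFICANT_PROFILING = auto()   # decisions with legal or similarly significant effects
    SECONDARY_PURPOSE = auto()       # beyond what was disclosed at collection
    ENGAGEMENT_FEATURE = auto()      # design feature that extends a minor's use
    PRECISE_GEOLOCATION = auto()     # has a narrow no-consent exception (see below)


@dataclass(frozen=True)
class Consent:
    purpose: Purpose
    granted_by: str  # "self" (the minor) or "parent" (parent or guardian)


@dataclass
class Request:
    age: Optional[int]                  # commercially reasonable estimate; None = unknown
    known_minor: bool = False           # controller knows or willfully disregards minor status
    consents: Tuple[Consent, ...] = ()
    geo_reasonably_necessary: bool = False  # geolocation needed to provide the service
    geo_signal_shown: bool = False          # clear, ongoing collection signal is displayed


def treated_as_minor(req: Request) -> bool:
    """Minor = under 18 by estimate, or flagged via the willful-disregard factors."""
    return req.known_minor or (req.age is not None and req.age < 18)


def valid_consent(req: Request, purpose: Purpose) -> bool:
    """Under 13: parental consent only. 13-17: the minor may consent. Unknown age: parent (assumption)."""
    needs_parent = req.age is None or req.age < 13
    return any(c.purpose == purpose and (c.granted_by == "parent" or not needs_parent)
               for c in req.consents)


def may_process(req: Request, purpose: Purpose) -> Tuple[bool, str]:
    """Return (allowed, reason). Adults fall through to the baseline CPA rules, not modelled here."""
    if not treated_as_minor(req):
        return True, "not a minor: baseline CPA rules apply"
    if valid_consent(req, purpose):
        return True, "valid consent on file"
    if purpose is Purpose.PRECISE_GEOLOCATION and req.geo_reasonably_necessary and req.geo_signal_shown:
        return True, "geolocation reasonably necessary and ongoing signal shown (retain only as long as needed)"
    return False, f"{purpose.name} for a minor requires consent"
```

Retention limits on geolocation and on minors' data generally are time-based and are enforced by the retention schedule, not by this point-in-time check.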
If you have questions about how the CPA affects your products, advertising, data flows, or design features or need help preparing DPAs, consent flows, or age estimation programs, please contact our Data360 team.