The Colorado Attorney General’s Office recently released proposed rule amendments to the Colorado Privacy Act (CPA) that, if adopted, would create some of the most robust protections for minors’ online data in the United States. Building on 2024 legislation, the draft rules expand upon existing CPA obligations by establishing new requirements for biometric data, clarifying when inferred data constitutes “sensitive” information and, most notably, introducing a new framework for protecting the privacy of minors under the age of 18.
The proposed rules, which are open for public comment through September 10, 2025, signal a broader national shift in how states regulate data associated with teens and children. While the federal Children’s Online Privacy Protection Act (COPPA) has long governed data practices for children under 13, Colorado is among a growing number of states extending COPPA-like protections to older minors, complicating compliance for companies with nationwide operations and user bases.
If finalized, the amendments would require businesses to evaluate how they approach system design, advertising, and data collection for users between the ages of 13 and 17.
The CPA was signed into law on July 8, 2021, and the initial set of implementing rules was finalized in March 2023, following a public comment period and hearing process, with most provisions taking effect on July 1, 2023. These initial rules included requirements for universal opt-out mechanisms, profiling restrictions, and data protection assessments.
In 2024, Colorado lawmakers expanded the CPA’s scope, adding privacy requirements for minors under 18. In response, the Colorado Attorney General’s Office issued several rounds of proposed rule amendments throughout late 2024. A third version of those amendments was finalized on December 17, 2024, with most changes taking effect on January 30, 2025. The expanded children’s privacy provisions are scheduled to take effect on October 1, 2025, and remain the subject of ongoing rulemaking.
The most impactful, and potentially burdensome, aspect of the proposed amendments is the expansion of protections for minors under 18. While COPPA has long required verifiable parental consent for children under 13, Colorado’s rules create obligations for a much broader age range. This includes a requirement that businesses obtain affirmative consent before activating certain “system design features” that may increase the “addictiveness” of an online service targeted at minors.
These features include personalized recommendations, autoplay, gamified elements, and other tools commonly used to retain users’ attention. The rules specify that a feature is covered if it is designed to “significantly increase, sustain, or extend” a minor’s use of the online service. Importantly, if such a feature is off by default and a minor manually enables it, that act will be treated as valid affirmative consent.
This creates new design and disclosure considerations for companies building consumer apps, online games, video platforms, and educational tools. Product teams may need to document the purpose and expected engagement impact of certain features to demonstrate compliance.
Under COPPA, companies are only bound by its requirements if they have “actual knowledge” that a user is under 13 or if their platform is specifically “directed at” children under 13. The Colorado rules go further, adopting a broader “knowledge standard” under which businesses may be liable if they know or willfully disregard that a user is a minor under 18.
The rules outline a non-exhaustive list of indicators that may trigger this standard—for example, if a user includes their age or school grade in a profile, if a parent reports that a user is a minor, or if the business markets directly to teen audiences. A business could also be deemed to have constructive knowledge if it segments users as minors for internal purposes such as ad targeting.
While the Colorado and COPPA standards share some objective criteria, this expanded knowledge standard could force companies to take additional steps to confirm and track users’ age.
Colorado’s move to expand minor privacy protections is not an outlier. In the first half of 2025 alone, Vermont, Nebraska, and Arkansas passed legislation extending certain privacy rights to teens. Connecticut amended its data privacy law to include new safeguards for minors. California, New York, and Maryland have all passed “age-appropriate design” laws, though some face legal challenges.
Notably, a federal court in California recently issued a preliminary injunction against that state’s Age-Appropriate Design Code Act, finding that the law likely violates the First Amendment. See NetChoice, LLC v. Bonta, No. 5:2022cv08861 (N.D. Cal. 2023). Similar challenges have been filed against Maryland’s law. Anticipating this, Colorado lawmakers included language asserting that the state’s law does not restrict free speech or press rights under the US Constitution, a move likely designed to preempt constitutional litigation.
Still, whether this disclaimer will be enough remains to be seen. Many in the tech industry argue that laws regulating online design choices can amount to impermissible content regulation. That legal uncertainty may lead some companies to delay implementation or hope for judicial intervention before the Colorado statute’s October 1, 2025, effective date.
If adopted, the proposed rules may impose significant compliance obligations on businesses that operate in Colorado or process personal data from Colorado residents. Companies will need to review and possibly reevaluate:
In some cases, businesses may need to implement age-gating tools or collect additional personal data to determine a user’s age, ironically increasing the very privacy and cybersecurity risks these laws aim to reduce. Complying with the new requirements could push companies to track users more closely over time.
In addition to its efforts to strengthen protections for minors with these proposed amendments, Colorado is also taking a more assertive stance on biometric privacy. The proposed amendments would require businesses to publish a public-facing policy detailing how biometric data (e.g., fingerprints, facial geometry, and voiceprints) is collected, used, shared, and deleted. Express consent would be required before using or disclosing such identifiers, and the rules would apply not only to consumer-facing businesses but also to employers and service providers.
While these provisions are distinct from the child privacy framework, they reflect the same broader trend: a more proactive, risk-based approach to data governance that is increasingly taking shape at the state level.
The Colorado amendments reflect an ongoing trend of states taking steps to extend privacy protection for their residents beyond more specific and limited protections that have historically existed under federal law. This trend continues to complicate the compliance burden for companies doing business in the United States.
Whether or not the courts ultimately uphold all aspects of the Colorado rules, companies that begin preparing now, by mapping age-related data flows, evaluating design features for engagement impact, and building flexible consent infrastructure, as well as evaluating use of biometrics, will be better positioned as more states follow Colorado’s lead.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: