<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=5678177&amp;fmt=gif">

Stricter Rules for Handling Minors' Data in Colorado Await Governor’s Signature

partial view of little girl in headphones using laptop

On May 15, 2024, a new bill was passed by the Colorado Senate and sent to the state’s Governor, Jared Polis, for signature. 

The new bill, Senate Bill 24-041, would bring a series of changes to the Colorado Privacy Act (CPA) which revolve around the way the personal data of minors is processed and there is a heightened risk of harm to minors. 

Here is a summary of the changes: 

  • It adds specific data protection measures for minors' online activities, provides minors with the right to control their personal data, and imposes stricter requirements on how companies handle minors' data:
  • New definitions are added, specific to minors, such as "minor," "adult," "online service," and "heightened risk of harm to minors."
    • Minor: any consumer under eighteen years of age.
    • Adult: an individual who is eighteen years of age or older.
    • Heightened risk of harm to minors: Processing minors' personal data in ways that could lead to unfair treatment, financial or reputational injury, unauthorized data disclosure, or intrusive behavior.
  • It prohibits companies from processing minors' data for targeted advertising, selling minors' data, and profiling minors without consent and mandates that companies must not retain minors' data longer than necessary to provide the service.
  • It prohibits the use of system design features intended to significantly increase, sustain, or extend minors' use of online services, and the collection of minors' precise geolocation data unless necessary for the service, and mandates that minors must be notified during the data collection.
  • It requires companies to use reasonable care to avoid risks of harm to minors and to conduct data protection assessments for services aimed at minors.
  • It maintains the enforcement mechanisms of the CPA and introduces penalties specifically related to violations of minors' data protection.

If signed, SB 24-041 will become effective on October 1, 2025 unless it or parts of it are contested.