Colorado Proposes New Privacy Rules Focused on Minors’ Online Data

August 15, 2025

In response to 2024 legislative amendments to the Colorado Privacy Act (CPA), Colorado’s Department of Law (CO DOL) has issued a Notice of Proposed Rulemaking, proposing draft amendments to the CPA rules (Proposed Rules) designed to clarify and strengthen protections for minors’ online personal data.

Companies subject to the Colorado Privacy Act should monitor this process closely, as the new rules will inform compliance planning and requirements. Stakeholders have the opportunity to engage with the CO DOL regarding the Proposed Rules via written comments (due September 5, 2025) or public hearing (scheduled September 10, 2025).

Key Legislative Amendments and Proposed Rules Focusing on Protecting Minors’ Online Data

The 2024 legislative amendments to the CPA creates new requirements and prohibitions for controllers that offer an  “online service, product, or feature” where the controllers “actually know[] or willfully disregard[]” that the consumer is a minor. A minor is defined as a consumer under the age of 18. These updates to the CPA are set to go into effect on October 1, 2025.

The Proposed Rules—which were filed on July 29, 2025—seek to govern the implementation of these statutory changes. In particular, the Proposed Rules:

  • Detail several factors to evaluate if a controller is “willfully disregard[ing]” that a consumer is a minor;
  • Identify factors that would determine if a system design feature “significantly increases, sustains, or extends” a minor’s use of an online service, product, or feature, which is prohibited under the new framework unless the controller obtains appropriate consent to do so; and   
  • Outline how the consent process may operate with respect to enabling features that are turned off by default.

Process Updates and Next Steps

This Colorado rulemaking process reflects a growing trend among states to develop child and teen-focused privacy frameworks that establish heightened requirements. Companies should closely monitor this proceeding and these overall trends to ensure their privacy compliance strategies are keeping up with emerging expectations.   

Written comments can be submitted through the CPA rulemaking comment portal until September 5, 2025. A public hearing is also scheduled for September 10, 2025.

***

Wiley’s Privacy, Cyber & Data Governance Practice has broad experience in navigating rulemakings and compliance surrounding cutting-edge technology and the evolving legal landscape. For questions about this alert, please contact the authors.

Wiley Connect

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek