SB 24-041

Senate Bill 24-041, also known as "Privacy Protections for Children's Online Data," enhances the Colorado Privacy Act by adding specific protections for minors' data. Starting October 1, 2025, companies that do business in Colorado or target their products and services at Colorado residents must take extra care to avoid risks that could harm children when handling their personal information. These companies are also prohibited from using minors’ data for targeted advertising, selling it, or profiling them without consent, and they cannot collect precise geolocation data unless necessary. The bill was signed into law by the governor on May 31, 2024, meaning these protections will go into effect as scheduled in October 2025.

Official Summary

Effective October 1. 2025, the act amends the "Colorado Privacy Act" to add enhanced protections when a minor's data is processed and there is a heightened risk of harm to minors. The act applies to any entity that controls consumer personal data (controller) and that conducts business in Colorado or delivers products or services that are targeted at Colorado residents, regardless of the volume of or amount of revenue derived from that activity. A controller that offers an online service, product, or feature to a consumer who the controller knows or willfully disregards is a minor is required to: Use reasonable care to avoid any heightened risk of harm to minors caused by the service, product, or feature; and Conduct, and review as necessary, a data protection assessment for the service, product, or feature if there is a heightened risk of harm to minors and maintain documentation regarding the assessment for a specified period. Unless the minor or, for a minor who is under 13 years of age, the minor's parent or legal guardian has consented, a controller is prohibited from processing a minor's personal data: For targeted advertising, selling the minor's personal data, or profiling in furtherance of decisions that produce legal or similarly significant consequences; For any processing purpose other than the purpose disclosed at the time the minor's personal data is collected or a purpose reasonably necessary for the disclosed processing purpose; or For longer than reasonably necessary to provide the service, product, or feature. Absent consent, a controller is also prohibited from: Using a system design feature to significantly increase, sustain, or extend a minor's use of the service, product, or feature; or Collecting a minor's precise geolocation, except under specified circumstances. Neither a controller nor a processor that processes personal data for a controller is required to implement an age verification or age-gating system or otherwise affirmatively verify the age of consumers, and a controller that conducts commercially reasonable age estimation is not liable for an erroneous age estimation. The attorney general and district attorneys are authorized to enforce the requirements of the act in the same manner as authorized under the "Colorado Privacy Act", including notifying a controller of, and allowing a controller time to cure, a violation. APPROVED by Governor May 31, 2024 EFFECTIVE October 1, 2025(Note: This summary applies to this bill as enacted.)

Votes