Colorado’s Department of Law has issued a formal Notice of Proposed Rulemaking on July 29, 2025, to update rules under the Colorado Privacy Act (CPA) following 2024 legislative amendments focused on protecting minors’ personal data. These proposed rules are open for public comment until September 5, 2025, with a public hearing set for September 10, 2025  .

Key features of the proposed rules include:

• Definition of “willfully disregard” a minor’s status: Controllers are considered to “willfully disregard” a user being under 18 if they receive age information from a user or parent, explicitly target minors with the service, or internally categorize users as minors for business purposes  .

• Restrictions on design features: The rules prohibit using any system design feature that significantly increases, sustains, or extends a minor’s use of a service—unless the controller obtains proper consent (from the minor, or the parent if the minor is under 13)  .

• Expanded minors’ protections: The scope of the CPA is broadened to include teens under 18 (raising the previous threshold of 13). Requirements now include opt-in consent before selling minors’ data, targeted advertising, incompatible use of collected data, profiling, or retaining data longer than necessary. Geolocation data for minors is also restricted, and alerts must display when precise geolocation is being collected. Unsolicited communications to minors by unknown adults are prohibited. Controllers must conduct data protection assessments tailored to minors and must avoid using manipulative consent mechanisms  .

These proposed rules align with Colorado’s broader trajectory of elevated privacy standards for children and teens, expected to take effect by October 1, 2025, while giving regulators and businesses time to adapt  .

View the original full article here: https://www.jdsupra.com/legalnews/colorado-proposes-new-privacy-act-rules-1817545/