What started as a flurry when California included protections for data about known teens in its 2018 privacy law soon became a blizzard. State after state passed new protections for teens into their own privacy laws, with each version raising the standards above the previous ones.
Now, even in the depths of summer, an avalanche is forming in Colorado’s mountain passes, as amendments to the Colorado Privacy Act (CPA) are set to come into force on October 1, 2025.
Draft rules implementing the CPA amendments (the Proposed Rules) issued July 29, 2025, by the Colorado Department of Law (DOL) aim to extend heightened protections not only to data about known minors under 18 but also any personal information collected on websites or services directed to such minors, even when a business does not know the ages of its users.
Among other things, this will require controllers operating services intended for minor audiences to seek opt-in consent before engaging in many standard business practices, such as targeted advertising, profiling, and extended data retention. Controllers will also need to conduct data protection assessments, implement technical safeguards related to geolocation data and communication tools, and avoid design features intended to increase engagement or addiction by minors.
The DOL has opened the Proposed Rules to public comment from July 29 to September 10, 2025. A public hearing on September 10 will follow the public comment period. The Proposed Rules do not include an effective date, but it is likely that the DOL set the rulemaking timeline with the goal of finalizing the Proposed Rules by October 1, 2025, when the CPA amendments are scheduled to go into effect.
To read the full alert, click here.
The post Colorado Proposes Children’s Privacy Amendments to Privacy Act Regulations appeared first on Data, Privacy & Cybersecurity Insights.