Colorado Attorney General’s Office Finalizes Latest Colorado Privacy Act Rulemaking

Key point: The rules provide further guidance to controllers subject to the law’s children’s privacy protections.

On October 9, 2025, the Colorado attorney general’s office announced final revisions to the proposed draft amendments to the Colorado Privacy Act (CPA) rules. The office published draft rules in July and solicited public comments. The final revisions reflect changes to the rules based on those public comments. The office has requested an Attorney General opinion letter for these rules. After the opinion letter is received, the rules will be filed with the Secretary of State for publication in the Colorado Register. The rules will become effective 20 days after publication.

In the below article, we provide a brief summary of the changes.

In our prior article, we provided background on the rulemaking process, the statutory background, and a summary of the proposed amendments. As explained in that article, the amendments do three things. First, they operationalize the children’s privacy law amendments by providing direction for what it means for a controller to “willfully disregard” that a consumer is a minor (under 18 years of age). Second, the amendments flesh out what it means for a system design feature to significantly increase, sustain, or extend a minor’s use of an online service, product, or feature. Finally, the amendments change the rule’s existing definition of “revealing” to address the addition of precise geolocation data as an element of sensitive data.

Willfully Disregard

The final rules establish three factors that may be considered when determining if a controller willfully disregards that a consumer is a minor: (1) if the controller has directly received credible information from a parent or consumer indicating that the consumer is a minor; (2) if the controller has intentionally directed the website or service to minors, considering different factors such as marketing or promotional materials that refer to the intended audience as “minors” or “teens,” hosting or displaying advertisements that are directed to minors, or empirical evidence demonstrating that the intended or actual audience of largely composed of minors; or (3) if the controller has categorized a consumer as minor to service advertising on the platform or service.

The final rules also note that these factors are not exhaustive, that no one factor is dispositive of the analysis, and the office may consider the totality of the circumstances when determining if a controller willfully disregards that a consumer is a minor.

Finally, the rules state that they do not require controllers to implement commercially reasonable age verification or age-gating systems or otherwise affirmatively collect, retain, use, link, or combine personal data concerning a consumer that they would not otherwise collect, retain, use, link, or combine in the ordinary course of business, such as a consumer’s age.

System Design Features

The final rules identify three factors that may be considered when determining if a system design feature significantly increases, sustains, or extends a minor’s use of an online service, product, or feature:

1. Whether the controller developed or deployed the system design feature primarily to significantly increase, sustain, or extend a minor’s use of or engagement with an online service, product, or feature;
2. Whether the system design feature has been shown by competent and reliable empirical evidence to cause harm due to increased use of or engagement with an online service, product, or feature; and
3. Whether the system design feature has the substantial effect of subverting or impairing minor autonomy, decision making or choice, or unfairly, fraudulently, or deceptively manipulating or coercing a minor.

The second and third factors received the most revisions in this section. This is consistent with our prior article where we identified the two factors as those likely to be the subject of public comments.

The final rules also identify seven situations in which a system design feature will likely not be found to significantly increase, sustain, or extend a minor’s use of an online product, service, or feature:

1. If the minor expressly and unambiguously requested specific media or category of media, the minor subscribed to specific media by the author, creator, or poster, or the minor has subscribed to a page or group featuring specific media, provided that the media is not recommended, selected, or prioritized for display based, in whole or in part, on other information associated with the minor or the minor’s device;
2. If media are recommended, selected, or prioritized only in response to a specific search inquiry by the minor, or is exclusively next in a pre-existing sequence from the same author, creator, poster, or source;
3. If the system design feature is one that is necessary to the core functionality of an online service, product, or feature;
4. If the system design feature is based on personal data that is not persistently associated with the minor or the minor’s device;
5. If the system design feature does not consider the minor’s previous interactions with media generated or shared by other consumers;
6. If the online service, product, or feature contains countervailing measures that could mitigate the harm or other negative effects of the system design feature, such as default time of day or time use limits, or required parental controls; or
7. If the system design feature’s primary function is to enhance the safety of the platform for minors, remove spam, or filter out age-inappropriate content.

The final rules contain clarifying revisions to the first, fourth, and sixth categories while the seventh category is new.

The final rules also state that the three factors are not exhaustive, that no one factor is dispositive, and the office can consider the totality of circumstances when evaluating if a system design feature significantly increases, sustains, or extends a minor’s use of an online service, product or feature.

The office also added a provision that the rule “does not impose any obligation on a Controller or Processor that adversely affects the rights of any person to freedom of speech or freedom of the press guaranteed by the First Amendment to the United States Constitution.”

Definition of Revealing

The final revisions do not make any changes to the definition of “revealing” that was provided in the proposed rules. As such, the final rules remove the example from the definition of “revealing,” which states that precise geolocation can be considered sensitive data if it can be used to infer an individual’s sensitive data. The office needed to remove the example to align with the other amendments made to the CPA this year that added precise geolocation as an element of sensitive data.