Potential Legal Challenge Looms as Colo. Privacy Changes Take Effect
A potential tech industry legal challenge is looming as child-related amendments to the Colorado Privacy Act go into effect Wednesday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The office for Colorado Attorney General Phil Weiser (D) closed public comment on draft rules clarifying the amendments on Sept. 10, the same day NetChoice warned at a virtual hearing that the rules won’t “survive a legal challenge” (see 2509100045).
All comments collected through Sept. 10 were added to the formal rulemaking record. Both the draft rules and statutory amendments go into effect Wednesday. Weiser’s office didn’t comment Thursday.
NetChoice in its written comments highlighted successful legal campaigns against California’s age-appropriate design code law and similar laws in Arkansas and Utah. “The proposed rules are likely to face constitutional challenges and, if implemented, would harm both innovation and the users they purport to protect,” said NetChoice.
Consumer groups in their comments said Colorado is right to craft a knowledge standard to hold companies accountable for willfully ignoring user age in its draft kids privacy rules (see 2509110064).
The Computer and Communications Industry Association suggested in its comments that the AG’s office amend or remove four different sections related to the knowledge standard.
CCIA recommended the rules use federal COPPA language to define what constitutes websites and services directed to children. The association asked the AG to delineate requirements for when a company is intentionally targeting minors with marketing versus when a company is targeting minors but is also leaving open the possibility of appealing to younger adults.
CCIA warned that the draft rules allow bad actors to file false reports labeling adult users as minors, arguing that best practices suggest allowing minors to report their own safety concerns to avoid this issue.
ACT | The App Association asked the AG to clarify compliance expectations for small businesses. Under the proposed rules, small businesses might have to "continuously monitor” user profiles and bios in order to avoid any “willful disregard” for user age. “This could impose significant burdens on small businesses, who do not have the staff, time, or resources necessary to regularly check for such information,” said ACT. “The Department should modify the example or clarify its language to prevent imposing this duty on small businesses.”
The Software & Information Industry Association warned some of the draft language could inadvertently discourage companies from implementing privacy protections that err on the side of caution when determining age. SIIA noted a company might categorize ambiguous profiles as minors to prevent targeted advertising and avoid potential compliance issues. This protective measure can be interpreted as creating “knowledge” liability, which could create disincentive to implement such measures, said SIIA.
“The underlying intent of the service provider in targeting or not targeting content should be a key consideration in determining knowledge, differentiating between intention targeting and proactive risk mitigation,” said SIIA.