| Summary |
The bill amends the Colorado Privacy Act to add enhanced
protections when a minor's data is processed and there is a heightened risk
of harm to the minor. The bill applies to any entity that controls consumer
personal data (controller) and that conducts business in Colorado or
delivers products or services that are targeted at Colorado residents,
regardless of the volume of or amount of revenue derived from that
activity.
A controller that offers an online service, product, or feature to a
consumer that the controller knows or willfully disregards is a minor is
required to:
•
Use reasonable care to avoid any heightened risk of harm
to minors caused by the service, product, or feature; and
•
Conduct, and review as necessary, a data protection
assessment for the service, product, or feature and maintain
documentation regarding the assessment for a specified
period.
Unless the minor or, for a minor who is under 13 years of age, the
minor's parent or legal guardian has consented, a controller is prohibited
from processing a minor's personal data:
•
For targeted advertising, selling the minor's personal data,
or profiling the minor's personal data;
•
For any processing purpose other than the purpose
disclosed at the time the minor's personal data is collected
or a purpose reasonably necessary for the disclosed
processing purpose; or
•
For longer than reasonably necessary to provide the
service, product, or feature.
A controller is also prohibited from:
•
Using a system design feature to significantly increase,
sustain, or extend a minor's use of the service, product, or
feature; or
•
Collecting a minor's precise geolocation, except under
specified circumstances.
The attorney general and district attorneys are authorized to
enforce the requirements of the bill in the same manner as authorized
under the Colorado Privacy Act, including notifying a controller of, and
allowing a controller time to cure, a violation.
|
