“revealing” applies to sensitive personal data. Once the Attorney General issues the opinion letter, the rules will be filed with the Secretary of State
and take effect 20 days after publication in the Colorado Register.
Key Updates in the Final Rules for the Colorado Privacy Act
1. Willful Disregard of a Minor
The rules identify three key factors the Attorney General may use to determine whether a company “willfully disregards” a consumer’s status as a minor (under 18): whether the company has received credible information suggesting the user is a minor; whether marketing or data evidence shows a primarily minor audience; or whether the company classifies consumers as minors for targeting purposes. These factors clarify what the state considers adequate diligence to avoid exploiting minors’ data.
2. System Design Features That Increase a Minor’s Use
The rules set new guardrails for system design features, such as recommendation algorithms, streaks, or reward systems, that are designed to “significantly increase, sustain, or extend” a minor’s engagement. The state will assess whether these features were created primarily to boost usage, whether there is evidence of harm, and whether the design manipulates or coerces minors. Seven examples of features that do not meet this threshold (for instance, those essential to core functionality or initiated by the user) help clarify the boundaries for compliance.
3. Clarification of “Revealing” Sensitive Personal Data
The final rules remove “precise geolocation” from the list of examples of “revealing” data, since that category is now explicitly defined as sensitive data under the statute itself. This means businesses must now treat precise geolocation data as sensitive personal data and apply higher standards for consent, access, and security.
Why This Rulemaking Matters
The updates signal that the Colorado Attorney General expects companies to demonstrate active, auditable compliance—especially where children’s data or user
engagement features are involved. Businesses can no longer rely on passive disclaimers or boilerplate privacy notices. Regulators will evaluate whether companies
knew, or reasonably should have known, that minors were using their platforms, and whether system design choices were deliberately optimized to maximize engagement.
These rules elevate the standard for privacy-by-design, governance, and documentation across organizations operating under the CPA.
Colorado Privacy Act Compared to Other Privacy Laws
The Colorado Privacy Act stands alongside other state privacy laws such as the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA), but its scope and enforcement priorities show a growing shift toward structural accountability.
Compared to the CPRA: California’s law includes a private right of action and focuses heavily on consumer rights and data sales, while Colorado’s new rules
emphasize children’s protections, system design, and controller obligations. Colorado’s framework is slightly more prescriptive around how companies identify minors
and audit behavioral design choices.
Compared to the VCDPA: Virginia’s law is narrower in scope and focuses on consumer rights and consent. The CPA goes further by requiring evidence of privacy-by-design and more explicit documentation of sensitive data processing, particularly around minors.
Compared to the EU’s GDPR: The CPA mirrors GDPR principles like transparency, accountability, and controller-processor responsibilities, but the Colorado rules extend into system design and user engagement—an area not yet codified in most U.S. or EU privacy frameworks. This approach aligns Colorado’s regulatory outlook with the EU’s growing interest in regulating “dark patterns” and manipulative interface design.
Intersection with AI Regulation: Colorado, the U.S., and the EU
Privacy and artificial intelligence regulation are converging quickly, and Colorado is one of the first states to link these two domains explicitly. By focusing on “system design features,” the new CPA rules create parallels with algorithmic accountability.
The Colorado Artificial Intelligence Act (CAIA): Passed in 2024 and taking effect in 2026, the CAIA imposes obligations on developers and deployers of “high-risk” AI systems. It requires transparency, risk assessments, and documentation to prevent algorithmic bias and harm. Together, the CPA and CAIA form a dual compliance framework—one covering personal data, and the other addressing algorithmic integrity.
AI Regulation in the U.S.: At the federal level, the U.S. lacks a unified AI law, though federal agencies have released AI risk management frameworks and executive orders emphasizing transparency and accountability. States like Colorado are filling the gap by adopting hybrid privacy and AI governance models that mirror European trends.
The EU AI Act: The European Union’s AI Act (Regulation (EU) 2024/1689) classifies AI systems by risk level and mandates strict controls for “high-risk” and “general-purpose” systems.
The Act complements the EU’s GDPR, emphasizing documentation, transparency, and explainability. The CPA’s design-feature focus echoes this European model, highlighting how privacy and AI regulation are merging globally.
Compliance Priorities for Businesses Operating in Colorado
Businesses operating under the CPA should treat this rulemaking as a mandate to strengthen governance and documentation. Key next steps include:
- Review and document how your organization identifies and handles minors within your products or services.
- Evaluate algorithms, recommendation systems, and engagement loops for potential manipulation or prolonged use by minors.
- Update your data mapping to treat precise geolocation as sensitive data under the CPA.
- Integrate AI governance into your privacy program, ensuring alignment with both the CPA and CAIA.
- Revise vendor and processor contracts to reflect the new obligations related to minors and system design features.
- Maintain audit-ready records of compliance decisions, risk assessments, and system feature reviews.
How Captain Compliance Helps You Stay Ahead of the Colorado Privacy Act
Captain Compliance helps organizations navigate the intersection of privacy and AI regulation. Our tools and services allow businesses to:
- Conduct gap assessments against the latest CPA rules, CAIA, GDPR, and the EU AI Act.
- Map data flows and algorithmic features to uncover compliance risks.
- Generate audit-ready documentation—impact assessments, consent records, algorithmic feature logs, and DPIAs.
- Implement consent management software that blocks cookies if a user opts out.
- Prepare your team for regulator inquiries and demonstrate accountability through structured documentation.
With Captain Compliance, businesses gain confidence that their data and AI programs align with the strictest global standards. We automate compliance, help you keep pace with the increase in enforcement and regulation, and protect your firm against the rise in privacy litigation.
Colorado Attorney General’s final CPA rules
The Colorado Attorney General’s final CPA rules mark a pivotal moment in U.S. privacy law. They confirm that compliance is not only about data flows but also about how systems are built, how algorithms engage users, and how children’s information is protected. As AI regulation expands through the Colorado AI Act and the EU AI Act, the overlap between data privacy and AI accountability will continue to grow. Companies that act now to integrate these obligations will not only reduce risk but also build lasting trust with regulators and consumers alike.