United States of America: Department of Law filed draft amendments to Colorado Privacy Act Rules for biometric privacy and children's privacy

On 29 July 2025, the Colorado Department of Law proposed amendments to the Colorado Privacy Act Rules (4 CCR 904-3), introducing new obligations for entities processing biometric data and data from minors. The rules clarify that biometric data includes identifiers, including facial templates and iris scans when used for identification, and that certain inferences, including those drawn from geolocation or browsing data, qualify as sensitive data. Controllers may be deemed to have knowledge of a user's minor status based on profile information, marketing practices, or third-party reports. System design features that significantly increase, sustain, or extend a minor’s engagement, including recommendation algorithms, require opt-in consent, which is only valid if the minor affirmatively enables the feature. The rules also state that age verification is not mandatory, though entities may consider guidance from other jurisdictions.