United States of America: Department of Law closes consultation on draft amendments to Colorado Privacy Act Rules for biometric privacy and children's privacy

On 11 July 2025, the Colorado Department of Law closes the consultation on the amendments to the Colorado Privacy Act Rules (CPA) for biometric privacy and children's privacy. The amendment introduces new obligations for entities processing biometric data and data from minors. The rules clarify that biometric data includes identifiers, including facial templates and iris scans when used for identification, and that certain inferences, including those drawn from geolocation or browsing data, qualify as sensitive data. Controllers may be deemed to know a user's minor status based on profile information, marketing practices, or third-party reports. System design features that significantly increase, sustain, or extend a minor’s engagement, including recommendation algorithms, require opt-in consent, which is only valid if the minor affirmatively enables the feature. The rules also state that age verification is not mandatory, though entities may consider guidance from other jurisdictions.