Colorado § 6-1-1308.5 Duties of controllers - duty of care - rebuttable presumption

Colorado Statutes

§ 6-1-1308.5 — Duties of controllers - duty of care - rebuttable presumption

Colorado § 6-1-1308.5

Title 06Consumer

Art.Colorado Consumer Protection Act

This text of Colorado § 6-1-1308.5 (Duties of controllers - duty of care - rebuttable presumption) is published on Counsel Stack Legal Research, covering Colorado primary law. Counsel Stack provides free access to over 12 million legal documents including statutes, case law, regulations, and constitutions.

Bluebook

Colo. Rev. Stat. § 6-1-1308.5 (2026).

Text

(1)(a) A controller that offers any online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall use reasonable care to avoid any heightened risk of harm to minors caused by the online service, product, or feature.

(b)In any enforcement action brought by the attorney general or a district attorney pursuant to section 6-1-1311, there is a rebuttable presumption that a controller used reasonable care as required under this section if the controller complied with this section.

(2)Unless a controller has obtained consent in accordance with subsection

(3)of this section, a controller that offers any online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor

Free access — add to your briefcase to read the full text and ask questions with AI

(1) (a) A controller that offers any online service, product, or feature to a consumer
whom the controller actually knows or willfully disregards is a minor shall use
reasonable care to avoid any heightened risk of harm to minors caused by the
online service, product, or feature.

(b) In any enforcement action brought by the attorney general or a district
attorney pursuant to section 6-1-1311, there is a rebuttable presumption that a
controller used reasonable care as required under this section if the controller
complied with this section.

(2) Unless a controller has obtained consent in accordance with subsection
(3) of this section, a controller that offers any online service, product, or feature to a
consumer whom the controller actually knows or willfully disregards is a minor
shall not:

(a) Process a minor's personal data:

(I) For the purposes of:

(A) Targeted advertising;

(B) The sale of personal data; or

(C) Profiling in furtherance of decisions that produce legal or similarly
significant effects concerning a consumer;

(II) For any processing purpose other than the processing purpose that the
controller disclosed at the time the controller collected the minor's personal data
or that is reasonably necessary for, and compatible with, the processing purpose
that the controller disclosed at the time the controller collected the minor's
personal data; or

(III) For longer than is reasonably necessary to provide the online service,
product, or feature;

(b) Use any system design feature to significantly increase, sustain, or
extend a minor's use of the online service, product, or feature; or

(c) Collect a minor's precise geolocation data unless:

(I) The minor's precise geolocation data is reasonably necessary for the
controller to provide the online service, product, or feature;

(II) The controller only collects and retains the minor's precise geolocation
data for the time necessary to provide the online service, product, or feature; and

(III) The controller provides to the minor a signal indicating that the
controller is collecting the minor's precise geolocation data and makes the signal
available to the minor for the entire duration of the collection of the minor's precise
geolocation data; except that this subsection (2)(c)(III) does not apply to any service
or application that is used by and under the direction of a ski area operator, as
defined in section 33-44-103 (7).

(3) (a) A controller shall not engage in the activities described in subsection
(2) of this section unless the controller obtains:

(I) The minor's consent; or

(II) (A) If the minor is a child, the consent of the minor's parent or legal
guardian.

(B) A controller that complies with the verifiable parental consent
requirements established in the Children's Online Privacy Protection Act of 1998,
15 U.S.C. sec. 6501 et seq., as amended, and the regulations, rules, guidance, and
exemptions adopted pursuant to said act, as amended, is deemed to have satisfied
any requirement to obtain parental consent under this subsection (3)(a)(II).

(b) (I) A controller that offers any online service, product, or feature to a
consumer whom that controller actually knows or willfully disregards is a minor
shall not:

(A) Provide any consent mechanism that is designed to substantially subvert
or impair, or is manipulated with the effect of substantially subverting or impairing,
user autonomy, decision-making, or choice; or

(B) Except as provided in subsection (3)(b)(II) of this section, offer any direct
messaging apparatus for use by a minor without providing readily accessible and
easy-to-use safeguards to limit the ability of an adult to send unsolicited
communications to the minor with whom the adult is not connected.

(II) Subsection (3)(b)(I)(B) of this section does not apply to an online service,
product, or feature of which the predominant or exclusive function is:

(A) Electronic mail; or

(B) Direct messaging consisting of text, photos, or videos that are sent
between devices by electronic means, where messages are shared between the
sender and the recipient, only visible to the sender and the recipient, and not posted
publicly.

(4) Subsections (2)(a) and (2)(b) of this section do not apply to any service or
application that is used by and under the direction of an educational entity,
including a learning management system or a student engagement program.