Section 6-1-1308.5 - [Effective 10/1/2025] Duties of controllers - duty of care - rebuttable presumption(1)(a) A controller that offers any online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall use reasonable care to avoid any heightened risk of harm to minors caused by the online service, product, or feature.(b) In any enforcement action brought by the attorney general or a district attorney pursuant to section 6-1-1311, there is a rebuttable presumption that a controller used reasonable care as required under this section if the controller complied with this section.(2) Unless a controller has obtained consent in accordance with subsection (3) of this section, A controller that offers any online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor shall not: (a) Process a minor's personal data: (I) For the purposes of: (A) Targeted advertising;(B) The sale of personal data; or(C) Profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer;(II) For any processing purpose other than the processing purpose that the controller disclosed at the time the controller collected the Minor's personal data or that is reasonably necessary for, and compatible with, the processing purpose that the controller disclosed at the time the controller collected the minor's personal data; or(III) For longer than is reasonably necessary to provide the online service, product, or feature;(b) Use any system design feature to significantly increase, sustain, or extend a minor's use of the online service, product, or feature; or(c) Collect a minor's precise geolocation data unless:(I) The minor's precise geolocation data is reasonably necessary for the controller to provide the online service, product, or feature;(II) The controller only collects and retains the minor's precise geolocation data for the time necessary to provide the online service, product, or feature; and(III) The controller provides to the minor a signal indicating that the controller is collecting the minor's precise geolocation data and makes the signal available to the minor for the entire duration of the collection of the minor's precise geolocation data; except that this subsection (2)(c)(III) does not apply to any service or application that is used by and under the direction of a ski area operator, as defined in section 33-44-103 (7).(3)(a) A controller shall not engage in the activities described in subsection (2) of this section unless the controller obtains: (I) The minor's consent; or(II)(A) If the minor is a child, the consent of the minor's parent or legal guardian.(B) A controller that complies with the verifiable parental consent requirements established in the "Children's Online Privacy Protection Act of 1998", 15 U.S.C. sec. 6501 et seq., as amended, and the regulations, rules, guidance, and exemptions adopted pursuant to said act, as amended, is deemed to have satisfied any requirement to obtain parental consent under this subsection (3)(a)(II).(b)(I) A controller that offers any online service, product, or feature to a consumer whom that controller actually knows or willfully disregards is a minor shall not: (A) Provide any consent mechanism that is designed to substantially subvert or impair, or is manipulated with the effect of substantially subverting or impairing, user autonomy, decision-making, or choice; or(B) Except as provided in subsection (3)(b)(II) of this section, offer any direct messaging apparatus for use by a minor without providing readily accessible and easy-to-use safeguards to limit the ability of an adult to send unsolicited communications to the minor with whom the adult is not connected.(II) subsection (3)(b)(I)(B) of this section does not apply to an online service, product, or feature of which the predominant or exclusive function is: (B) Direct messaging consisting of text, photos, or videos that are sent between devices by electronic means, where messages are: Shared between the sender and the recipient; only visible to the sender and the recipient; and not posted publicly.(4) Subsections (2)(a) and (2)(b) of this section do not apply to any service or application that is used by and under the direction of an educational entity, including a learning management system or a student engagement program.Added by 2024 Ch. 296,§ 4, eff. 10/1/2025, app. to conduct occurring on or after the applicable effective date.2024 Ch. 296, was passed without a safety clause. See Colo. Const. art. V, § 1(3).