In October 2025, the Colorado Department of Law finalized amendments to the Colorado Privacy Act rules, adopting new provisions to strengthen children’s privacy and safety. As part of the rulemaking process, ACT | The App Association submitted feedback explaining how the proposed rules would affect small businesses and recommending changes to improve online safety without creating undue regulatory burdens. After we raised these concerns, the Department made several key revisions, setting a strong example for how policymakers can work with stakeholders to advance effective legislation while giving small businesses clear guidance to innovate responsibly.

To effectively balance online safety and innovation, state policymakers should develop practical, proportional guidelines that clearly define obligations without forcing small businesses into defensive overcompliance. For example, in our comments on the draft CPA amendments, we urged the Department to clarify language in Rule 6.13(A)(1), which used the example of consumers listing their age in a profile bio as evidence that a business had directly received age information and could be found to have willfully disregarded it. As we noted, this could create a de facto surveillance obligation for small businesses and require them to constantly monitor users’ profiles to avoid a finding of willful disregard. This requirement would be infeasible in practice, privacy-invasive, and force small businesses to divert limited resources from innovation to observation. In the final rules, the Department clarified that such examples are not exhaustive and that the Attorney General should consider the totality of circumstances when assessing compliance. It also made clear that businesses are not required to collect, retain, use, link, or combine user data they would not otherwise handle in the ordinary course of business. The Department’s clarification demonstrates how clear standards can protect children without imposing impractical monitoring requirements on small businesses.

Moreover, policymakers should prioritize narrowly tailored, context-aware rules that focus on genuine intent or effect, rather than broad design features, to avoid unintentionally capturing services not directed to children. For that reason, we recommended that the Department clarify Rule 6.13(A)(2), which listed widely applicable factors to determine whether a controller has directed a website or service to minors, such as subject matter, visual content, and language. These factors risked sweeping in websites or services using common creative choices, such as bright visuals or gamified incentives. The Department subsequently revised the rule to clarify that a business must have intentionally directed its website or service to minors. The updated factors now focus on clearer indicators, such as references to “minors” or “teens” in marketing or promotional materials, advertisements aimed at minors, or empirical evidence showing that minors make up the intended or actual audience.

Finally, when drafting online safety rules, policymakers should avoid vague or subjective standards that make compliance unpredictable and invite arbitrary enforcement. For example, the draft version of Rule 6.14(A) listed several factors assessing whether a design feature “significantly increases, sustains, or extends” a minor’s use of an online service, product, or feature. Among them was whether a feature has increased the “addictiveness” of a service. However, “addictiveness” is a vague standard that invites subjective judgment, and its inclusion could pressure small businesses to over-restrict legitimate engagement or design features out of an abundance of caution. The Department subsequently removed “addictiveness” in favor of language focusing on whether a feature has “the substantial effect of subverting or impairing Minor autonomy, decision making, or choice, or unfairly, fraudulently, or deceptively manipulating or coercing a Minor.” This update better captures the types of design practices that can harm young users without discouraging legitimate engagement or design features.

As states continue to debate privacy and online safety rules, we urge policymakers to draft regulations that balance online safety and innovation. Colorado’s approach to rulemaking and the final rules demonstrate how meaningful protections for children don’t require unworkable compliance obligations for small businesses. We appreciate the Department’s willingness to refine the rules based on stakeholder input and remain committed to working with policymakers to develop effective solutions that advance both online safety and innovation.