Round voting button logo

Age Attestation on Computing Devices

Concerning age attestation for users of computing devices.

Engrossed on 4/6/26

Overview

This Colorado legislation establishes a comprehensive age attestation framework for online users, requiring operating system providers and covered application stores to implement age verification mechanisms that protect minors while enabling developers to comply with age-appropriate content requirements. The bill creates a standardized system for transmitting age signals from device-level account setup through the application ecosystem, mandating that operating system providers collect birth date or age information during account creation and make this information available to developers through covered application stores. The legislation aims to balance child safety objectives with privacy considerations by limiting data collection to the minimum necessary information and establishing clear rules for how age signals must be used by developers. By creating a uniform age attestation infrastructure, the bill seeks to reduce the burden on individual developers to implement their own age verification systems while providing a consistent mechanism for compliance with age-related content restrictions across the digital ecosystem.

Core Provisions

The bill establishes three primary obligations across the digital ecosystem. Operating system providers must provide an accessible interface at account setup requiring account holders to indicate the birth date or age of the device user, as specified in §6-30-102(1)(a). Developers receiving age signals must use that information as the primary indicator of the user's age range under §6-30-102(2)(a), and are prohibited from requesting more information from operating system providers or covered application stores than the minimum amount necessary pursuant to §6-30-102(2)(e)(I). All covered entities must comply with these requirements in a nondiscriminatory manner as mandated by §6-30-102(3). The enforcement mechanism established in §6-30-104(1) creates a tiered civil penalty structure with fines up to $2,500 per minor affected for each negligent violation and up to $7,500 per minor affected for each intentional violation. The bill includes a liability protection provision in §6-30-105(5) that shields entities from liability arising from device or application use by individuals other than the user to whom an age signal pertains. The legislation takes effect January 1, 2028, subject to referendum petition procedures outlined in §2, with various compliance dates referenced including January 1, 2027, and July 1, 2028, for different aspects of implementation.

Key Points

  • Operating system providers must collect birth date or age information at account setup through an accessible interface
  • Developers must use received age signals as the primary indicator of user age range
  • Data minimization requirement limits information requests to the minimum necessary
  • Nondiscriminatory compliance mandate applies to all covered entities
  • Civil penalties range from $2,500 per minor for negligent violations to $7,500 per minor for intentional violations
  • Liability protection for misuse by individuals other than the designated account user

Legal References

  • §6-30-102(1)(a) - Operating system provider age collection requirement
  • §6-30-102(2)(a) - Developer use of age signals
  • §6-30-102(2)(e)(I) - Data minimization requirement
  • §6-30-102(3) - Nondiscriminatory compliance mandate
  • §6-30-104(1) - Civil penalty structure
  • §6-30-105(5) - Liability limitation provision
  • §6-30-101 - Definitions
  • §6-30-103 - Applicability to existing devices

Implementation

The Colorado Attorney General serves as the primary enforcement authority with exclusive power to assess and recover civil penalties through civil actions as specified in §6-30-104(1). The enforcement mechanism relies on a complaint-driven model rather than proactive regulatory oversight, with the Attorney General initiating civil proceedings against violators. The bill does not establish a dedicated funding mechanism or appropriation for enforcement activities, suggesting that implementation will occur within existing Attorney General resources and budgets. Compliance measures center on technical implementation requirements for operating system providers to build age collection interfaces and for covered application stores to transmit age signals to developers. The legislation does not mandate specific reporting requirements to state agencies, instead relying on the civil penalty structure to incentivize voluntary compliance. The phased implementation timeline with multiple critical dates suggests a staged rollout, though the specific compliance obligations associated with the January 1, 2027, and July 1, 2028, dates are not fully detailed in the available section summary. The nondiscriminatory compliance requirement in §6-30-102(3) creates an implicit monitoring obligation to ensure equal treatment across applications and developers, though the bill does not specify how this will be verified or enforced.

Legal References

  • §6-30-104(1) - Attorney General enforcement authority
  • §6-30-102(3) - Nondiscriminatory compliance requirement

Impact

The primary beneficiaries of this legislation are minors who will receive enhanced protection from age-inappropriate content through systematic age verification at the operating system level. Parents and guardians benefit from a standardized mechanism for age attestation that reduces reliance on individual application-level controls. Developers gain a uniform age signal infrastructure that simplifies compliance with age-related content restrictions and reduces the burden of implementing proprietary age verification systems. The civil penalty structure creates significant financial exposure for covered entities, with potential costs scaling based on the number of minors affected by violations. For a violation affecting multiple minors, penalties could reach substantial amounts, particularly for intentional violations at $7,500 per affected minor. Operating system providers and covered application stores face administrative costs associated with building and maintaining age collection interfaces and signal transmission infrastructure. The absence of sunset provisions indicates that these requirements are intended as permanent features of Colorado's consumer protection framework. Expected outcomes include increased age verification accuracy across the digital ecosystem, reduced exposure of minors to age-inappropriate content, and standardization of age attestation practices among developers. The liability protection in §6-30-105(5) limits the administrative burden on covered entities by preventing liability for unauthorized device use, though this may create enforcement gaps when minors access devices using accounts not designated for their use.

Key Points

  • Minors receive enhanced protection from age-inappropriate content
  • Parents gain standardized age attestation mechanisms
  • Developers benefit from uniform age signal infrastructure reducing compliance complexity
  • Civil penalties create significant financial exposure scaling with number of affected minors
  • Operating system providers and application stores incur infrastructure development and maintenance costs
  • No sunset provisions indicate permanent implementation
  • Liability protection limits enforcement scope for unauthorized device use

Legal References

  • §6-30-104(1) - Civil penalty amounts
  • §6-30-105(5) - Liability limitation

Legal Framework

The bill operates under Colorado's consumer protection authority, adding a new article to the Colorado Revised Statutes addressing age attestation for online users. The legislation exercises state police power to protect minors from harmful content, a traditional area of state regulatory authority. The framework intersects with federal law governing online platforms and data privacy, potentially raising preemption questions under the dormant Commerce Clause given the interstate nature of digital services and the burden placed on national operating system providers and application stores to implement Colorado-specific requirements. The cross-reference to antitrust law in the section summary suggests awareness of potential competitive implications, particularly regarding the nondiscriminatory compliance mandate in §6-30-102(3) which may implicate federal antitrust principles. The data minimization requirement in §6-30-102(2)(e)(I) aligns with emerging privacy law frameworks but creates potential tension with more permissive federal standards. The bill does not explicitly address preemption of local ordinances, though the statewide framework suggests intent to establish uniform requirements across Colorado. Judicial review provisions are not detailed in the available summary, though the civil enforcement mechanism through the Attorney General implies that defendants in penalty actions would have standard appellate rights. The liability limitation in §6-30-105(5) creates a statutory defense that would be subject to judicial interpretation regarding what constitutes use by an individual other than the designated account holder.

Key Points

  • Exercises state police power for minor protection
  • Potential dormant Commerce Clause preemption concerns for interstate digital services
  • Intersection with federal antitrust law through nondiscriminatory compliance mandate
  • Data minimization requirements may conflict with federal privacy standards
  • Civil enforcement mechanism implies standard judicial review rights
  • Statutory liability defense subject to judicial interpretation

Legal References

  • Colorado Revised Statutes - statutory framework
  • §6-30-102(3) - Nondiscriminatory compliance provision
  • §6-30-102(2)(e)(I) - Data minimization requirement
  • §6-30-105(5) - Liability limitation
  • U.S. Constitution, Commerce Clause - potential preemption basis

Critical Issues

The legislation faces substantial constitutional challenges under the dormant Commerce Clause, as the requirement for operating system providers to implement Colorado-specific age collection interfaces imposes significant burdens on interstate commerce and may be deemed an impermissible extraterritorial regulation. First Amendment concerns arise regarding potential restrictions on access to protected speech, particularly for mature minors seeking access to constitutionally protected content that may be restricted based on age signals. The data minimization requirement in §6-30-102(2)(e)(I) creates implementation ambiguity regarding what constitutes the minimum necessary information, potentially leading to inconsistent interpretations and compliance challenges. The nondiscriminatory compliance mandate in §6-30-102(3) lacks clear enforcement mechanisms and standards for determining what constitutes discriminatory treatment, creating uncertainty for covered entities. Technical implementation challenges include the feasibility of retrofitting existing operating systems and application stores with age signal infrastructure, particularly for devices already in use as addressed in §6-30-103. The liability protection in §6-30-105(5) creates enforcement gaps when minors use devices or accounts not designated for them, potentially undermining the bill's protective objectives. Cost implications are substantial for operating system providers and covered application stores that must develop, implement, and maintain age attestation infrastructure, with these costs likely passed to consumers or developers. The civil penalty structure creates significant financial exposure that may be challenged as excessive under due process principles, particularly for violations affecting large numbers of minors. Opposition arguments center on privacy concerns regarding mandatory age data collection, the technical burden on industry, potential ineffectiveness due to circumvention by tech-savvy minors, and the risk of creating a false sense of security while imposing substantial compliance costs. The bill's interaction with federal children's online privacy laws such as COPPA creates potential conflicts and compliance complexity for covered entities subject to multiple regulatory frameworks.

Key Points

  • Dormant Commerce Clause challenges due to extraterritorial effects on interstate digital services
  • First Amendment concerns regarding restrictions on access to protected speech
  • Ambiguity in data minimization standards creates compliance uncertainty
  • Nondiscriminatory compliance mandate lacks clear enforcement mechanisms
  • Technical feasibility challenges for retrofitting existing systems
  • Enforcement gaps from liability protection for unauthorized device use
  • Substantial infrastructure costs for operating system providers and application stores
  • Potential due process challenges to civil penalty amounts
  • Privacy concerns regarding mandatory age data collection
  • Risk of circumvention by tech-savvy minors undermining effectiveness
  • Conflicts with federal COPPA and other children's online privacy laws

Legal References

  • U.S. Constitution, Commerce Clause - extraterritoriality limits
  • U.S. Constitution, First Amendment - protected speech concerns
  • U.S. Constitution, Fourteenth Amendment - due process limits on penalties
  • §6-30-102(2)(e)(I) - Data minimization requirement
  • §6-30-102(3) - Nondiscriminatory compliance mandate
  • §6-30-103 - Applicability to existing devices
  • §6-30-105(5) - Liability limitation
  • 15 U.S.C. § 6501 et seq. - Children's Online Privacy Protection Act (COPPA)

Sponsors

DDDD
4
1
R
Democratic CaucusRepublican Caucus

Roll Call Votes

28 Yea

DRRDRDDDDDRDDDRDRRDDDDDRRDDD

7 Nay

DDRDDRR

Calendar

Feb 24

2:00 PM

Senate Business, Labor, & Technology Committee Hearing

Feb 27

7:30 AM

Senate Second Reading Calendar

Mar 2

7:30 AM

Senate Second Reading Calendar

Mar 3

7:30 AM

Senate Third Reading Calendar

Apr 2

12:00 AM

House Second Reading Calendar

Apr 2

7:45 AM

Senate Joint Technology Committee Hearing