Colo. Rev. Stat. § 6-1-1309.5

Current through 11/5/2024 election
Section 6-1-1309.5 - [Effective 10/1/2025] Data protection assessments
(1) A controller that, on or after October 1, 2025, offers any online service, product, or feature to a consumer whom such controller actually knows or willfully disregards is a minor shall conduct a data protection assessment for the online service, product, or feature if there is a heightened risk of harm to minors. The controller shall conduct the data protection assessment:
(a) In a manner that is consistent with the requirements established in section 6-1-1309; and
(b) That addresses:
(I) The purpose of the online service, product, or feature;
(II) The categories of a minor's personal data that the online service, product, or feature processes;
(III) The purposes for which the controller processes a minor's personal data with respect to the online service, product, or feature; and
(IV) Any heightened risk of harm to minors that is a reasonably foreseeable result of offering the online service, product, or feature to minors.
(2) A controller that conducts a data protection assessment pursuant to subsection (1) of this section shall:
(a) Review the data protection assessment as necessary to account for any material change to the processing operations of the online service, product, or feature that is the subject of the data protection assessment; and
(b) Maintain documentation concerning the data protection assessment for the longer of:
(I) Three years after the date on which the processing operations cease; or
(II) The date the controller ceases offering the online service, product, or feature.
(3) A single data protection assessment may address a comparable set of processing operations that include similar activities.
(4) If a controller conducts a data protection assessment for the purpose of complying with another applicable law or regulation, the data protection assessment is deemed to satisfy the requirements established in this section if the data protection assessment is reasonably similar in scope and effect to the data protection assessment that would otherwise be conducted pursuant to this section.
(5) If a controller conducts a data protection assessment pursuant to subsection (1) of this section or a data protection assessment review pursuant to subsection (2)(a) of this section and determines that the online service, product, or feature that is the subject of the assessment poses a heightened risk of harm to minors, the controller shall establish and implement a plan to mitigate or eliminate the heightened risk.
(6)
(a) A data protection assessment conducted pursuant to this section:
(I) Is confidential, except as provided in subsection (6)(b) of this section; and
(II) Is not a public record, and is exempt from public inspection and copying, under the "Colorado Open Records Act", part 2 of article 72 of title 24.
(b)
(I) A controller shall make a data protection assessment conducted pursuant to this section available to the attorney general upon request. The attorney general may evaluate the data protection assessment for compliance with section 6-1-1308.5 and with other laws, including this article 1.
(II) The disclosure of a data protection assessment pursuant to a request from the attorney general does not constitute a waiver of any attorney-client privilege or work-product protection that might otherwise exist with respect to the assessment and any information in the assessment.
(7) Data protection assessment requirements apply to processing activities created or generated after October 1, 2025, and are not retroactive.

C.R.S. § 6-1-1309.5

Added by 2024 Ch. 296, § 4, eff. 10/1/2025, app. to conduct occurring on or after the applicable effective date.
2024 Ch. 296 was passed without a safety clause. See Colo. Const. art. V, § 1(3).