An Interactive Consent Flow for Children’s Data under the Colorado Privacy Act.

All Faith

Created on March 10, 2026

Transcript

I'm Christian Martinez. I am the Founder of “HikeQuest Teen.” It is a mobile app that gamifies hiking trails for families in Colorado.

Christian's App Dilemma

I'm Jane McKenzie, a technology & privacy attorney. I advise startups on compliance with state privacy laws, including the Colorado Privacy Act.

Created by Cavielle McKenzie

Choose Your Investigation Path

To determine whether HikeQuest complies with the Colorado Privacy Act, we need to investigate several key areas of the law.

Who is considered a Child?

Does the Colorado Privacy Act (CPA) Apply to HikeQuest?

Is Children's Data = Sensitive Data?

The CPA classifies personal data from a known child as sensitive data: CPA §6-1-1303(24)

Under the CPA, a child is any individual under the age of thirteen: CPA §6-1-1303(4)

The Colorado Privacy Act applies to businesses that conduct business in Colorado AND process 100,000 consumers’ data OR 25,000 consumers’ data and derive revenue from the sale of their personal data: CPA §6-1-1304(1)

Valid Consent Requirements

What Happens If a Parent Revokes Consent?

A Consumer shall be able to refuse or revoke Consent, requiring the controller to stop processing the data: CPA Rule 7.07(A); CPA §6-1-1306(IV)(C).

Consent must be a clear, informed, affirmative action, freely given, specific and unambiguous: CPA §6-1-1303(5). It cannot rely on pre-checked boxes, silence, or blanket acceptance of terms: CPA Rule 7.03(B)(2).

My mobile app collects usernames, location of hikes, photos uploaded by users, fitness activity data, and optional profile information. Recently, a parent emailed me asking: "Are you collecting my child's data? I did not consent to this!" I am now concerned about legal liability, and I want to schedule a meeting with attorney Jane McKenzie.

Christian Arrives at Jane’s Office

I built an app for families who hike in Colorado. Children can track trails, upload photos, and earn badges. However, parents are now asking about privacy laws. Do I need consent?

Let’s walk through the Colorado Privacy Act (CPA) step-by-step.

120,000 total users, with 100,000 users located in Colorado, and the app sells anonymized analytics to outdoor gear and food companies.

We must determine whether the CPA applies. How many users does your app have?

STEP 1: Does the CPA Apply?

What should Jane do at this point?

Whether the CPA applies to HikeQuest.

The Colorado Privacy Act applies if a business:

  • Conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to Colorado residents, and
  • Processes personal data of
    • 100,000 consumers, OR
    • 25,000 consumers and derives revenue or receives a discount on the price of goods or services from the sale.
CPA §6-1-1304(1)

YES, the CPA likely applies to you, Christian, since your company, HikeQuest, conducts business in Colorado and processes the personal data of at least one hundred thousand consumers in Colorado.

STEP 2: Are Children Using the App?

Do children under 13 use HikeQuest?

Well… most users are hikers and families.

Children do sign up with usernames like Hikerwannabee11.

A child under the CPA is: “An individual under thirteen years of age.” CPA §6-1-1303(4)

Well, okay then... YES, children are using the app.

Christian, CPA §6-1-1308(7) states that if you process the personal data of an individual you know to be a child (an individual under 13: CPA §6-1-1303(4)), you have a duty to first obtain consent from the child's parent or lawful guardian.

Jane pulls up Christian's app interface. What should Christian do at this point?

STEP 3: What Type of Data is being Collected?

Jane discovers that Christian's App collects:

  • location data from hikers
  • photos uploaded by users
  • race or ethnicity
  • usernames
  • age ranges
  • citizenship
  • health data
  • activity tracking data

Under the CPA, sensitive data is personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status: CPA §6-1-1303(24)(a).

Sensitive data includes:

  • genetic or biometric data
  • health data
  • racial or ethnic origin
  • personal data from a known child.
CPA §6-1-1303(24)

The children’s data collected by Christian's app includes personal data such as their citizenship, race or ethnicity, and health data, and these constitute sensitive data.

STEP 4: Consent Requirement Triggered

So I can just get consent from the child?

Christian, the children's data collected by the app is considered sensitive data; therefore, you cannot process this data without first obtaining consent from a parent or lawful guardian: CPA §6-1-1308(7); CPA Rules 7.02(A)(2) & 7.06(A).

Christian, children can’t legally give consent to a controller to process their sensitive data.

What do I do now?

STEP 5: Who Must Give Consent?

How do you verify parental permission?

Well... Uhmmm...

Children just click I agree when they sign up.

Hmmm. Consent must first come from a parent or legal guardian when processing children’s personal data. CPA §6-1-1308(7)

Did Christian acquire valid consent?

STEP 6: Is the Consent Mechanism Valid?

Okay, Christian, I will now review HikeQuest's signup page.

The app currently uses:

  • a pre-checked consent box
  • broad acceptance of terms of service.
  • no parental verification.

Under the CPA, consent must be:

  • freely given.
  • informed.
  • specific.
  • unambiguous.
  • given through a clear affirmative action.
CPA 6-1-1303(5); CPA Rule 7.03.

Consent is not:

  • broad acceptance of terms of service.
  • hovering over, muting, pausing, or closing a given piece of content.
  • agreement obtained through dark patterns.
CPA 6-1-1303(5) (a-c).

Examples of invalid consent include:

  • pre-ticked boxes.
  • blanket acceptance of general terms within the App.
  • dark patterns.
CPA Rule 7.03(B)(2).

Christian, some reasonable methods for determining that a person consenting to the processing of a child’s Personal Data is the parent or lawful guardian of that Child are identified under CPA Rule 7.06(C). Some examples include:

  • a Consent form to be signed by the parent or guardian under penalty of perjury;
  • requiring a parent or guardian to use a credit card or debit card; and
  • having a parent or guardian connect to trained personnel via videoconference.
CPA Rule 7.06(C)(1-5).

How do I know if it is the parent or lawful guardian?

You now can redesign how you acquire consent.

STEP 7: Provide Proper Privacy Notice

Parents must understand exactly what data you collect.

You must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • categories of personal data collected.
  • purposes of processing.
  • third-party data sharing, disclosure of the sale or processing and the manner in which one can opt out of the sale or processing.
  • consumer rights.
  • how to contact the company.
Your privacy notice should be written clearly enough for parents to understand. CPA §6-1-1308(1)

Christian must comply with the duties of a controller under CPA 6-1-1308 when processing children's data. These include but are not limited to:

  • Duty of transparency.
  • Duty of data minimization; and
  • Duty of care to take reasonable measures to secure personal data
CPA §6-1-1308(1-7)

Ensure that the HikeQuest App complies with CPA §6-1-1308(1-7).

STEP 8: Processing Children’s Data

STEP 9: Checking whether there is a Secondary Use.

Are you using the children's data for advertising?

We considered using their hiking activity to show ads for hiking equipment and food options during sports.

Then that would require new consent since controllers cannot process data for new purposes incompatible with the original purpose without consent. CPA §6-1-1308(4).

Sigh...

STEP 10: Parents Can Revoke Consent

Is there anything else I need to know?

Parents must be able to refuse or withdraw consent easily. CPA §6-1-1306(1); CPA Rule 7.07(A)

For instance, if a parent clicks “Delete My Child’s Data”, you must stop processing that data and delete data where applicable. CPA §6-1-1306(1)(d).

What we have learned

These are the key lessons.

Children cannot legally consent on their own. You must obtain clear, valid consent from a parent or legal guardian before collecting their data.

Christian's business falls within the scope of the Colorado Privacy Act because HikeQuest processes large amounts of consumer data and operates in Colorado.

Children’s Data is Sensitive Data. CPA §6-1-1303(24)

Parental Consent is Required. CPA §6-1-1308(7); CPA Rule 7.03

The CPA treats personal data from a known child as sensitive data. That means you must obtain consent before processing it.

Under the CPA, a child is anyone under thirteen. If the app collects their data, special protections apply.

Who is a Child? CPA §6-1-1303(4)

Know When the CPA Applies CPA §6-1-1304(1)

Congratulations!

Christian finally understands how the Colorado Privacy Act (CPA) protects children’s personal data. HikeQuest must ensure that valid parental consent is obtained before processing children’s sensitive data, and that parents can exercise their rights. Christian's company can continue helping families explore Colorado’s trails by following these rules.
