Privacy & Information Security Law Blog

On May 31, 2024, Colorado Governor Jared Polis signed into law a bill that amends the Colorado Privacy Act (“CPA”) and introduces new obligations for processors of biometric data. These new obligations target the processing of biometric data when it is used for identification purposes. The law goes into effect on July 1, 2025.

The CPA currently classifies “biometric data that may be used for the purpose of uniquely identifying an individual” as sensitive data subject to heightened compliance requirements, such as individual consent prior to processing. The CPA also requires covered entities to conduct data protection assessments prior to processing covered biometric data (“biometric data”).

New Obligations for the Collection and Processing of Biometric Data

HB24-1130 adds further compliance requirements, such as the adoption of a public, written policy governing the processing of biometric data. The written policy applies to controllers that control or process covered biometric data and the policy must establish a retention schedule, data security incident protocols, and deletion guidelines based on retention specifications set out in HB24-1130. Processors must also have data security incident protocols in place.

The new law imposes external transparency requirements on the collection and retention of biometric data, including a requirement to make available the non-internal portions of the written policy, and to provide a notice at collection that describes the data being collected, whether it will be shared, and the specific purposes for collection and sharing. Covered controllers may not sell or disclose biometric data without the individual’s consent unless, with respect to disclosure only, the disclosure is: (1) required by law; (2) for the purpose of completing a financial transaction; or (3) to a processor, is necessary for the purpose collected and to which the individual consented. HB24-1130 states that all existing CPA exceptions still apply (e.g., to balance the need for biometric privacy with the use of biometrics for public safety).

Controllers are prohibited from refusing to provide a good or service to an individual who refuses to consent to the collection, use, disclosure, transfer, sale, retention or processing of biometric data unless it is necessary to the provision of the good or service, and are prohibited from price or quality adjustments for individuals who exercise their biometric privacy rights. The law also limits a controller’s ability to purchase biometric identifiers, making it lawful to do so only if a controllers pays an individual directly for the data, gets consent, and the purchase is not related to providing a product or service to the consumer.

The new law establishes an individual right to access the “category or description” of biometric data collected as well as the following details:

• the source of the biometric data;
• the purpose of collection and processing;
• the identity of third parties with access to the biometric data (and the purpose for disclosure); and
• the type of biometric data disclosed to third parties.

Special Obligations in the Employment Context

Employers in Colorado may require employee consent for the collection and processing of biometric data as a condition of employment only for:

• securing access to physical locations, electronic hardware and software applications (except certain time and location tracking);
• recording employee work hours;
• improving or monitoring workplace safety or security; and
• improving or monitoring public safety and security in emergency situations.

Employers must collect employee consent for other uses; however, these uses cannot be conditions of employment. The law also allows employers to use biometric systems to conduct background checks, or for the employee’s job/role, as long as they align with the employee’s “reasonable expectations.”

Rulemaking

The Colorado Department of Law has rulemaking authority under HB24-1130.