Colorado Adds To A Growing Biometric Data Privacy Patchwork, And Vermont May Follow

Steptoe LLP

In more than 100 years of practice, Steptoe has earned an international reputation for vigorous representation of clients before governmental agencies, successful advocacy in litigation and arbitration, and creative and practical advice in structuring business transactions. Steptoe has more than 500 lawyers and professional staff across the US, Europe and Asia.
On May 31, 2024, Colorado Governor Jared Polis signed HB 1130 into law, amending the Colorado Privacy Act (CPA). In addition, legislators in Vermont recently passed the Vermont Data Privacy Act (H.121) and sent the bill to Governor Phil Scott's desk. Both actions add further complexity to an already fragmented United States legal landscape governing biometric data. HB 1130 (which does not contain a private right of action) will take effect on July 1, 2025 in Colorado, as will H.121 (which does include a private right of action in its current form) if it is enacted in Vermont. These bills are preceded by legislation enacted in Illinois, Texas, and, most recently, Washington, which regulates private entities' collection and use of biometric data specifically, and by more comprehensive state data privacy laws that include restrictions on how companies collect and use biometric data (e.g., the California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), and Maryland Online Data Privacy Act (MODPA)). Colorado's new law will apply to a broad array of organizations doing business in the state and will significantly heighten their compliance obligations and legal risk. If enacted, Vermont's data privacy law will have a similar impact.

Colorado

HB 1130 is the first biometric data privacy bill of its kind in the US because it merges compliance requirements similar to the Illinois Biometric Information Privacy Act (BIPA) with additional, unique obligations and restrictions that are more commonly found in broader consumer privacy statutes. Any company that (1) collects or processes biometric data and (2) conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to Colorado residents is subject to HB 1130, even if it does not otherwise meet the CPA's higher applicability thresholds.

The scope of data covered under HB 1130 is also very broad when compared to BIPA, Texas's Capture or Use of Biometric Identifiers Act (CUBI), and other laws that regulate biometric data. Under HB 1130, "biometric data" is "one or more biometric identifiers that are used or intended to be used, singly or in combination with each other or with any other personal data, for identification purposes." A "biometric identifier" is "data generated by the technological processing, measurement, or analysis of a consumer's biological, physical, or behavioral characteristics, which can be processed for the purpose of uniquely identifying an individual." Notably, unlike most consumer privacy statutes enacted to date (including the CPA), employee and job applicant data is generally not exempted from HB 1130. The law allows employers to collect and process employees' or prospective hires' biometric identifiers without consent to perform certain routine tasks, such as a reasonable background check. But, overall, HB 1130 heightens employers' compliance obligations. It requires employers to obtain employees' or prospective employees' consent to collect and process biometric identifiers in many cases, and it also restricts an employer's permissible reasons for requiring that employees or prospective employees provide such consent as a condition of their employment.

Like BIPA and other biometric data privacy laws, HB 1130 requires biometrics-specific privacy policies; data retention and destruction protocols; pre-collection individualized notices; pre-collection consent; and compliance with disclosure obligations and limitations. The law also includes minimum data security requirements and a transactional prohibition on selling, leasing, or trading biometric data.

HB 1130 goes beyond other biometric data privacy laws, however, by imposing unique compliance requirements on the collection and use of biometric data. For example, HB 1130 requires companies to delete biometric data on "the earliest reasonably feasible date," which must be within 45 days after a business concludes that retaining the data is "no longer necessary, adequate, or relevant to the express processing purpose," as identified by a review conducted by the business at least once annually. HB 1130 also requires companies' privacy policies to include security incident protocols specific to biometric data, in addition to guidelines and schedules for biometric data retention and deletion. And, as mentioned above, HB 1130 imposes explicit consent obligations for employers.

HB 1130 also distinguishes itself from other biometric data privacy laws by importing compliance obligations more traditionally seen in broader consumer privacy statutes, such as the CPA and California Consumer Privacy Act (CCPA). This includes the right to access and other obligations related to transparency, purpose specification, data minimization, secondary use of data, and data security. Moreover, similar to broader consumer privacy statutes, HB 1130 distinguishes between controllers (organizations or individuals that, alone or jointly with others, determine the purposes for and means of processing personal data) and processors (organizations or individuals that process personal data on behalf of a controller). Like controllers, processors must implement security incident response plans and other measures that are tailored to safeguarding biometric data specifically.

While HB 1130 does not contain a private right of action, it provides for enforcement by the State Attorney General through civil penalties of up to $20,000 per violation, disgorgement, restitution, reimbursement of attorney's fees, and injunctive relief.

Vermont

H.121 is the first comprehensive data privacy bill to establish a limited private right of action for the illegal collection and use of personal data, including biometric data (the CPRA, for example, only allows a private right of action for data breaches).

H.121 applies to individuals and businesses that (1) conduct business in Vermont or produce products or services that are targeted to residents of Vermont and (2) control or process the personal data of at least 25,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or control or process the personal data of at least 12,500 consumers and derive more than 25% of their gross revenue from the sale of personal data. Note: The second applicability prong is not required when the data collected is consumer health data ("any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis, including gender-affirming health data and reproductive or sexual health data").

Under H.121, "biometric data" is sensitive personal data that is "generated from the technological processing of an individual's unique biological, physical, or physiological characteristics that is linked or reasonably linkable to an individual, including: (i) iris or retina scans; (ii) fingerprints; (iii) facial or hand mapping, geometry, or templates; (iv) vein patterns; (v) voice prints; and (vi) gait or personally identifying physical movement or patterns."

In addition to including provisions commonly found in comprehensive data privacy statutes (e.g., consumer rights to delete, access, correct, and opt-out; data security requirements), H.121 imposes data minimization requirements that prohibit businesses from collecting personal information for any purpose outside of providing the product or service. The legislation also contains unique provisions for protecting children, including a requirement that businesses consider the distinctive needs of consumers of different age ranges when designing their online services, products, and/or features (i.e., "age-appropriate design code").

Unlike other comprehensive data privacy laws, H.121 not only establishes a private right of action against large data brokers when they cause a breach of personal information (which is the case under the CCPA/CPRA), it also allows a private right of action where a large data broker misuses data about a consumer's race, color, sex, sexual orientation or gender identity, physical or mental disability, religion, ancestry, or national origin. A large data broker or "large data holder" is an entity that processes the personal data of at least 100,000 Vermont residents a year. If H.121 is enacted, the private right of action would not be effective until July 1, 2027, and the legislature would have to reauthorize the right every two years. The bill's inclusion of a private right of action may be a hurdle to its passage, as Vermont Governor Scott is reportedly considering a veto and has concerns about its impact on small Vermont businesses. Opposing advocacy groups have written to Governor Scott's office in the past few days urging him to sign or veto the bill.

Colorado's HB 1130 is the latest addition to a patchwork of state data privacy laws, and Vermont's H.121 may soon join the fray. They add to a state privacy regime that is developing concurrently with increasing Federal Trade Commission (FTC) enforcement of alleged unfair and/or deceptive uses of biometric information and artificial intelligence technologies. This trend is expected to continue, and may be still further complicated by the proposed American Privacy Rights Act (APRA) which, as currently drafted, allows for both federal and state attorney general enforcement, a private right of action, and, in certain cases, entitlement to remedies provided under California and Illinois state laws.
