On May 31, 2024, Governor Jared Polis signed into law Colorado House Bill 24-1130 (HB 1130), amending the Colorado Privacy Act (the CPA) to impose new requirements on controllers that process biometric data. The amendments go into effect July 1, 2025. Unlike the Illinois Biometric Information Privacy Act (BIPA), HB 1130 does not create a private right of action.
Importantly, HB 1130 not only creates new obligations for entities that were already subject to the CPA, but also broadens the application of the CPA to include entities and types of data that the law previously did not regulate. Understanding this new law is critical for entities operating in Colorado (including certain nonprofits) that use biometric data as part of their operations.
Definitions of Biometric Identifiers and Biometric Data
HB 1130 defines "biometric identifier" and "biometric data" in a manner that is broadly similar to the way in which these terms are defined under other data privacy laws, including BIPA. A "biometric identifier" is defined to mean "data generated by the technological processing, measurement, or analysis of a consumer's biological, physical, or behavioral characteristics, which data can be processed for the purpose of uniquely identifying an individual." The law specifically identifies fingerprints, voiceprints, scans or records of an eye retina or iris, facial maps, or "other unique biological, physical, or behavioral patterns or characteristics" as biometric identifiers.
The law defines "biometric data" as "one or more biometric identifiers that are used or intended to be used, singly or in combination with each other or with other personal data, for identification purposes." The law carves out from the definition of biometric data photographs, voice recordings, or the data generated from either a photograph or a voice recording.
Key Provisions of HB 1130
Prior to the amendment, the CPA only regulated controllers that (i) conduct business in Colorado or deliver commercial products or services targeted to state residents and (ii) satisfy either or both of the following thresholds: (A) control or process the personal data of at least 100,000 Colorado residents per year, or (B) derive revenue from selling personal data and process or control the personal data of at least 25,000 Colorado residents. Under HB 1130, the CPA now imposes biometric privacy requirements on an entity that controls or processes biometric data of any Colorado resident, even if the volume of data does not meet the numerical data processing thresholds set forth above. As a result, any controller must provide specific notice and obtain consent before collecting or processing biometric data or identifiers from Colorado residents.
HB 1130 introduces several new requirements even for controllers that were already subject to the CPA. This includes an obligation to adopt a written policy that establishes (1) a retention schedule for biometric identifiers and data, with retention requirements different from those in BIPA; (2) a protocol for responding to any incident that may compromise the security of biometric data and identifiers (including notification of the breach as required by the existing data breach notification law); and (3) guidelines for the deletion of biometric data and identifiers. As part of those guidelines, a controller must conduct a review annually to determine if any biometric data or identifiers are ripe for deletion. The controller must make its written policy available to the public, with certain exceptions, including if the policy applies only to the controller's current employees or contains internal protocols for responding to data security incidents.
Among other obligations, HB 1130 also requires controllers to (1) provide a reasonably accessible, clear, and meaningful privacy notice that meets certain content requirements; (2) satisfy certain rights of the consumers with respect to their biometric data and identifiers; (3) refrain from selling, leasing, or trading biometric identifiers or otherwise disclosing biometric identifiers to a third party without the consumer's consent, subject to certain exceptions; and (4) ensure that appropriate security measures are used when storing and transmitting biometric data.
In addition, HB 1130 contains certain provisions that do not appear in other state biometric privacy laws. For example, it prohibits controllers from purchasing biometric identifiers unless they pay the consumer and obtain consent, and as long as the purchase is unrelated to the provision of a product or service to the consumer. HB 1130 also imposes on controllers heightened disclosure requirements if the controller meets certain data processing thresholds. Upon request, controllers must disclose to consumers the category or description of biometric data collected and additional information, including the source from which the data was collected and the identity of any third party to which the data was disclosed and the purposes for disclosure.
Application to Employee Data
The CPA currently excludes from its scope personal data of individuals acting in a commercial or employment context. In a complete turnabout, HB 1130 amends the CPA to include certain protections for biometric data and identifiers of "employees," a term that is broadly defined to include individuals who are employed full-time, part-time, or on-call or who are hired as contractors, subcontractors, interns, or fellows.
HB 1130 permits employers to require employees or prospective employees to consent to the collection and processing of biometric identifiers as a condition of employment, but only in certain circumstances. These circumstances include the use of biometric data or identifiers to (1) permit access to secure locations; (2) record the commencement and conclusion of the employee's workday; (3) improve or monitor workplace safety and security; and (4) improve or monitor the safety or security of the public in the event of an emergency. Importantly, the law specifically states that employment cannot be conditioned on consenting to the use of biometrics to track the employee's location or the amount of time an employee is using a hardware or software application.
HB 1130 provides that employers may collect and process biometric identifiers for purposes other than those specified above only with consent. The law also states that nothing restricts an employer's ability to collect and process an employee's or prospective employee's biometric identifier "for uses aligned with the reasonable expectations of" an employee based on job description and role or a prospective employee based on background check, application, or identification requirements.
Next Steps
When HB 1130 goes into effect in 2025, it will mark a significant increase in compliance obligations for entities that control or process biometric data and identifiers of Colorado residents. Ahead of that date, entities that operate in Colorado should seek expert legal counsel to ensure that they have the appropriate procedures and policies in place for compliance with these new obligations to the extent they apply. Our team of experienced attorneys and policy advisors can provide tailored guidance and assistance in devising compliance strategies to mitigate potential risks.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.