Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Colorado: Bill amending CPA to address biometric identifiers signed by legislature

On May 28, 2024, House Bill 24-1130 for an Act concerning protecting the privacy of an individual's biometric data was signed by the Speaker of the House of Representatives and the President of the Colorado State Senate. Afterward, the bill was sent to the Governor of Colorado on the same date for signature. 

Scope of the bill

The bill would amend the Colorado Privacy Act (CPA) to add protections for biometric data by requiring data controllers to adopt a written policy that:  

  • establishes a retention schedule for biometric identifiers;  
  • includes a protocol for responding to a breach of security of biometric data; and 
  • includes guidelines that require the permanent destruction of a biometric identifier.  

The bill also:  

  • prohibits data controllers from collecting a biometric identifier unless the controller first satisfies certain disclosure and consent requirements;  
  • specifies certain prohibited acts and requirements for data controllers that collect and use biometric data; 
  • requires a data controller to allow a consumer to access and update a biometric identifier; 
  • restricts an employer's permissible reasons for obtaining an employee's consent for the collection of biometric identifiers; and  
  • authorizes the attorney general (AG) to promulgate bill implementation rules. 

Obligations for data controllers

The bill places additional obligations on data controllers including:

  • increasing the time to destroy biometric data after receiving a verified request to 45 days from the original 30 days;
  • prohibiting a data controller from buying biometric identifiers without fulfilling additional requirements;
  • banning the collection of biometric identifiers of employees or prospective employees by employers; and
  • prohibiting a data controller from refusing the provision of a good or service if a data subject refuses to consent unless the collection of the biometric identifier is necessary for the good or service.

You can read the bill here and track its progress here.