Colorado: Bill amending CPA to address biometric identifiers signed by Governor

On May 31, 2024, House Bill 24-1130 for an Act concerning protecting the privacy of an individual's biometric data was signed by the Colorado Governor into law. The Act will take effect on July 1, 2025, unless an amendment is filed as described within the Act. 

Scope of the Act

The Act amends the Colorado Privacy Act (CPA) to add protections for biometric data by requiring controllers to adopt a written policy that:

  • establishes a retention schedule for biometric identifiers;
  • includes a protocol for responding to a breach of security of biometric data; and
  • includes guidelines that require the permanent destruction of a biometric identifier.

The Act also:

  • prohibits data controllers from collecting a biometric identifier unless the controller first satisfies certain disclosure and consent requirements;
  • specifies certain prohibited acts and requirements for data controllers that collect and use biometric data;
  • requires a data controller to allow a consumer to access and update a biometric identifier;
  • restricts an employer's permissible reasons for obtaining an employee's consent for the collection of biometric identifiers; and
  • authorizes the Colorado Attorney General (AG) to promulgate the Act's implementation rules.

Obligations for controllers

The Act places obligations on controllers including:

  • requiring the destruction of biometric data within 45 days after receiving a verified request;
  • prohibiting a controller from buying biometric identifiers without fulfilling additional requirements;
  • banning the collection of biometric identifiers of employees or prospective employees by employers; and
  • prohibiting a controller from refusing the provision of a good or service if a data subject refuses to consent unless the collection of the biometric identifier is necessary for the good or service.

You can read the signed Act here and view the legislative history here.