On May 31, 2024, Colorado Governor Jared Polis signed HB 1130 into law. This legislation amends the Colorado Privacy Act to add specific requirements for the processing of an individual’s biometric data. This law does not have a private right of action.

Similarly to the Illinois Biometric Information Privacy Act (BIPA), this law requires controllers to provide notice and obtain consent prior to the collection or processing of a biometric identifier. The law also prohibits controllers from selling or disclosing biometric identifiers unless the customer consents or unless disclosure is necessary to fulfill the purpose of collection, to complete a financial transaction, or is required by law.

The law contains several novel requirements. For instance, it prevents a controller from purchasing a biometric identifier unless: (a) they pay the consumer, (b) they obtain the consumer’s consent, and (c) the purchase is unrelated to the provision of a product or service to the customer. Additionally, it requires companies meeting certain thresholds to disclose detailed information about their biometric data collection and use upon consumer request, including the source from which the controller accessed the data and the purpose for which it was processed.

The law also sets forth retention requirements that differ from those of BIPA. Specifically, controllers processing biometric data must adopt written guidelines that require the permanent destruction of a biometric identifier by the earliest of: (a) the date upon which the initial purpose for collecting the biometric identifier has been satisfied; (b) 24 months after the consumer last interacted with the controller; or (c) the earliest reasonably feasible date. The earliest reasonably feasible date must be no more than 45 days after a controller determines that storing the biometric identifier is no longer necessary or relevant to the express processing purpose, as identified by an annual review. The controller may extend the 45-day period by up to 45 additional days if necessary given the complexity and amount of biometric identifiers to be deleted. The written policy must also establish a retention schedule for biometric identifiers and include a protocol for responding to a breach of security involving biometric data. Note that the controller need not publish policies applying only to current employees or internal protocols for responding to security incidents.

Lastly, the law contains guidance on the use of biometric systems by employers. It specifies that employers may collect biometric identifiers as a condition of employment, but only to: permit access to secure physical locations or hardware (and not to track a current employee’s location or how much time they spend using an application); record the start and end of a work day; and improve workplace and public safety. The collection of biometric identifiers from employees for other reasons may not be a condition of employment and may occur only with consent. The law contains a broad statement that employers may still collect and process employees’ biometric identifiers for uses aligned with the employee’s reasonable expectations based on the role.

Priya Leeds

Priya Sundaresan Leeds is an associate in the firm’s San Francisco office. She is a member of the Privacy and Cybersecurity Practice Group. She also maintains an active pro bono practice with a focus on gun control and criminal justice.

Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.