On May 31, 2024, Colorado Governor Jared Polis signed HB 1130 into law. This legislation amends the Colorado Privacy Act to add specific requirements for the processing of an individual’s biometric data. This law does not have a private right of action.
Similarly to the Illinois Biometric Information Privacy Act (BIPA), this law requires controllers to provide notice and obtain consent prior to the collection or processing of a biometric identifier. The law also prohibits controllers from selling or disclosing biometric identifiers unless the customer consents or unless disclosure is necessary to fulfill the purpose of collection, to complete a financial transaction, or is required by law.
The law contains several novel requirements. For instance, it prevents a controller from purchasing a biometric identifier unless: (a) they pay the consumer, (b) they obtain the consumer’s consent, and (c) the purchase is unrelated to the provision of a product or service to the customer. Additionally, it requires companies meeting certain thresholds to disclose detailed information about their biometric data collection and use upon consumer request, including the source from which the controller accesses the data and the purpose for which it was processed.
The law also sets forth retention requirements that differ from those of BIPA. Specifically, controllers processing biometric data must adopt written guidelines that require the permanent destruction of a biometric identifier by the earliest of: (a) the date upon which the initial purpose for collecting the biometric identifier has been satisfied; (b) 24 months after the consumer last interacted with the controller; or (c) the earliest reasonably feasible date. The earliest reasonably feasible date must be no more than 45 days after a controller determines that storing the biometric identifier is no longer necessary or relevant to the express processing purpose, as identified by an annual review. The controller may extend the 45-day period by up to 45 additional days if necessary given the complexity and amount of biometric identifiers to be deleted. The written policy must also establish a retention schedule for biometric identifiers and include a protocol for responding to a breach of security involving biometric data. Note that the controller need not publish policies applying only to current employees or internal protocols for responding to security incidents.
Lastly, the law contains guidance on the use of biometric systems by employers. It specifies that employers may collect biometric identifiers as a condition of employment, but only to: permit access to secure physical locations or hardware (and not to track a current employee’s location or how much time they spend using an application); record the start and end of a work day; and improve workplace and public safety. The collection of biometric identifiers from employees for other reasons may not be a condition of employment and may occur only with consent. The law contains a broad statement that employers may still collect and process employees’ biometric identifiers for uses aligned with the employee’s reasonable expectations based on the role.