What to Know About Colorado’s New Biometric Data Requirements

Colorado Adds New Requirements for Biometric Data to Its Privacy Law: Marginal Adjustments in Contrast to Illinois BIPA

On May 31, 2024, Colorado Gov. Jared Polis signed into law HB-1130, which broadens the scope and adds some new requirements for collecting and processing biometric data under the Colorado Privacy Act (CPA) passed in 2021.

As originally introduced, the measure would “bolt on” misaligned provisions similar to the Illinois Biometric Information Protection Act (BIPA). This proposal was broadly panned by stakeholders as problematic and unnecessary, given that the CPA, which had just gone into effect in July 2023, already addresses and protects biometric data. As a result, a completely different bill was negotiated that is in closer alignment with existing CPA provisions on biometric data (related to consent and data retention for example), as well as CPA regulations and data breach and other related laws, in many cases by restating or referencing these existing requirements. At the same time, there were some substantial changes to the CPA.

General Summary

Note these changes only apply with respect to biometric data and biometric identifiers (as defined):

Scope Expansion

  • Employers will now have to follow requirements with respect to employee biometric data (the CPA had been limited to consumer data, specifically excluding employee data).
  • Any controller that controls or processes “any amount”  of biometric identifiers or biometric data will be subject to the requirements, removing the applicability threshold. For all other types of personal data regulated by the CPA, an applicability threshold remains for controllers, which is 1) controlling or processing the personal data of 100,000 consumers (Colorado residents) or more during a calendar year, and/or 2) deriving revenue from the sale of personal data and controlling or processing the personal data of 25,000 consumers or more.

New Requirements

  • Notice to consumers regarding collection and use of biometric information, which must include elements as stipulated.
  • Prohibiting the sale, lease or trade of biometric identifiers.
  • More detailed consumer rights to access and “correct” biometric data retained by controllers than were originally included under the CPA.  
  • Employers will be subject to new rules regarding employee biometric data. An employer will only be allowed to require collection and processing of biometric data to:
    • Permit access to secure physical locations and secure electronic hardware and software applications
    • Record the commencement and conclusion of the employee’s full work day
    • Improve or monitor workplace safety or security or ensure the safety or security of employees
    • Improve or monitor the safety or security of the public in the event of an emergency or crisis situation

Otherwise, such collection and processing must be consent-based and cannot be required as a condition of employment; however, employers will still be able to collect and process biometric identifiers for “uses aligned with the reasonable expectations” of an employee based on the employee’s job description or role, or a prospective employee based on reasonable background check, application or identification requirements.

Implications and Key Considerations for the Security Industry

The final measure reflects several priorities advocated by the Security Industry Association (SIA) and other stakeholders throughout the legislative process. Among other changes, this included authorization of workplace safety applications (described above), alignment of data retention and destruction requirements with existing CPA rules and ensuring key activities exempted from CPA requirements (which include security applications) continue to be exempt under the new biometrics provisions that are added.

A key legislative declaration in HB-1130 clarifies that CPA exceptions are preserved:

“…While increasing protections for individuals’ biometric identifiers is of the utmost importance, critical privacy protections must be balanced with the use of biometric data to support public safety as outlined in state and federal statutes. The ‘Colorado Privacy Act’, part 13 of article 1 of title 6, Colorado Revised Statutes, includes a variety of exceptions to the requirements established in this act, including permitted uses of biometric data for public safety needs, and all of the exceptions that apply to the entirety of the ‘Colorado Privacy Act’ apply to the protections established for biometric data and biometric identifiers in this act.”

Under CPA subpart 6-1-1304 (3), subsections VII, IX and X exempt private entities’ efforts to provide physical security in their establishments. Subsection III exempts activities to assist law enforcement investigations.

Further Considerations

  • This additional layering of requirements in Colorado is highly unusual, as the only state in 2024 so far to enact a measure on biometrics and doing so where a comprehensive privacy law protecting this data already existed. In any case, same as in recent years, all state proposals introduced mirroring Illinois’ BIPA law have failed so far (in fact, no state has replicated this highly problematic law since it was enacted in 2008).
  • Applicability to employee data was strongly opposed by Colorado’s business community, as it had been outside the scope of the CPA and is already protected by numerous federal laws. All other state comprehensive data privacy laws except California exclude such data and focus exclusively on consumer data, which is a fundamentally different context. This is something to watch for and address in potential future legislation.
  • The new provisions are effective July 1, 2025. Note these provisions, like the rest of the CPA, are subject to enforcement by the Colorado attorney general, who also has the authority to issue implementing regulations. Fines under Colorado’s consumer protection statutes can be significant, from $2,000 to $20,000 per violation; however, there is no private right of action provided in the measure.
  • There is no doubt this new regulatory complexity will make it more difficult for biometric technology providers to do business in Colorado and for consumers to benefit from these technologies. As always, in evaluating the applicability and of new requirements, companies should consult advice from a qualified attorney or other professional advisor in relation to any compliance questions.

SIA will continue to track developments and provide analysis related to Colorado’s privacy law, and we continue to welcome any member feedback. For further information, contact SIA Senior Director of Government Relations Jake Parker at jparker@securityindustry.org