Colorado: Expanded Biometric Data Protections Coming in 2025!
APPLIES TO Covered Employers with Employees in CO |
EFFECTIVE July 1, 2025 |
QUESTIONS? Contact HR On-Call |
Quick Look
|
Discussion:
HB 1130 amends the Colorado Privacy Act (CPA) to require expanded protections for the collection and use of biometric information. Although the bill applies broadly to consumers, it also applies in the context of employer and employee relationships. “Employee” also includes contractors, subcontractors, interns, and fellows. Covered biometric information includes the “technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics” that can uniquely identify an individual, such as a fingerprint; voiceprint; eye retina or iris scan; or facial map, geometry, or template.
An employer who controls or processes biometric identifiers must have a written policy that identifies a data retention schedule, a process for responding to data security incidents, and guidelines for when to delete biometric identifiers. The employer must give advance notification to employees that biometric data is being collected, the purpose for collecting the data, length of time that the data will be retained, and whether the data will be shared, including the reason for sharing it. Employers must obtain the individual’s consent before collecting biometric data.
Biometric data cannot be shared unless the individual consents, the individual requests that data be shared to complete a financial transaction, the individual consented to disclosure to a processor which is necessary for the purpose for which the data was collected, or is otherwise required by state or federal law. Employers must protect biometric data from disclosure using the standard of care within the employer’s industry.
Employers may require that employees and prospective employees provide their biometric data to permit access to physical locations or secure hardware or software applications, for timekeeping purposes, or workplace safety purposes. However, employers cannot require employees to provide biometric data to track their location or the amount of time they are using a hardware or software application. Employers are permitted to collect and process biometric data “for uses aligned with the reasonable expectations” based on an employee’s job description or role, or conducting a background check of a prospective employee, provided that the applicable requirements are met.
Action Items
- Review the bill here.
- Implement policy on collecting and using biometric identifiers.
- Prepare required employee notice and consent processes.
Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that ManagEase is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser. © 2024 ManagEase