Colorado: Expanded Protections for Biometric Information under the Colorado Privacy Act
APPLIES TO: All Employers with Employees in CO
EFFECTIVE: July 1, 2025
QUESTIONS? Contact HR On-Call
Quick Look
Discussion
Colorado’s HB 1130 was recently signed by Governor Polis, amending the Colorado Privacy Act (CPA) to broaden protections for biometric data in several significant ways. Key aspects of the amendments are summarized below.
Application of CPA Amendments. As originally enacted, a controller is subject to the CPA if it: (i) determines the purposes and means of processing personal data, (ii) conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to residents of the state, and (iii) either: (a) controls or processes the personal data of more than 100,000 Colorado residents per year or (b) derives revenue from selling the personal data of more than 25,000 Colorado residents. HB 1130 adds that a controller can be subject to the CPA without meeting these requirements if it would otherwise be subject to the CPA solely to the extent that it controls or processes any amount of biometric data or biometric identifiers.
New Definitions. The amendments add the following definitions:
- “Employee” is defined to include not only individuals employed on a full or part-time basis, but also individuals who are “on-call” or hired as a “contractor, subcontractor, intern, or fellow.”
- “Biometric data” means one or more biometric identifiers that are used or intended to be used, singly or in combination with each other or with other personal data, for identification purposes. “Biometric data” does not include the following unless the biometric data is used for identification purposes: (i) a digital or physical photograph; (ii) an audio or voice recording; or (iii) any data generated from a digital or physical photograph or an audio or video recording.
- “Biometric identifier” means data generated by the technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics, which data can be processed for the purpose of uniquely identifying an individual. “Biometric identifier” includes: (a) a fingerprint; (b) a voiceprint; (c) a scan or record of an eye retina or iris; (d) a facial map, facial geometry, or facial template; or (e) other unique biological, physical, or behavioral patterns or characteristics.
New Controller Requirements. HB 1130 establishes several new requirements for controllers who control or process one or more biometric identifiers. These include:
- Obtaining consent from the consumer (including the employee) before collecting the consumer’s biometric data;
- Maintaining a written policy that establishes a retention schedule, identifies a process for responding to data security incidents, and establishes guidelines that address deletion of biometric identifiers; and
- Providing a reasonably accessible privacy notice that satisfies specific content requirements including the purposes for processing.
Prohibited Activities. Under HB 1130, controllers are prohibited from the following activities that concern biometric identifiers:
- Selling, leasing or trading such information;
- Disclosing biometric identifiers, subject to limited exceptions including consent and complying with federal or state law; and
- Refusing to provide a good or service to a consumer, based on the consumer’s refusal to consent to the controller’s collection, use, disclosure, etc. of a biometric identifier unless it is necessary to provide the good or service.
Employment Provisions. HB 1130 includes new provisions that are specific to employers. The amendments provide that employers may require current or prospective employees to allow the employer to collect and process their biometric identifiers, but that they may do so only to:
- Permit access to secure physical locations and secure electronic hardware and software applications;
- Record the commencement and conclusion of the employee’s full workday, including meal breaks and rest breaks in excess of 30 minutes;
- Improve or monitor workplace safety or security or ensure the safety or security of employees; and
- Improve or monitor the safety or security of the public in the event of an emergency or crisis situation.
Employers will be able to collect and process biometric identifiers where the anticipated uses are “aligned with the reasonable expectations” of an employee based on the employee’s job description or role, or a prospective employee based on reasonable background check, application, or identification requirements.
Action Items
- Prepare to implement privacy and data security policies.
- Prepare to implement employee notices and consent for biometric data collection.
- Have appropriate personnel trained on the collection and processing of biometric data and identifiers.
Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that ManagEase is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser. © 2024 ManagEase