Colorado: Finalized Rules for Colorado Privacy Act

APPLIES TO

All Employers with Employees in CO

EFFECTIVE

As Indicated

QUESTIONS?

Contact HR On-Call

(888) 378-2456

Quick Look

  • HB 24-1130 adds protections for individuals’ biometric data by requiring entities that control or process one or more biometric identifiers to meet certain obligations.
  • This applies in the employment context to employers who require employees to provide biometric data for matters such as access, security, or timekeeping.

Discussion:

Finalized rules addressing amendments to the Colorado Privacy Act (CPA) go into effect later this year. SB 24-041 goes into effect on October 1, 2025, and addresses additional requirements for entities that offer any “online service, product or feature to [Colorado residents] whom the controller actually knows or willfully disregards is under the age of 18 and their processors.” A “controller” is a person that controls or processes one or more biometric identifiers. HB 24-1130 is effective July 1, 2025, and affects all employers.


HB 24-1130 adds protections for individuals’ biometric data by requiring controllers to meet certain obligations. This would apply in the employment context for those employers who require employees to provide biometric data for matters such as access, security, or timekeeping. Biometric data means one or more biometric identifiers that are used or intended to be used, singly or in combination with each other or with other personal data, for identification purposes. A biometric identifier means data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics, which data can be processed for the purpose of uniquely identifying an individual. This includes fingerprints, voiceprints, a scan or record of an eye retina or iris, a facial map, facial geometry, or facial template or other unique biological, physical, or behavioral patterns or characteristics.


The employer or controller must adopt a written policy with the following components:


  • A retention schedule for biometric identifiers and data;
  • A protocol for responding to a data security incident that may compromise the security of biometric identifiers or data;
  • Guidelines requiring the deletion of a biometric identifier on or before certain dates; and
  • A provision making the written policy available to the public.


Additional requirements also apply to collection and disclosure of such biometric identifiers. A controller is prohibited from collecting a biometric identifier unless they have provided a disclosure notice and obtained consent. The disclosure must include how the individual’s biometric identifier is to be used. Employers requiring the collection of biometric identifiers as a condition of employment must comply with the requirements of the CPA.


Action Items

  1. Review the final rules here.
  2. Review collection and use of biometric data and identifiers.
  3. Create a written policy in accordance with the requirements.
  4. Provide employees with a written disclosure and obtain consent in accordance with the requirements.
  5. Create protocols for responding to security breach incidents involving biometric data or identifiers.
  6. Review required policy, notice, and disclosure requirements with legal counsel.
  7. Have appropriate personnel trained on the requirements.

Disclaimer: This document is designed to provide general information and guidance concerning employment-related issues. It is presented with the understanding that ManagEase is not engaged in rendering any legal opinions. If a legal opinion is needed, please contact the services of your own legal adviser. © 2025 ManagEase