Colorado Privacy of Biometric Identifiers & Data (Effective July 1, 2025)
Colo. Rev. Stat. § 6-1-1314
SUMMARY:
The CPA law was amended in 2024 to introduce specific protections for individuals' biometric data. Entities that control or process biometric identifiers must adopt a written policy outlining a retention schedule for biometric data, a response protocol for data security incidents, and guidelines for deleting biometric identifiers by specified dates. With certain exceptions, this policy must be made publicly available. The law also imposes new disclosure and consent requirements for collecting biometric data, restricts employers' ability to obtain employee consent for biometric data collection, and mandates that controllers inform consumers about the use of their biometric identifiers. The attorney general is authorized to create additional rules to enforce these provisions. The update was approved by the Governor on May 31, 2024.
CITATION:
Colorado Revised Statutes Annotated
Title 6. Consumer and Commercial Affairs (§§ 6-1-101 — 6-28-102)
Fair Trade and Restraint of Trade (Arts. 1 — 6.5)
Article 1. Colorado Consumer Protection Act (Pts. 1 — 15)
Part 13. Colorado Privacy Act (§§ 6-1-1301 — 6-1-1313)
6-1-1314. Biometric data and biometric identifiers - controllers - duties and requirements - written policy - prohibited acts - right to correct biometric identifiers - right to access biometric identifiers - remedies and civil actions - rules - definitions.
EFFECTIVE: July 1, 2025
6-1-1314. Biometric data and biometric identifiers - controllers - duties and requirements - written policy - prohibited acts - right to correct biometric identifiers - right to access biometric identifiers - remedies and civil actions - rules - definitions.
(1) [Editor’s note: This section is effective July 1, 2025.] As used in this section, unless the context otherwise requires:
(a) “Collect”, “collection”, or “collecting” means to access, assemble, buy, rent, gather, procure, receive, capture, or otherwise obtain any biometric identifier or biometric data pertaining to a consumer by any means, online or offline, including:
(I) Actively or passively receiving a biometric identifier or biometric data from the consumer or from a third party; and
(II) Obtaining biometric data by observing the consumer’s behavior.
(b) “Employee” means an individual who is employed full-time, part-time, or on-call or who is hired as a contractor, subcontractor, intern, or fellow.
(c) “Legally authorized representative” means a parent or legal guardian of a minor or a legal guardian of an adult.
(2) Written policy required.
(a) A controller that controls or processes one or more biometric identifiers shall adopt a written policy that:
(I) Establishes a retention schedule for biometric identifiers and biometric data;
(II) Includes a protocol for responding to a data security incident that may compromise the security of biometric identifiers or biometric data, including a process for notifying a consumer when the security of the consumer’s biometric identifier or biometric data has been breached, pursuant to section 6-1-716; and
(III) Includes guidelines that require the deletion of a biometric identifier on or before the earliest of the following dates:
(A) The date upon which the initial purpose for collecting the biometric identifier has been satisfied;
(B) Twenty-four months after the consumer last interacted with the controller; or
(C) The earliest reasonably feasible date, which date must be no more than forty-five days after a controller determines that storage of the biometric identifier is no longer necessary, adequate, or relevant to the express processing purpose identified by a review conducted by the controller at least once annually. The controller may extend the forty-five-day period described in this subsection (2)(a)(III)(C) by up to forty-five additional days if such an extension is reasonably necessary, taking into account the complexity and number of biometric identifiers required to be deleted.
(b) A controller shall make its policy adopted pursuant to subsection (2)(a) of this section available to the public; except that a controller is not required to make available to the public:
(I) A written policy that applies only to current employees of the controller;
(II) A written policy that is used solely by employees and agents of the controller for the operation of the controller; or
(III) The internal protocol for responding to a data security incident that may compromise the security of biometric identifiers or biometric data.
(3) Processors - security breach protocols. A processor of biometric identifiers or biometric data must have a protocol for responding to a data security incident that may compromise the security of biometric identifiers or biometric data, including a process for notifying the controller when the security of a consumer’s biometric identifier or biometric data has been breached, pursuant to section 6-1-716.
(4) Collection and retention of biometric identifiers - requirements - prohibited acts.
(a) A controller shall not collect or process a biometric identifier of a consumer unless the controller first:
(I) Satisfies all duties required by section 6-1-1308;
(II) Informs the consumer or the consumer’s legally authorized representative in a clear, reasonably accessible, and understandable manner that a biometric identifier is being collected;
(III) Informs the consumer or the consumer’s legally authorized representative in a clear, reasonably accessible, and understandable manner of the specific purpose for which a biometric identifier is being collected and the length of time that the controller will retain the biometric identifier; and
(IV) Informs the consumer or the consumer’s legally authorized representative in a clear, reasonably accessible, and understandable manner if the biometric identifier will be disclosed, redisclosed, or otherwise disseminated to a processor and the specific purpose for which the biometric identifier is being shared with a processor.
(b) A controller that processes a consumer’s biometric identifier shall not:
(I) Sell, lease, or trade the biometric identifier with any entity; or
(II) Disclose, redisclose, or otherwise disseminate the biometric identifier unless:
(A) The consumer or the consumer’s legally authorized representative consents to the disclosure, redisclosure, or other dissemination;
(B) The disclosure, redisclosure, or other dissemination is requested or authorized by the consumer or the consumer’s legally authorized representative for the purpose of completing a financial transaction;
(C) The disclosure, redisclosure, or other dissemination is to a processor and is necessary for the purpose for which the biometric identifier was collected and to which the consumer or the consumer’s legally authorized representative consented; or
(D) The disclosure, redisclosure, or other dissemination is required by state or federal law.
(c) A controller shall not:
(I) Refuse to provide a good or service to a consumer based on the consumer’s refusal to consent to the controller’s collection, use, disclosure, transfer, sale, retention, or processing of a biometric identifier unless the collection, use, disclosure, transfer, sale, retention, or processing of the biometric identifier is necessary to provide the good or service;
(II) Charge a different price or rate for a good or service or provide a different level of quality of a good or service to any consumer who exercises the consumer’s rights under this part 13; or
(III) Purchase a biometric identifier unless the controller pays the consumer for the collection of the consumer’s biometric identifier, the purchase is unrelated to the provision of a product or service to the consumer, and the controller has obtained consent as described in subsection (4)(a) of this section.
(d) A controller or processor shall store, transmit, and protect from disclosure all biometric identifiers using the standard of care within the controller’s industry and in accordance with sections 6-1-1305 (4) and 6-1-1308 (5).
(e) A controller shall obtain consent from a consumer or from the consumer’s legally authorized representative before collecting the consumer’s biometric data, as required by section 6-1-1308 (7).
(5) Right to access biometric data - applicability - definition.
(a) Except as described in subsection (5)(b) of this section, at the request of a consumer or a consumer’s legally authorized representative, a controller that collects the consumer’s biometric data shall disclose to the consumer, free of charge, the category or description of the consumer’s biometric data and the following information:
(I) The source from which the controller collected the biometric data;
(II) The purpose for which the controller collected or processed the biometric data and any associated personal data;
(III) The identity of any third party with which the controller disclosed or discloses the biometric data and the purposes for disclosing; and
(IV) The category or a description of the specific biometric data that the controller discloses to third parties.
(b) The requirements of subsection (5)(a) of this section apply only to:
(I) A sole proprietorship, a partnership, a limited liability company, a corporation, an association, or another legal entity that:
(A) Conducts business in Colorado or produces or delivers commercial products or services that are marketed to Colorado residents;
(B) Collects biometric data or has biometric data collected on its behalf; and
(C) Either collects or processes the personal data of one hundred thousand individuals or more during a calendar year or collects and processes the personal data of twenty-five thousand individuals or more and derives revenue from, or receives a discount on the price of goods or services from, the sale of personal data;
(II) A controller that controls or is controlled by another controller and that shares common branding with the other controller. As used in this subsection (5)(b)(II), “common branding” means a shared name, service mark, or trademark that a consumer would reasonably understand to indicate that two or more entities are commonly owned.
(III) A joint venture or partnership consisting of no more than two businesses that share consumers’ personal data with each other.
(6) Use of consent by employers.
(a) An employer may require as a condition of employment that an employee or a prospective employee consent to allowing the employer to collect and process the employee’s or the prospective employee’s biometric identifier only to:
(I) Permit access to secure physical locations and secure electronic hardware and software applications; except that an employer shall not obtain the employee’s or prospective employee’s consent to retain biometric data that is used for current employee location tracking or the tracking of how much time the employee spends using a hardware or software application;
(II) Record the commencement and conclusion of the employee’s full work day, including meal breaks and rest breaks in excess of thirty minutes;
(III) Improve or monitor workplace safety or security or ensure the safety or security of employees; or
(IV) Improve or monitor the safety or security of the public in the event of an emergency or crisis situation.
(b) An employer and its processor may collect and process an employee’s or prospective employee’s biometric identifier for uses other than those described in subsection (6)(a) of this section only with the employee’s or prospective employee’s consent. An employer may not require that an employee or prospective employee consent to such collection or processing as a condition of employment or retaliate against an employee or prospective employee who does not consent to such collection or processing.
(c) So long as consent that is obtained for collection and processing as described in this section satisfies the definition of consent provided in section 6-1-1303 (5), consent is considered to be freely given and valid for the purposes described in subsection (6)(a) of this section.
(d) Nothing in this section restricts an employer’s or its processor’s ability to collect and process an employee’s or prospective employee’s biometric identifier for uses aligned with the reasonable expectations of:
(I) An employee based on the employee’s job description or role; or
(II) A prospective employee based on a reasonable background check, an application, or identification requirements in accordance with this section.
(7) Rules. The department of law may promulgate rules for the implementation of this section, including rules promulgated in consultation with the office of information technology and the department of regulatory agencies establishing appropriate security standards for biometric identifiers and biometric data that are more stringent than the requirements described in this section.
History
Source: L. 2024: Entire section added, (HB 24-1130), ch. 313, p. 2102, § 2, effective July 1, 2025.
For more information, see here: https://advance.lexis.com/documentpage/?pdmfid=1000516&crid=c5d0c194-186d-4fc4-a829-d7022b53b3c1&pdistocdocslideraccess=true&config=014FJAAyNGJkY2Y4Zi1mNjgyLTRkN2YtYmE4OS03NTYzNzYzOTg0OGEKAFBvZENhdGFsb2d592qv2Kywlf8caKqYROP5&pddocfullpath=%2Fshared%2Fdocument%2Fstatutes-legislation%2Furn%3AcontentItem%3A6CDJ-MFF3-RRNJ-Y41R-00008-00&pdcomponentid=234177&pdtocnodeidentifier=AAGAABAABAAOAAS&ecomp=h2vckkk&prid=96d629cb-8adf-4379-8761-413e24556a22
These materials were obtained directly from the U.S. State Government public websites and are posted here for your review and reference only. No Claim to Original U.S. State Government Works. This may not be the most recent version. The U.S. State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.