Colorado Legislature Passes Biometric Privacy Bill

Husch Blackwell LLP

In late April, the Colorado legislature passed HB 1130, which amends the Colorado Privacy Act (CPA) to add protections for an individual’s biometric data and identifiers. Subject to the procedural formalities in the legislature, the bill will move to Colorado Governor Jared Polis for consideration. Assuming the bill becomes law, it will go into effect on July 1, 2025, and create several new obligations for entities that collect biometric data and identifiers. In addition, the bill’s requirements will apply to more entities than are currently covered by the CPA and will apply to employee data.

In the article below, we first provide a brief overview of the CPA’s existing treatment of biometric data. We then discuss the new obligations created by HB 1130.

Colorado Privacy Act’s Existing Treatment of Biometric Data

The CPA already contains provisions regarding the processing of biometric data. Specifically, the CPA’s definition of sensitive data includes “biometric data that may be processed for the purposes of uniquely identifying an individual.” See C.R.S. § 6-1-1303(24). Notably, the CPA does not define the term “biometric data,” which makes Colorado an outlier among other state consumer data privacy laws.

By including biometric data in the CPA’s definition of sensitive data, controllers subject to the CPA must obtain consumer consent prior to processing it. See C.R.S. § 6-1-1308(7). In addition, the CPA’s other provisions apply to the processing of biometric data, including the rights to access, delete, and correct found in C.R.S. § 6-1-1306(1).

Although the CPA does not define biometric data, the Colorado Attorney General’s Office provided the following definitions of both biometric data and biometric identifiers as part of its CPA rulemaking process:

“Biometric Data” as referred to in C.R.S. § 6-1-1303(24)(b) means Biometric Identifiers that are used or intended to be used, singly or in combination with each other or with other Personal Data, for identification purposes. Unless such data is used for identification purposes, “Biometric Data” does not include (a) a digital or physical photograph, (b) an audio or voice recording, or (c) any data generated from a digital or physical photograph or an audio or video recording.

“Biometric Identifiers” means data generated by the technological processing, measurement, or analysis of an individual’s biological, physical, or behavioral characteristics that can be Processed for the purpose of uniquely identifying an individual, including but not limited to a fingerprint, a voiceprint, scans or records of eye retinas or irises, facial mapping, facial geometry, facial templates, or other unique biological, physical, or behavioral patterns or characteristics.

The CPA Rules specifically address biometric data and identifiers in two parts. First, the Rules state that the CPA’s definition of publicly available information does not include biometric data. See Rule 2.02. Second, the Rules provide that controllers do not need to provide biometric data or identifiers to an individual in response to an access request. See Rule 4.04D.

The CPA Rules also create numerous requirements for the processing of biometric data and identifiers through the Rules’ treatment of sensitive data. For example, controllers must identify the categories of sensitive data they process in their privacy notices and delete sensitive data or otherwise render it permanently anonymized or inaccessible within a reasonable period of time after a consumer withdraws her consent. See Rules 6.03A.1.a and 6.07B.3. Part 7 also applies to the collection and processing of sensitive data and creates numerous obligations for obtaining consumer consent to such processing, including the sale of sensitive data.

New Obligations Created by HB 1130

Applicability

The bill adds a new applicability section to the CPA that results in HB 1130’s requirements applying more broadly than the current CPA’s requirements.

By way of background, the CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado residents and either control or process the personal data of 100,000 or more Colorado residents annually or derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado residents. See C.R.S. § 6-1-1304.

The bill adds a new subparagraph (b) to section 6-1-1304 which, in summary, states that the CPA’s provisions regarding biometric data and identifiers apply to any controller that controls or processes any amount of biometric data or identifiers regardless of whether the controller meets the 100,000 / 25,000 thresholds described above. Stated differently, all entities that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado residents must comply with the CPA for the purposes of collecting and processing biometric data and identifiers.

It should be noted that because HB 1130 adds this provision into section 6-1-1304, the CPA’s existing exemptions and exceptions found in section 6-1-1304(2) apply to the new requirements. The bill’s preamble reiterates this point, stating: “The [CPA] includes a variety of exceptions to the requirements established in this act, including permitted uses of biometric data for public safety needs, and all of the exceptions that apply to the entirety of the [CPA] apply to the protections established for biometric data and biometric identifiers in this act.” Therefore, and for example, GLBA-regulated financial institutions are still exempt and controllers can still collect biometric data and identifiers to provide products or services specifically requested by a consumer.

Definitions

HB 1130 amends the CPA to add definitions of “biometric data” and “biometric identifiers.” The definitions substantively track the definitions of these terms from the existing CPA Rules, thereby creating interoperability. That said, it is important to note that HB 1130’s provisions do not universally apply to both biometric data and identifiers. Rather, the bill’s provisions often apply to one or the other term. Therefore, the distinction between the two becomes important for compliance purposes. It also should be kept in mind that the definition of biometric data incorporates biometric identifiers but not vice versa.

HB 1130 also adds new definitions for “collect,” “employee,” and “legally authorized representative” but these definitions are added to section 6-1-1314 and not to the CPA’s definitions contained in 6-1-1303. This is important in the context of the bill’s definition of “collect” and the CPA’s existing definition of processing.

The bill defines collect broadly to mean “to access, assemble, buy, rent, gather, procure, receive, capture, or otherwise obtain any biometric identifiers or biometric data.” It also includes both actively and passively receiving biometric data or identifiers from a consumer or from a third party as well as obtaining biometric data (but not identifiers) by observing a consumer’s behavior.

In turn, the CPA already defines “processing” to include “collect.” If HB 1130’s definition of collect were added to the CPA’s existing definitions, it would result in the definition of collect applying more broadly than stated in HB 1130. By keeping the definition in a separate section, HB 1130 leaves the CPA’s existing definition of processing intact.

Consumers

HB 1130 creates different obligations based on whether the subject data collected is from consumers or employees. In this section, we discuss the obligations for consumer data. In the next section, we discuss the obligations for employee data.

Consent

Controllers must obtain consent from a consumer or their legally authorized representative (a parent or legal guardian if the consumer is a minor, or a legal guardian of an adult) before collecting biometric data and “as required by” C.R.S. § 6-1-1308(7), which is the CPA’s existing requirement for controllers to obtain consent for the processing of sensitive data. Consequently, controllers not already subject to the CPA should consider the Colorado Attorney General’s extensive rulemaking around consent when they drive compliance with this requirement.

Further, an important distinction is that the CPA requires consent to process sensitive data whereas HB 1130 requires consent before collecting biometric data. As noted, the bill’s definition of collect includes active and passive collection as well as obtaining biometric data by observing the consumer’s behavior.

Disclosures

Before collecting or processing biometric identifiers, controllers must inform the consumer or the consumer’s legally authorized representative in a clear, reasonably accessible, and understandable manner that (1) a biometric identifier is being collected; (2) the specific purpose for which a biometric identifier is being collected; (3) the length of time that the controller will retain the biometric identifier; and (4) if the biometric identifier will be disclosed, redisclosed, or otherwise disseminated to a processor and the purpose for which the biometric identifier is being shared with a processor.

Prohibitions

HB 1130 creates two prohibitions for controllers that process biometric identifiers.

First, HB 1130 expressly prohibits controllers from selling, leasing, or trading a biometric identifier with any entity. There do not appear to be any exemptions to this prohibition other than those exemptions that generally apply to the CPA.

Second, the bill prohibits controllers from disclosing, redisclosing, or otherwise disseminating the biometric identifier. The bill creates four exceptions to this prohibition: (1) the consumer or consumer’s legally authorized representative consents; (2) it is for the purpose of completing a financial transaction requested or authorized by the consumer or consumer’s legally authorized representative; (3) it is to a processor and necessary for the purpose for which the biometric identifier was collected and to which consent was obtained; or (4) it is required by state or federal law.

In a separate paragraph, the bill creates three additional prohibitions that apply to controllers.

First, controllers may not refuse to provide a good or service to a consumer based on the consumer’s refusal to consent to the controller’s collection, use, disclosure, transfer, sale, retention, or processing of a biometric identifier unless the aforementioned activities are necessary to provide the underlying good or service.

Second, controllers cannot charge a different price for a good or service or provide a different level of quality of a good or service to any consumer that exercises their rights under the bill.

Third, controllers cannot buy a biometric identifier unless they pay the consumer for the collection, the purchase is unrelated to the provision of a product or service to the consumer, and the controller has obtained consent.

Information Security

Controllers will be subject to the standard of care within the controller’s industry and in accordance with the CPA as it relates to storing, transmitting, and protecting from disclosure all biometric identifiers. This section also applies to processors. As discussed below, this area is identified as one for potential further rulemaking. It is worth noting that information security obligations for biometric data also exist under C.R.S. § 6-1-713.5.

Integration of CPA’s Controller Duties

Finally, the bill states that controllers cannot collect or process a biometric identifier unless they satisfy the “duties required by [CPA] section 6-1-1308.” That section sets forth the CPA’s requirements as to transparency, purpose specification, data minimization, duty to avoid secondary use, duty of care, duty to avoid unlawful discrimination, and requirement to obtain consent to process sensitive data.

Right to Access

The bill also creates a right to access but applies that right to a more limited set of controllers.

Specifically, upon request from a consumer or their legally authorized representative, controllers must disclose to the consumer, free of charge, the category or description of the consumer’s biometric data including the source from which the data was collected, the purpose for the collection and processing of the data, the identity of any third party to whom the controller disclosed the biometric data and the purpose for disclosure.

Of note, the bill does not state that this is a verified request, which is the standard under the CPA. Therefore, controllers subject to both the CPA and HB 1130 will need to consider responding to a new type of request to access – although the bill does not contain any language requiring controllers to disclose this right in a privacy policy or to provide a specific means for receiving such requests. Presumably, this may be an area for Attorney General rulemaking.

As noted, this right also applies to a more limited set of controllers that is closer to the CPA’s applicability requirements. Specifically, the bill states that the right applies “only to” a “sole proprietorship, a partnership, a limited liability company, a corporation, an association or another legal entity that” (1) conducts business in Colorado or produces or delivers commercial products or services that are marketed to Colorado residents; (2) collects biometric data or has biometric data collected on its behalf; and (3) either collects or processes the personal data of 100,000 or more individuals (not consumers) during a calendar year or collects and processes the personal data of 25,000 or more individuals and derives revenue from, or receives a discount on the price of goods or services from, the sale of data. Borrowing from CCPA concepts, the bill also applies this right to a controller that controls or is controlled by another controller and shares “common branding” or certain types of joint ventures.

Employees

HB 1130 also generally requires that an employer and its processors obtain an employee’s or prospective employee’s consent to collect and process biometric identifiers. Except as discussed below, an employer cannot require that an employee or prospective employee consent to the collection or processing as a condition of employment or retaliate if consent is not provided. In apparent recognition that consent in the employment context is a murky concept, the bill states that consent is considered to be “freely given and valid” if it satisfies the CPA’s definition of consent (although it could be argued that this provision is self-defeating).

The bill also creates several instances for when employers can require, as a condition of employment, that an employee or prospective employee consent to the collection and processing of their biometric identifier:

  • To permit access to secure physical locations and secure electronic hardware and software applications, though consent shall not be obtained for retaining biometric data for the purpose of tracking an employee’s location or the time that an employee spends using a hardware or software application;
  • Recording an employee’s time entries at the start/end of their workday, including any meal and rest breaks in excess of 30 minutes; and
  • To improve or monitor workplace safety or security for employees or the public in the event of an emergency or crisis.

HB 1130 does not restrict an employer from collecting and processing an employee’s biometric identifier for uses aligned with the employee’s job description or role, or a prospective employee for purposes of obtaining a reasonable background check, application, or identification requirements “in accordance with this section.”

Written Policy and Retention

Whether biometric data and identifiers are collected or processed for consumers or employees, a controller must adopt a written policy that meets certain requirements. However, in reviewing this section of the bill it is important to note that some provisions refer specifically to consumers and not employees. The CPA defines “consumer” to exclude individuals acting in an “employment context [or] as a job applicant.” Consequently, the written policy requirements are not the same for employees as they are for consumers.

The written policy must include:

  • A retention schedule for biometric data and identifiers.
  • A protocol for responding to a data security incident that may compromise the security of biometric data or identifiers, which includes a process for notifying consumers (but not employees) of the breach.
  • Guidelines requiring the deletion of a biometric identifier (but not biometric data) on or before the earliest of: (a) the date upon which the initial purpose for collecting the biometric identifier has been satisfied; (b) 24 months after the consumer’s (but not employee’s) last interaction with the controller; or (c) no more than 45 days after a controller determines that the storage of the biometric identifier is no longer necessary, adequate, or relevant which is to be reviewed on an annual basis.

The written policy must be publicly available unless it applies only to a controller’s current employees, the written policy is used solely by employees and agents of the controller for the controller’s operations, or the internal protocol for responding to a data security incident may compromise the security of biometric data or identifiers. The bill does not state how the policy must be made available to the public.

Processor Obligations

Processors of biometric data or identifiers are required to have a protocol for responding to a data security incident that may compromise that information. That protocol must include a process for notifying the controller when the security of a consumer’s biometric data or identifier has been breached pursuant to Colorado’s breach notification statute.

Rulemaking

The bill authorizes – but does not require – the Colorado Attorney General’s office to promulgate rules. The office also may consult with the Office of Information Technology and the Department of Regulatory Agencies to establish security standards for biometric identifiers and data “that are more stringent than the requirements described” in the bill.

Enforcement

The bill’s provisions are enforceable by the Colorado Attorney General and district attorneys.

Effective Date

The bill takes effect July 1, 2025, and applies to the collection, retention, processing, and use of biometric data and identifiers after the effective date.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Husch Blackwell LLP | Attorney Advertising