Colorado Department of Law Proposes Amendments to the Colorado Privacy Act Regulations Regarding Biometric and Minors’ Data

Public Comments Accepted Until November 7

On September 13, 2024, the Colorado Attorney General’s office (the Colorado Department of Law) proposed draft amendments (draft regulations) to its Colorado Privacy Act (CPA) regulations, which took effect in 2023. The draft regulations implement two new Colorado laws on biometric data (HB 24-1130) and minors’ data (SB 24-041) passed earlier this year, both of which amend the CPA. This alert provides an overview of these laws and key related draft regulations.

Key Takeaways

• Before collecting biometric identifiers, businesses must provide notice of the collection in a clear and reasonably accessible manner.
• Businesses that possess biometric identifiers must also implement a written and publicly available biometric identifier policy that includes a retention schedule, a protocol for responding to data security incidents, and mandatory deletion guidelines.
• Businesses that offer an online service, product, or feature to a consumer who the business knows or willfully disregards is a minor are: required to use reasonable care to avoid a heightened risk of harm to minors; required to obtain consent before processing minors’ data for certain purposes; and required to conduct data protection assessments.
• The Attorney General’s office will be accepting public comments on the draft regulations from September 25 to November 7, 2024, and a public hearing is set for November 7, 2024.

Biometric Information Requirements

Set to take effect on July 1, 2025, HB 24-1130 (the Biometric Bill) amends the CPA to add requirements for businesses that control or process biometric identifiers and biometric data, covering notice and consent, collection, disclosure, a written biometric information policy, and more.

The Biometric Bill defines “biometric identifiers” to include a consumer’s fingerprints, voiceprints, scans or records of an eye or iris, a facial map, or other unique biological, physical, or behavioral patterns or characteristics that can be processed for the purpose of uniquely identifying an individual. Meanwhile, “biometric data” is defined as one or more biometric identifiers that are used or intended to be used for identification purposes. This alert uses the term “biometric information” to refer to both biometric identifiers and biometric data collectively.

Scope (and Exceptions): While the Biometric Bill amends and forms part of the CPA, its applicability is broader than the CPA in that it covers businesses who control or process any amount of biometric information. Businesses that meet the Biometric Bill’s applicability requirements, but not the CPA’s, would need to comply with both, but only with respect to the biometric information that the business collects or processes.

Furthermore, because the Biometric Bill’s requirements are part of the CPA, the CPA’s general exceptions also apply to the Biometric Bill’s requirements. This, however, creates some ambiguity for certain biometric information processing scenarios. For example, the Biometric Bill includes legislative findings that recount cases where facial recognition technology has misidentified someone as a shoplifter, noting the associated risks that could befall consumers; nevertheless, the CPA’s general exceptions state that “[t]he obligations imposed on controllers or processors under this part 13 … do not … [r]estrict a controller's or processor's ability to … [p]revent, detect, protect against, or respond to … illegal activity … or investigate, report, or prosecute those responsible for any such action.”¹ In practice, the broad applicability of the CPA’s exceptions may run counter to the goals of the Biometric Bill in some circumstances, and for now, the draft regulations are silent on this tension.

Collection: Under the Biometric Bill, before collecting biometric identifiers (i.e., certain information that can be processed for the purpose of uniquely identifying an individual), businesses must provide notice of the collection in a clear and reasonably accessible manner. The notice must identify the purpose for collecting biometric identifiers, the length of retention, whether the identifiers will be disclosed to a processor, and the purpose for disclosure if disclosed. Businesses must also obtain consent from a consumer before collecting their biometric data (i.e., biometric identifiers that are used or intended to be used for identification purposes). The requirement to obtain consent before collecting biometric data is consistent with the CPA’s existing requirement to obtain consent before processing a consumer’s “sensitive data,” which was already defined to include “biometric data that may be processed for the purpose of uniquely identifying an individual.”²

The draft regulations explain that to be “clear,” the biometric identifier notice must include concrete and definitive language, avoiding abstract or ambivalent terms. The draft regulations also require that when a biometric identifier notice is incorporated into a broader privacy notice, the biometric identifier notice must be clearly labeled so a consumer can easily find it.

The draft regulations also explain that to be “reasonably accessible,” the biometric identifier notice may be a separate notice made available prior to collection, or a notice linked to a website homepage or mobile application’s app store or download page. The link would need to clearly indicate that it relates to biometric identifiers and mobile applications must also include a link to the notice in the application’s settings menu. Finally, businesses without websites would need to make the notice available to consumers in a way that the business usually interacts with the consumer.

Special Provisions for Employees’ Biometric Identifiers: While the broader CPA applies to Colorado residents acting only in an individual or household context, and not as a job applicant or in an employment context, the Biometric Bill nevertheless specifies requirements for employers seeking consent to obtain employees’ or prospective employees’ biometric identifiers. These provisions regarding employees are distinct from the Biometric Bill’s broader requirements regarding consumers.

The Biometric Bill allows employers to condition employment on the current or prospective employee’s consent to the employer’s collection and processing of biometric identifiers. This consent can be a condition of employment, however, only if the biometric identifier is used to: (1) permit access to secure facilities and hardware or software (except for tracking employee location and time spent using such applications); (2) record the beginning and end of an employees’ full work day; (3) improve or monitor workplace security; or (4) improve or monitor public safety in the event of an emergency or crisis. Employers may collect and process employee biometric identifiers for any other purpose with the employee’s consent; however, the employer may not condition employment or retaliate against an employee based on whether consent is given.

Additionally, the Biometric Bill contains a general carve-out for employers to collect or process employee biometric identifiers for uses aligned with the reasonable expectations of an employee based on their job description or role, or a prospective employee based on a reasonable background check, application, or identification requirements.

Disclosure: The Biometric Bill prohibits businesses from disclosing biometric identifiers unless: they obtain consent from the consumer; the disclosure is requested or authorized by the consumer for a financial transaction; disclosure is to a processor and is necessary to achieve the purpose for which the biometric identifier was collected and to which the consumer consented; or disclosure is required by state or federal law.

Curiously, the Biometric Bill seems to plainly prohibit the sale, lease, or trade of biometric identifiers without exception, while the draft regulations suggest that these activities are permitted with consent. It is unclear whether this apparent inconsistency is the result of a drafting error in the Biometric Bill (and the draft regulations are following the legislature’s actual intent) or if the draft regulations have misinterpreted this part of the Biometric Bill and applied the exceptions for disclosure too broadly.

Written Policy: The Biometric Bill requires businesses to establish and implement a written biometric identifier policy that includes a retention schedule for biometric information, a protocol for responding to data security incidents that may compromise biometric information, and mandatory guidelines to delete biometric identifiers at the earliest of the following: the purpose for collection has been satisfied; 24 months have passed without consumer interaction with the business; or as early as reasonably feasible and no longer than 45 days after the business determines the biometric identifier is no longer necessary to the express processing purpose identified upon collection.

The policy must be publicly available, but need not divulge (1) policies that apply only to the business’s employees; (2) internal operations policies used by employees and agents of the business; or (3) internal incident response protocols, the disclosure of which could compromise the security of biometric information.

Biometric Data Access Rights: Upon request, businesses must provide consumers with the category and description of the consumer’s biometric data they have collected, the source of collection, the purpose for collection or processing, the identity of any third parties to whom the business discloses biometric data, the purpose for such disclosure, and the category or a description of the specific biometric data that the business discloses. These access requirements apply only to businesses that meet certain processing thresholds set forth in the Biometric Bill.

Other Prohibitions: Businesses must not (1) refuse to provide goods or services based on a consumer’s refusal to give consent unless that biometric identifier is needed to provide the good or service; (2) charge different prices for consumers based on whether they exercise their consumer rights under the CPA; or (3) buy biometric identifiers unless the business pays the consumer for the identifier, the purchase is unrelated to the provision of a product or service to the consumer, and the business has obtained the consumer’s consent.

Processors: The Biometric Bill requires processors of biometric information to have a data security incident response protocol for potential compromises of biometric information. The protocol must include a process for notifying the controller when the security of a consumer’s biometric information has been breached.

Requirements for Minors’ Data

Set to take effect on October 1, 2025, SB 24-041 (the Minors Bill) amends the CPA to add protections for children’s and minors’ data. At its core, the Minors Bill imposes a duty of reasonable care to avoid a heightened risk of harm to minors onto businesses that offer an “online service, product, or feature to a consumer whom the controller actually knows or willfully disregards is a minor.”

Scope: While the CPA already defined the term “child” as an individual under 13 years of age, the Minors Bill adds the term “minor,” defined as a consumer under 18. The Minors Bill also specifies that, unlike the broader CPA, its provisions apply to any business that conducts business in Colorado or delivers products or services that are targeted at Colorado residents, regardless of the amount of personal data processed.

Consent Requirements: Without the consent of a minor 13 or older, or a child’s legal guardian, businesses that offer an online service, product, or feature to a consumer whom the business actually knows or willfully disregards is a minor may not process minors’ data for:

• targeted advertising, sale, or profiling;
• a processing purpose other than that stated at collection; or
• a processing purpose not reasonably necessary for the disclosed processing purpose.

Businesses must also avoid providing a consent mechanism designed to subvert or impair user decision-making, i.e., they must avoid obtaining consent through dark patterns.

Data Protection Assessment Requirements: Businesses that offer an online service, product, or feature to a consumer who the business knows or willfully disregards is a minor are required to conduct data protection assessments that address:

• the purpose of the online service, product, or feature and purpose for processing the data;
• categories of minors’ data processed; and
• any heightened risk or harm to minors that is a reasonably foreseeable result of offering the service, product, or feature (the draft regulations would also require that assessments include the source and nature of any such heightened risk).

After conducting a data protection assessment, businesses must thereafter review and revise the assessment as necessary to account for material changes. Businesses must also retain documentation concerning the assessment for the longer of either: three years after processing ends or the date the business ceases offering the online service, product, or feature. Under the existing CPA regulations, such documentation would include, at a minimum, a copy of the data protection assessment and any prior versions, if modified, and the assessment must be held in an electronic, transferable form. Businesses must also make these assessments available to the Colorado Attorney General upon request.

Under the Minors Bill, businesses are allowed to conduct a single assessment for a set of comparable processing activities that include similar activities, and if a business has conducted risk assessments similar in scope and effect for compliance with other laws, those assessments satisfy the Minors Bill’s requirements. If, as a result of a data protection assessment or review, the business determines its service poses a heightened risk of harm to minors, the business must establish and implement a plan to mitigate or eliminate the heightened risk.

Finally, processors must adhere to controller instructions and help the controller meet its obligations by establishing appropriate technical and organizational measures and providing information for data protection assessments.

Other Prohibitions: Under the Minors Bill, businesses are also prohibited from:

• using any system design feature to significantly increase, sustain, or extend a minors’ use of an online service, product, or feature; and
• offering direct messaging features to minors without easy-to-use safeguards to limit the ability of an adult to communicate with minors not connected with that adult.

Enforcement: If a cure is deemed possible, the Attorney General must issue a notice of violation to a business with a 60-day cure period before bringing an enforcement action. Note that compliance with the Minors Bill provides a rebuttable presumption that the business has fulfilled its duty of reasonable care to minors, and compliance with the Children’s Online Privacy Protection Act’s verifiable parental consent requirements satisfy the Minors Bill’s consent requirements.

Conclusion

From September 25, 2024, to November 7, 2024, the Attorney General’s office will be accepting public comments on the draft regulations and a public hearing is set for November 7, 2024, where the public may testify and submit oral comments.

^[1]Colo. Rev. Stat. § 6-1-1304(3)(a)(X).

^[2]Id. § 6-1-1303(24)(b).