New Requirements on the Collection and Use of Biometrics in Colorado Become Effective Soon

Davis Wright Tremaine LLP

Amendments to the Colorado Privacy Act, effective July 2025, resemble Illinois' biometrics law with some significant differences

Last May, Colorado Governor Jared Polis signed into law amendments to the Colorado Privacy Act ("CPA") that impose new obligations governing the collection, processing, retention, and disclosure of Coloradans' biometrics. The amendments become effective July 1, 2025, and will apply to all companies that (1) determine the purposes for and means of processing personal data (i.e., act as "controllers"), and (2) process any amount of biometric information or biometric data collected from Colorado residents—regardless of whether the companies otherwise meet the jurisdictional threshold of the CPA. Therefore, all companies doing business in Colorado—not just those subject to the CPA[1]—must first determine whether they collect or process any amount of Colorado residents' biometric identifiers or biometric data, and if they do, adopt and implement policies and procedures, provide specific consumer and employee notices, and, where necessary, obtain consumer and/or employee consents to ensure compliance with the CPA.

The CPA establishes two categories of biometrics—an "identifier," defined as an actual biometric measurement (face geometry, fingerprint, etc.), and "data," defined as those identifiers used to uniquely identify an individual. The CPA's definitions are similar to the definitions of biometric "identifier" and "information" in Illinois' landmark biometric privacy law, the Biometric Information Privacy Act ("BIPA"),[2] but the Colorado definition of "biometric identifier" is narrower than the definition in BIPA. In addition, although the CPA generally does not apply in the employment context, the amendments to the CPA extend some of the protections for biometrics to Colorado employees. Finally, while the CPA has no private right of action, judicial decisions interpreting BIPA could influence the Colorado attorney general's interpretation and enforcement of the biometric provisions in the CPA and in the attorney general's rules, as discussed below. The CPA amendments provide additional authority to the attorney general to issue rules on the new provisions governing biometrics, as proposed and approved. The attorney general's pre-existing CPA Rules only covered biometrics to a limited extent.

Two Definitions of Biometrics

The CPA amendments govern separately defined "biometric identifiers" and "biometric data." Biometric identifiers are "generated by the technological processing, measurement, or analysis of an individual's biological, physical, or behavioral characteristics, which data can be processed for the purpose of uniquely identifying an individual." (Emphasis added.) Biometric identifiers include fingerprints, voiceprints, scans or records of eye retinas or irises, facial maps, geometry, or templates, and other unique biological, physical, or behavioral patterns or characteristics, whether or not they are actually used to identify an individual as long as they can be used to identify an individual.

"Biometric data," on the other hand, means one or more of the above-defined biometric identifiers that are used or are intended to be used, singly or in combination with each other or with other personal data, to identify an individual. Biometric identifiers thus become biometric data when they are used or intended to be used for identification purposes. Similarly, the CPA expressly excludes digital or physical photographs, audio or voice recordings, or any data generated from such photographs or recordings from the definition of "biometric data" unless they are used for identification purposes.[3]

Controllers' Obligations

The amendments impose several requirements and restrictions on controllers that process[4] the biometric identifiers or biometric data of Colorado residents.

Prohibitions on Processing of Biometric Identifiers and Biometric Data

The amendments generally prohibit controllers from collecting or processing biometric identifiers unless they do the following:

  • Comply with other applicable provisions of the CPA: Controllers must comply with all applicable obligations under the CPA, regardless of the minimum data thresholds for controllers processing non-biometrics.
  • Obtain prior consent: Existing provisions in the CPA require controllers to obtain consent before processing a consumer's "sensitive data," which is separately defined to include "biometric data" that "may be processed for the purpose of uniquely identifying an individual." The amendments added a new provision requiring controllers to obtain consent before collecting the consumer's biometric data but not biometric identifiers. When it initially passed the CPA several years ago, the Colorado legislature clearly intended that controllers obtain consent before collecting biometric measurements that "may be processed" for identification purposes, so controllers should not forgo obtaining consent for "biometric identifiers" simply because the amendments did not conform the original statutory text to the new definition, unless the biometric measurements cannot be used to identify an individual.
  • Provide prior notice: Controllers must provide prior notice to the consumer in a clear, reasonably accessible, and understandable manner (1) that the controller is collecting a biometric identifier; (2) the specific purpose for which the controller is collecting the biometric identifier; (3) the retention period for the biometric identifier; and (4) whether the controller will disclose, redisclose, or otherwise disseminate the biometric identifier to a processor and the specific purpose for doing so.

The CPA amendments to the statute follow recent amendments to the Colorado Privacy Act Rules that expand on the statutory notice requirements by mandating that for biometrics: (1) the controller provide consumers with notice at or before the initial collection or processing or before any material change to the processing purpose; (2) information in the notice be "[c]oncrete and definitive," not abstract or ambiguous, and be "clearly labeled" if included in a privacy notice, such that consumers "can easily access the section of the privacy notice containing the relevant information"; (3) the notice be "reasonably accessible," which means that it should either be a separate notice or, if included in the privacy policy, "clearly labeled"; and, as noted above, (4) the notice be "[m]ade available in its entirety prior to" collecting or processing biometric identifiers—i.e., linked from a website homepage and in the app store or download page and app settings menu, as well as in an offline medium, if the controller regularly interacts with the consumer offline.[5]

Prohibitions on Certain Disclosures of Biometric Identifiers

Controllers may not sell, lease, or trade the biometric identifier or disclose, redisclose, or otherwise disseminate the biometric identifier unless:

  • Consented to by the consumer;
  • Requested or authorized by the consumer for the purpose of completing a financial transaction;
  • To a processor, if necessary for the purposes for which the biometric identifier was collected, and to which the consumer consented; or
  • Required by state or federal law.

Prohibitions on Discrimination and Purchasing of Biometrics

Controllers may not refuse to provide consumers with a good or service if the consumer refuses to consent to the collection, disclosure, transfer, sale, retention, or processing of a biometric identifier unless necessary for the controller to provide the good or service. In addition, controllers may not charge a different price or rate for a good or service, or provide a different level of quality, to consumers who exercise any of their rights under the CPA. Finally, controllers may not purchase a consumer's biometric identifier unless the controller pays the consumer, the purchase is unrelated to the provision of a product or service to the consumer, and the controller has obtained the consumer's consent.

Written Policy Required

Controllers that process or control biometric identifiers—i.e., measurements that could be used for identification purposes, but do not have to be—must adopt a written policy that does the following:

  • Establishes a retention schedule for both biometric identifiers and biometric data;
  • Establishes a protocol for responding to data security incidents that could compromise the security of either biometric identifiers or biometric data, including a process for notifying the consumer, if required;
  • Requires deletion of biometric identifiers on or before the earliest of the following:
    • The date that the initial purpose for collecting the biometric identifiers has been satisfied,
    • Twenty-four months after the controller's last interaction with the consumer, or
    • The earliest feasible date that is no more than 45 days after the controller determines storage of the biometric identifier is no longer necessary, adequate, or relevant to the processing purpose that the controller identified during its required annual review, subject to a 45-day extension, if reasonably necessary.

The controller must make this policy publicly available unless it applies only to current employees or is used solely by employees (or the controller's agents) for the controller's operations. Controllers are not required to make public their internal protocols for responding to data security incidents, however, if publishing the protocols may compromise the security of stored biometrics.

Right to Access

Certain controllers—i.e., those covered by the CPA that also collect biometric data or that control, or are controlled by, another CPA-covered controller with whom they share "common branding"—and joint ventures or partnerships consisting of no more than two businesses that share consumers' data, must respond to consumers, or consumers' legally authorized representatives, who request access to biometric data.[6]

Controllers may not disclose the actual biometric data, but rather must provide, free of charge, the following information: (1) the category or description of the consumer's biometric data; (2) the source from which the biometric data was obtained; (3) the purpose for which it—and any associated personal data—was collected or processed; (4) the identity of any third party to whom the biometric data was or is disclosed and the purpose for the disclosure; and (5) the category or description of the specific biometric data that the controller discloses to third parties—e.g., "unique biometric data including a fingerprint scan without disclosing the actual fingerprint scan data."

Security

Both controllers and processors must store, transmit, and protect from disclosure all biometric identifiers using the standard of care within the controller's industry.

Processors

Processors that process biometric identifiers or biometric data must adopt and implement a protocol for responding to data security incidents that could compromise the security of such information, including a process for notifying the affected consumer when the security of such biometric identifier or biometric data has been breached.

Amendments Protect Employees' and Prospective Employees' Biometric Identifiers

The CPA amendments apply to biometric identifiers (and by implication biometric data) that controllers collect from employees (including contractors, subcontractors, interns, and fellows) and prospective employees, even though the CPA expressly excludes other personal data collected from individuals acting in those capacities. Therefore, controllers that collect biometric identifiers or biometric data from Colorado employees or prospective employees will need to comply with these new requirements, regardless of the quantity of biometric identifiers or biometric data they collect, but employers will only have to respond to employees' requests for access if the employers are otherwise covered by the CPA's thresholds.

While employers generally must obtain consent from employees and prospective employees before collecting and processing their biometric identifiers, they may require employees and prospective employees to consent to the collection and processing of biometric identifiers as a condition of employment in the following limited circumstances: (1) to permit access to secure physical locations, hardware, or software applications (but not for tracking location or time spent using an application); (2) to record the beginning and end of a full workday; (3) to improve or monitor workplace safety or security; and (4) to improve or monitor public safety or security in the event of an emergency or crisis situation. Employers may collect and process the employee's biometric identifier for additional uses other than those described in items (1) – (4) above with the employee's consent but may not require that additional consent as a condition of employment or retaliate against an employee or prospective employee who refuses to provide such additional consent.


[1] The CPA applies to controllers that conduct business in Colorado or produce or deliver commercial products or services intentionally targeted to Colorado residents and (1) control or process the personal data of 100,000 or more Colorado residents annually, and/or (2) derive revenue or receive a discount on goods and services from the sale of personal data and process or control the personal data of 25,000 or more Colorado residents. C.R.S. § 6-1-1304(1)(a).

[3] A district judge interpreted "biometric identifier" under BIPA in a similar manner. Specifically, the court held that although BIPA excludes digital and physical photographs from the definition of "biometric identifier," and also excludes all data derived from photographs, it would not "read the statute to categorically exclude from its scope all data collection processes that use images. And to read that categorical exclusion into the statute would substantially undercut it because the scanning of biometric identifiers is often based on an image or photograph." Patel v. Facebook, 185 F.Supp.3d 1155, 1171 (N.D. Cal. 2016), aff'd, 932 F.3d 1264 (9th Cir. 2019), cert. denied, 140 S.Ct. 937 (2020). Subsequent decisions from California and Illinois courts followed suit. But see Zellmer v. Meta Platforms, Inc., 104 F.4th 1117, 1126 (9th Cir. 2024) (stating that face signatures are not biometric identifiers because they cannot identify an individual). Thus, under BIPA (at least in the Ninth Circuit), scans of photographic images would be "biometric identifiers" only if the scans can identify an individual, similar to Colorado's definition of "biometric identifier."

[4] "Process" means "the collection, use, sale, storage, disclosure, analysis, deletion, or modification of personal data and includes the actions of a controller directing a processor to process personal data." (Emphasis added.) Although "personal data" is not defined expressly to include biometrics, the CPA defines biometric data that "may be processed for the purpose of uniquely identifying an individual" as "sensitive data" (emphasis added). The amendments added a definition for "Collect," "Collection," or "Collecting," noting that those terms mean "to access, assemble, buy, rent, gather, procure, receive, capture, or otherwise obtain any biometric identifier or biometric data pertaining to a consumer by any means, online or offline," including actively or passively "receiving" biometrics or "by observing the consumer's behavior."

[5] Colorado Privacy Act Rule 6.12.

[6] We interpret the common control and branding to refer to a controller that is covered by the CPA although the statutory language is not specific on that point.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Davis Wright Tremaine LLP