Colorado: Bill amending CPA to address biometric identifiers signed by legislature
On May 28, 2024, House Bill 24-1130 for an Act concerning protecting the privacy of an individual's biometric data was signed by the Speaker of the House of Representatives and the President of the Colorado State Senate. Afterward, the bill was sent to the Governor of Colorado on the same date for signature.
Scope of the bill
The bill would amend the Colorado Privacy Act (CPA) to add protections for biometric data by requiring data controllers to adopt a written policy that:
- establishes a retention schedule for biometric identifiers;
- includes a protocol for responding to a breach of security of biometric data; and
- includes guidelines that require the permanent destruction of a biometric identifier.
The bill also:
- prohibits data controllers from collecting a biometric identifier unless the controller first satisfies certain disclosure and consent requirements;
- specifies certain prohibited acts and requirements for data controllers that collect and use biometric data;
- requires a data controller to allow a consumer to access and update a biometric identifier;
- restricts an employer's permissible reasons for obtaining an employee's consent for the collection of biometric identifiers; and
- authorizes the attorney general (AG) to promulgate bill implementation rules.
Obligations for data controllers
The bill places additional obligations on data controllers, including:
- increasing the time allowed to destroy biometric data after receiving a verified request from the original 30 days to 45 days;
- prohibiting a data controller from buying biometric identifiers without fulfilling additional requirements;
- banning the collection of biometric identifiers of employees or prospective employees by employers; and
- prohibiting a data controller from refusing the provision of a good or service if a data subject refuses to consent unless the collection of the biometric identifier is necessary for the good or service.