COLORADO AMENDS STATE PRIVACY LAW: What you need to know.
Starting July 1, 2025, the Biometric Data Privacy Amendment to the Colorado Privacy Act, HB 1130 (Privacy of Biometric Identifiers & Data | Colorado General Assembly), will impose new obligations on entities collecting biometric data from individuals in Colorado, including employees and job applicants.
Key Points:
Who is Affected:
This amendment applies to all entities, including nonprofits, that conduct business in Colorado or target Colorado residents and that collect biometric data from individuals in Colorado, including employees and job applicants, regardless of size or data volume. The definition of "employee" is broad and encompasses full-time, part-time, contractors, interns, etc.
Consent Requirements:
Employers can only collect biometric identifiers with consent and only for specific purposes such as:
- Permit access to secure locations
- Improve or monitor workplace safety and security
- Record the commencement and conclusion of the employee’s workday
- Improve or monitor the safety or security of the public in the event of an emergency.
Consent must be voluntary; employers cannot penalize employees for refusing additional uses beyond these specified purposes. Employers are generally not required to refresh consent unless they process additional categories of a biometric identifier not previously consented to, or if they wish to use the biometric identifier for a secondary purpose.
Importantly, the law specifically states that employment cannot be conditioned on consenting to the use of biometrics to track the employee’s location or the amount of time an employee is using a hardware or software application.
Biometric Definitions:
- Biometric Identifiers: Data from an individual's biological or behavioral traits (e.g., fingerprints, voiceprints).
- Biometric Data: Includes biometric identifiers and any related data used for identification, including derived data from photographs or audio.
Employer Compliance:
- Entities Required to Comply: Most employers who collect biometric data must comply, including nonprofits. Exemptions include:
  - Financial institutions
  - State higher education institutions
  - Government entities
- Employers must implement a written biometric policy that outlines:
  - A retention schedule for biometric identifiers and biometric data;
  - A protocol for responding to a data security incident that may compromise the security of biometric identifiers or biometric data; and
  - Deletion protocols at specified times (e.g., after the purpose is fulfilled, 24 months after last interaction, or within 45 days of unnecessary retention).

Recommended Action Steps for Employers:
- Conduct a Data Audit: Identify existing employee biometric data.
- Review Policies: Update privacy policies to include biometric data specifics.
- Implement Consent Procedures: Establish clear consent processes for collections.
- Train Staff: Educate HR and management on handling biometric data.
- Assess Security Measures: Enhance data security to protect biometric information.
By following these guidelines, employers can ensure compliance and protect their employees' biometric data effectively.