Colorado Expands Reach of Obligations for Processing Biometric Identifiers and Biometric Data

Key Takeaways
- Amendments to the Colorado Privacy Act, which go into effect on July 1, 2025, establish obligations surrounding biometric data and the broader category of biometric identifiers.
- While the Colorado Privacy Act generally does not impose requirements on employers, the amendments expand the scope of the law by imposing certain requirements on employers when they collect biometric identifiers or biometric data from their employees (including contractors) or prospective employees.
- The new requirements include broader disclosures; the need for consent from both consumers and employees for certain types of biometric processing; restrictions on the sale, purchase, and retention of biometric identifiers and data; and more.
- Companies that process human characteristics data should evaluate how these amendments may affect their business and take steps to ensure compliance.
Overview
Amendments to the Colorado Privacy Act (CPA) and CPA rules will take effect on July 1, 2025, significantly expanding the scope of requirements for businesses that control or process biometric identifiers and biometric data. Governor Jared Polis signed the amendments into law in May 2024. The attorney general then proposed rule updates, which, after public comment, were finalized in December. Together, these changes create a robust—but not entirely crystal clear—framework for biometric privacy in Colorado.
The Broad Scope of “Biometric Identifiers”
Unlike most other U.S. state consumer privacy laws, the CPA governs two categories of biometrics:
- Biometric identifiers—“data generated by the technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics which can be processed for identification.”
- Biometric data—a subset of biometric identifiers which are “used or intended to be used for identification purposes.” “Biometric data” does not include digital or physical photographs, audio or voice recordings, or any data generated from a digital or physical photograph or an audio or video recording unless any of these are used for identification purposes.
In short, all biometric data are biometric identifiers, but not all biometric identifiers are biometric data. And the definition of biometric identifier is so broad it may even include de-identified data since it applies to “data” generally, not just “personal data.”
Only biometric data is treated as “sensitive data” under the CPA, but the new rules impose requirements on both categories—including rules requiring notice and consent.
For comparison, the Illinois Biometric Information Privacy Act (BIPA)—which has generated thousands of class actions—imposes its requirements on a much narrower definition of biometric data (limited to specific types of data, such as retina or iris scans, fingerprints, voiceprints, and scans of hand or face geometry), as well as certain data derived from those types of data. The CPA is much broader. Notably, photos, videos, audio recordings, and data generated therefrom are excluded only from the narrower category of biometric data, leaving their status as biometric identifiers uncertain. Other state consumer privacy laws governing biometric data have broader definitions than the Illinois definition but are still narrower than the CPA.
New Obligations for Biometric Identifiers
The new rules introduce the following requirements for controllers that collect biometric identifiers:
- Biometric identifier notice. Biometric identifier notice requirements under the revised CPA rules largely do not distinguish between consumers and employees. However, the CPA amendments impose more specific disclosure requirements for consumers, particularly regarding purposes of use, retention periods, and processors to whom biometric identifiers are disclosed:
  - For consumers and employees, revised CPA Rule 6.12 requires that a biometric identifier notice be (1) provided at or before collection or processing; (2) provided in a clear, reasonably accessible, and understandable manner; (3) a separate notice or clearly labelled within a general privacy notice; and (4) linked from a website’s homepage and, if applicable, an app store or download page or, if the controller does not operate a website, conspicuously available through a medium regularly used by the controller to interact with consumers.
  - Revised CPA Rule 7.09 specifically requires consent from employees to be consistent with CPA Rules 7.03 through 7.09. CPA Rule 7.03 generally provides that consent is “informed” only if the following information is disclosed: (1) the controller's identity, (2) the plain-language reason that consent is required, (3) the processing purposes for which consent is sought, (4) the categories of personal data that the controller shall process to effectuate the processing purposes, (5) names of all third parties receiving the sensitive data through sale (if applicable), (6) a description of the consumer's right to withdraw consent, and (7) additional requirements for loyalty programs and profiling where applicable.
  - For consumers, Section 6-1-1314(4)(a) of the CPA amendments requires that consumers be informed (1) that a biometric identifier is being collected; (2) of the specific purposes of collection; (3) of the length of time that the controller will retain the biometric identifier; and (4) if the biometric identifier will be disclosed to a processor and, if so, the purposes for such disclosure.
- Consent for biometric identifiers, including from employees. Controllers that collect biometric identifiers from consumers are expressly required to obtain consent before disclosing, redisclosing, or otherwise disseminating any consumer’s biometric identifiers. There is no express requirement to obtain consent for collection and other use of a consumer’s biometric identifier; the requirement to obtain consent specifically references “collecting the consumer’s biometric data.” While employees are generally scoped out of the CPA, the CPA amendments require employers to obtain consent for collecting and processing employees’ biometric identifiers unless such requirement restricts an employer’s or its processor’s ability to collect and process biometric identifiers from (1) an employee for purposes aligned with the employee’s job description or role or (2) a prospective employee based on a reasonable background check, application, or identification requirement. Consent from employees is considered valid if it satisfies the CPA’s general definition of consent under Section 6-1-1303(5). Notably, the CPA amendments define “employee” to include contractors, subcontractors, interns, and fellows.
- Requiring consent as a condition of employment. Employees and prospective employees may be required to consent as a condition of employment, but only for the following purposes of processing their biometric identifiers: (1) permitting access to secure physical locations and electronic applications (excluding tracking employee location or time on hardware or software applications), (2) recording workday time periods, (3) enhancing workplace safety, and (4) improving public safety during emergencies. In these scenarios, employers must refresh consent when (1) processing additional categories of an employee’s biometric identifier and (2) processing an employee’s biometric identifier for a secondary use.
- No refusal of service to consumers for withholding consent. Controllers are prohibited from refusing to provide a good or service based on a consumer’s refusal to consent to the controller’s collection, use, disclosure/sale, retention, or processing of a biometric identifier unless such processing is necessary to provide the good or service. The CPA amendment also prohibits controllers from charging different prices to consumers who exercise any of their rights under the law.
- Restrictions on purchase of consumer biometric identifiers. Controllers are prohibited from purchasing biometric identifiers unless (1) the controller pays the consumer, (2) the purchase is unrelated to the provision of a product or service to the consumer, and (3) the controller has provided notice to and obtained consent from the consumer.
- Publicly available retention schedule. Controllers that control or process biometric identifiers must publish a public policy that includes a retention schedule for biometric identifiers and biometric data, a protocol for responding to data security incidents (for consumers), and guidelines for deleting biometric identifiers by specific deadlines.
- Restrictions on sale and other dissemination of consumer biometric identifiers. Controllers are prohibited from selling, leasing, trading, or otherwise disseminating biometric identifiers unless (1) the consumer consents, (2) dissemination is required for completing a requested financial transaction, (3) dissemination is to a processor and is necessary for the original purpose of collection consented to, or (4) dissemination is required by law.
The CPA amendments also include expanded rights of access to the narrower category of biometric data. Specifically, at the request of a consumer, a controller must disclose, free of charge, the category of the consumer's biometric data, its source, the purpose of its collection or processing, and the identity of any third parties to whom it was disclosed. These access rights are broader than those afforded to personal data under the CPA, which include only confirmation of whether a controller is processing the consumer’s personal data and access to the data itself.
How To Prepare
As we near July 2025, companies that process human characteristics data should consider assessing the risk that such data falls within the CPA’s broad definition of biometric identifier. Data previously determined to be out of the scope of sensitive data—or of the CPA altogether, in the case of employee data—may need to be reevaluated. For data that does qualify as a biometric identifier, companies subject to the CPA will have to contend with certain CPA requirements not imposed by any other U.S. consumer or biometric privacy law, including novel restrictions on the purchase of such data.