The Colorado Attorney General’s Office has filed a set of proposed draft amendments to the 2021 Colorado Privacy Act (CPA), which would broaden requirements for any business that collects and uses biometric information or children’s personal data.
Signed earlier this year by Governor Jared Polis, House Bill 1130 changes the CPA to require entities that collect biometric data or identifiers to provide notice to consumers explaining what biometric data is being collected, for what purpose, how long it will be kept, and whether it will be shared.
Significantly, Colorado’s legal definition of biometric data covers facial scans, fingerprints, voiceprints and retina scans – but not photos or audio recordings. Even so, there are those who believe it covers too much and will put many businesses at risk.
The amendment says the required notice “must be clear” (and clearly labeled), “concrete and definitive,” with no ambiguous language. HB 1130 also requires a controller or processor of biometric data to adopt a publicly available written policy that establishes a retention schedule for biometrics and describes a protocol for responding to a data security incident that may compromise biometric identifiers.
Select exceptions cover employee data used for activities like access control and timekeeping.
Amendments reach beyond scope of CPA to implicate smaller businesses
The move has prompted businesses to appeal to state privacy regulators for a more precise definition of biometric information, and to narrow how they implement the new protections to allow uses of data related to harassment and fraud prevention. Their complaint is that the new rules could choke small businesses and stifle innovation. The CPA only applies to companies that collect information from at least 100,000 state residents. But the amendments cover businesses that control or process any amount of biometric information.
In a recent analysis of HB 1130 for Biometric Update, Baker Donelson attorney David J. Oberly argues that the amendment’s “broad reach will ensnare many organizations that operate or otherwise conduct business in Colorado – but which are outside the scope of CPA compliance – significantly enhancing their legal risk and liability exposure.”
“Companies that develop, supply, or use biometric technologies are advised to take proactive steps to determine whether they fall under the scope of HB 1130 and, if so, develop a concrete plan for the completion of all modifications to organizational compliance programs needed to achieve compliance ahead of July 2025, when HB 1130 will take effect.”
Regardless, even with its new rules, Colorado’s privacy law lacks the legal teeth of its cousin in Illinois, the Biometric Information Protection Act (BIPA), in that it does not include a private right of action that would enable citizens to sue companies that violate their rights.
Minors bill could open doors for age assurance vendors
Accompanying HB 1130 is SB 041, which amends the CPA to add expanded protections for personal information about minors under the age of eighteen. A requirement that data controllers “use reasonable care to avoid any heightened risk of harm to minors” could have implications for the age assurance sector.