Colorado Imposes New Privacy Requirements on Organizations Collecting Biometric Identifiers and Data

New biometric protections went into effect in Colorado on July 1. The Colorado Act on biometric identifiers and biometric data (the Act), House Bill 24-1130, amends the existing Colorado Privacy Act (CPA) (CO Rev Stat § 6-1-1301 et al.).  The Act lays out various limitations, requirements and prohibitions with regard to the use, collection, disclosure and handling of biometric identifiers and biometric data and grants consumers the right to access biometric data.

The biometric protections apply if an organization collects any amount of biometric information, even if the organization does not otherwise meet the jurisdictional threshold of the CPA, and this information includes biometrics that are not specifically used to identify an individual. And though the CPA generally does not apply in the employment context, the biometric requirements extend certain protections to Colorado employees. Notably, the Act does not provide a private right of action for violations and can only be enforced by the Colorado attorney general and district attorneys, with penalties of up to $20,000 per violation.

What are Biometric Identifiers?[1]

The Act defines biometric identifiers to include a “Consumer’s biological, physical, or behavioral characters, which data can be processed for the purpose of uniquely identifying an individual.” (CO Rev Stat § 6-1-1303(2.4)) Biometric identifiers include fingerprints, voiceprints, scans of eyes and facial maps, and geometry of templates. Importantly, unlike other biometric statutes, the Act appears to require that the biometric identifier be used for the purpose of identifying an individual, rather than other commercial purposes. However, this will be a key area to watch as the law is tested and interpreted in the real world.

Prohibitions, Limitations, Exceptions

The Act bars entities that process biometric identifiers or biometric data from the sale, lease, trade, disclosure, redisclosure or dissemination of the biometric identifier unless (CO Rev Stat § 6-1-1314(4)):

• The entity receives prior consent;
• The entity receives a request from or is authorized by the consumer to disclosure the biometric identifier to complete a financial transaction;
• The disclosure or dissemination is to a processor and is required to fulfill the purpose for which it was collected and the consumer has consented; or
• The disclosure is required by law.

An entity that controls or processes biometrics is prohibited from refusing the provision of goods or services, or charging a different rate for goods and services based on a consumer’s refusal to consent to the processing of biometrics.

The Act adds an additional prohibition: An entity shall not “purchase a biometric identifier unless the controller pays the consumer for the collection, the purchase is unrelated to the provision of a product or service to the consumer, and the controller has obtained [consumer’s] consent” (CO Rev Stat § 6-1-1314).

Written Biometric Policy

The Act requires entities that control or process one or more biometric identifiers or biometric data, referred to as “controllers,” to adopt a written policy, accessible to the public, which establishes (1) security incident response protocol, (2) retention schedule and (3) deletion guidelines (including timeframes)[2] for biometric identifiers and biometric data (CO Rev Stat § 6-1-1314(2)).

Notice and Consent

Notification to the consumer is required prior to the collection or processing of a biometric identifier. This notice must inform the consumer:

• A biometric identifier is being collected;
• The purpose for which the biometric identifier is being collected and the length of time it will be retained; and
• Whether the biometric identifier will be disclosed or disseminated to a processor and why.

Employer Requirements

The Act lays out specific requirements and limitations pertaining to the collection and processing of biometric identifiers or biometric data from employees and prospective employees, in particular requiring (1) informed consent, (2) adoption of a written biometric policy that establishes a retention schedule and deletion guidelines[3] and (3) security incident response protocol (CO Rev Stat § 6-1-1314(6)). Employers may only require consent of processing of biometrics as a condition of employment for an enumerated set of purposes:

• To permit access to secure locations, hardware and software;
• Timekeeping;
• Improvement or monitoring of workplace or employee safety or security; or
• Improvement or monitoring of public safety or security in crisis or emergency circumstances.

For all other purposes, employers are required to obtain prior consent for collection and processing of employee or prospective employee biometrics and may not condition employment upon consent. Other CPA provisions arguably do not apply to employers, since the Act defines “consumer” to exclude employees and job applicants.

Conclusion

These biometric-specific amendments to Colorado’s Privacy Act signal a continued shift toward enhanced biometric protections on the state level. Companies collecting or processing biometric identifiers or data of individuals in Colorado should review their policies and procedures to ensure compliance with these new elements.

Paul Hastings’ Data Privacy and Cybersecurity practice regularly advises on compliance with data privacy requirements at the federal, state and international levels, including for state-level biometric laws. If you have questions concerning privacy compliance and emerging case law, please do not hesitate to contact a member of our team.