Colorado Amends Its Privacy Act to Include Biometric Data

05 Jun

Update Applicable to: All covered employers in Colorado
Effective date: Expected July 1, 2025


What happened?

On April 22, 2024, the Colorado legislature passed HB 1130, amending the Colorado Privacy Act (CPA) to bolster protections for individuals' biometric data and identifiers. The bill is now pending review by Governor Jared Polis and is expected to be signed into law.


What are the details?

The bill amends the CPA to bolster biometric data protection. It requires controllers (who determine the processing of biometric data) to adopt a policy that sets a retention schedule for biometric identifiers, outlines a response protocol for security breaches, and prescribes guidelines for the earliest possible destruction of biometric identifiers. For employers, it restricts the permissible reasons for obtaining an employee's consent for the collection of biometric identifiers.


Key Bites

  • Employers that collect and process biometric data and identifiers will need to comply with disclosure and consent requirements, meaning that employers must inform employees about the collection and use of their biometric data and obtain their consent before collecting such data.
  • Employers cannot require an employee or prospective employee to consent to the collection or processing as a condition of employment or retaliate if consent is not provided. However, there are some exceptions to this restriction.
  • Employers are required to establish a retention schedule for biometric identifiers. This outlines how long biometric data can be stored before it must be securely deleted.
  • Employers must have a protocol for responding to a security breach involving biometric identifiers or biometric data. This ensures there is a plan in place to respond to any potential breaches, minimizing the impact and risk to employees’ biometric data.
  • Employers' permissible reasons for obtaining an employee's consent for the collection of biometric identifiers are very restricted. This means employers can only collect biometric data for specific, permissible reasons.
  • Regarding employee data, the bill does not exempt the personal data of employees and job applicants. This means employers are within the scope of compliance when they employ any Colorado resident.


Business Considerations

  • Employers should understand the new requirements and limits of the amendment to ensure they comply.
  • Employers should update or create and adopt a written policy that clearly outlines how they will handle biometric data. This policy should be comprehensive and cover all aspects of biometric data handling.
  • Employers should ensure they provide clear disclosure to their employees about what biometric data is being collected, why it is being collected, and how it will be used.
  • Employers should obtain explicit consent from their employees before collecting their biometric data.
  • Employers should put in place robust security measures to protect biometric data and prevent breaches, which should cover both physical and digital security.
  • Employers should provide training to all members who will be handling biometric data, covering the details of the written policy, the importance of protecting biometric data, and what to do in the event of a security breach.
  • Employers should regularly audit and update their policies to ensure they remain compliant with evolving technology and regulations.


Resources

Need help understanding how changes to employment laws will affect your business?

Learn more about how Vensure's Colorado PEO services can help you navigate complex employment laws and keep your business compliant.


This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.
