New Biometric Rules Mark 'Seismic' Change to Colo. Privacy Act, Say Lawyers
Businesses should write broad biometric compliance strategies in response to Colorado Privacy Act (CPA) regulations adopted last month by the state attorney general office, BCLP lawyers Goli Mahdavi and Andrea Rastelli blogged Thursday.
Sign up for a free preview to unlock the rest of this article
Amendments to CPA rules will take effect Jan. 30. AG Phil Weiser (D) cleared the new privacy rules for minors, biometric information and other matters last month. The rules responded to kids’ and biometric privacy bills the legislature passed last year and created a process for issuing opinion letters and interpretive guidance.
While the biometric rules “have garnered relatively limited attention, they do introduce significant new obligations for businesses that collect and process biometric identifiers and data that will need to be addressed by the time they come into force on July 1, 2025,” wrote the BCLP lawyers: The rules’ expanded applicability “is one of the more seismic changes to the CPA.”
Smaller organizations and those that collect only non-consumer data such as for human resources “can also find themselves on the hook for complying” with the biometric rules. “While the CPA generally only applies to businesses that meet certain thresholds … the new requirements in section C.R.S. § 6-1-1314 apply much more broadly,” wrote Mahdavi and Rastelli. “Any entity doing business in Colorado or targeting Colorado residents must now comply … regardless of size or data volume.”
“As a first step, companies should identify and understand current and potential collections and uses of biometric identifiers and data,” the lawyers said.