Biometric Requirements Expand Scope of Colorado Privacy Act
Effective Tuesday, an amendment to the Colorado Privacy Act (CPA) that enhances protections for biometric identifiers widens the scope of whom the privacy law applies to and forces companies to review their policies, said privacy lawyers. Enacted as HB-1130 in June 2024, the measure compels entities that collect biometric data to meet stringent notice and consent requirements if they use or intend to use it for unique identification (see 2406030010).
“It's a pretty straightforward law to comply with, which is encouraging,” said Amy de La Lama, lead privacy and data security lawyer at BCLP. “For many companies, there are limited use cases, limited scenarios for which they're collecting biometric data, which makes it a little bit easier to address.”
She said one of the things that stood out about the biometric requirements is that they now include employees and employee data in the CPA. “That's a pretty significant expansion, just in terms of who it pulls in within scope.”
Danielle Kays, privacy and cyber lawyer at Fisher Phillips, agreed. “For the first time, employers must obtain written or electronic consent from Colorado employees before collecting their biometric data,” she said in an email to Privacy Daily. “They must also secure fresh consent if the data will be used for a new purpose or involves additional types of biometric identifiers.”
In a blog from January, two other BCLP lawyers wrote about the significance of the expanded applicability of the law under the new amendments (see 2501100051).
De La Lama additionally noted that the new requirements apply to a broader category of organizations than what was originally included in the Colorado Privacy Act. Because of the different thresholds for applicability, the requirements “could easily go unnoticed for companies that think they're not otherwise subject to the Colorado Privacy Act,” she said.
The amendment also “imposes a strict data-deletion schedule that requires covered entities to permanently destroy biometric data at the earliest of three possible” points: when the purpose for collection has been fulfilled; when 24 months have passed since the last interaction between the employee and the employer; or within 45 days of the employer determining that retention is no longer needed, said Anne Larson in a June 26 blog for law firm Ogletree Deakins.
She said the requirements also instruct “covered entities to maintain and implement a written incident-response protocol tailored to biometric data.” The protocol must incorporate the requirements of the state’s existing breach-notification statute, and notification of a breach to affected individuals must occur within the statutory timelines, Larson added.
De La Lama said Colorado's requirements are similar to other biometric laws, including Illinois’ Biometric Information Privacy Act (BIPA). “What really distinguishes it from Illinois … is that it does not have a private right of action, so it won't be litigated the same way that BIPA has been,” she said. “The requirements feel similar in that there are notice-and-consent requirements that apply to the collection and use of biometric data.”
Kays agreed. Only the Colorado attorney general and district attorneys can enforce that state's law, she said. “This means, unlike in Illinois, Colorado companies will not face the threat of class-action lawsuits under this new law.”
“Eventually, we may see actions brought by” the attorney general or district attorneys “to enforce the law, if necessary, akin to some of the recent activity seen by the Texas Attorney General relating to [its] biometric statute,” but “those are far fewer in comparison to the number of BIPA lawsuits and class actions filed in Illinois courts.”
De La Lama said she “would expect enforcement to be like what we've seen with other elements of the Colorado Privacy Act, which is [allowing] time for companies to adjust and start to … get their policies and procedures into compliance, and then a potential uptick in enforcement after some reasonable amount of time has gone by.”
“The other piece to keep in mind is there's a shorter retention period than [the one] set out by BIPA,” she said. So, if you already have “a biometric policy, because you're subject to BIPA, [it’s important] that you have adjusted your retention language and also your practices.”
Kays also said a difference from BIPA is that employers can only require employees to use biometric technology in certain specific circumstances, like recording the start and end of a workday, allowing access to secure areas or hardware/software systems, and improving or monitoring both workplace safety and security, as well as public security in the event of an emergency.
“If the technology is not used for one of these purposes, then the employee must have the choice to use the biometric technology, unless the individual ‘reasonably should expect’ biometric collection based on the job description or for job applicants for ‘reasonable background check, application, or identification requirements,’” she said.
Unlike BIPA, which is the subject of debate in courts (see 2502210037 and 2506260013), de La Lama said the biometrics requirements were not confusing or controversial. “I think it went unnoticed by a lot of companies,” she said. “The amendments kind of came and went, and then we all sort of looked up and thought, 'Holy moly, there are new biometric requirements, and they apply to employers.'”
“They kind of snuck under the radar, which is just interesting in that they are meaningful requirements that … I suspect a lot of companies aren't even aware [of] out there,” de La Lama added. “Hopefully,” she said, other companies that collect biometric data already know about the new requirements and will help “push out education and information to companies that use their services.”
Tuesday was also a key date for two other state privacy laws. The Oregon Consumer Privacy Act now applies to nonprofits, though it took effect for other entities one year ago.
July 1 also marks a milestone for the Delaware Personal Data Privacy Act, which took effect Jan. 1. “Data protection assessment requirements shall apply to processing activities created or generated on or after July 1, 2025, and are not retroactive,” says that law.