The bill amends the "Colorado Privacy Act" to add protections for an individual's biometric data by requiring a person that, alone or jointly with others, determines the purposes for and means of processing biometric data (controller) to adopt a written policy that:
- Establishes a retention schedule for biometric identifiers;
- Includes a protocol for responding to a breach of security of biometric data; and
- Includes guidelines that require the permanent destruction of a biometric identifier by the earliest of certain dates.
The bill also:
- Prohibits a controller from collecting a biometric identifier unless the controller first satisfies certain disclosure and consent requirements;
- Specifies certain prohibited acts and requirements for controllers that collect and use biometric data;
- Requires a controller to allow a consumer to access and update a biometric identifier;
- Restricts an employer's permissible reasons for obtaining an employee's consent for the collection of biometric identifiers; and
- Authorizes the attorney general to promulgate rules to implement the bill.
(Note: This summary applies to this bill as introduced.)