The bill amends the "Colorado Privacy Act" to add protections for an individual's biometric data by requiring a person that, alone or jointly with others, determines the purposes for and means of processing biometric data (controller) to adopt a written policy that:

  • Establishes a retention schedule for biometric identifiers;
  • Includes a protocol for responding to a breach of security of biometric data; and
  • Includes guidelines that require the permanent destruction of a biometric identifier by the earliest of certain dates.

The bill also:

  • Prohibits a controller from collecting a biometric identifier unless the controller first satisfies certain disclosure and consent requirements;
  • Specifies certain prohibited acts and requirements for controllers that collect and use biometric data;
  • Requires a controller to allow a consumer to access and update a biometric identifier;
  • Restricts an employer's permissible reasons for obtaining an employee's consent for the collection of biometric identifiers; and
  • Authorizes the attorney general to promulgate rules to implement the bill.

(Note: This summary applies to this bill as introduced.)
 

Sponsors

Rep. L. Daugherty, Rep. M. Lynch, Sen. C. Hansen, Sen. P. Lundeen

Status

Won: new law

Session

2024

Bill number

Position

Support