Colorado’s Biometrics Privacy Rules

Effective July 1, 2025, Colorado’s House Bill 24-1130 (HB 24-1130) amends the Colorado Privacy Act (CPA) to introduce stringent regulations on the collection, processing, and retention of biometric data, marking a significant expansion of privacy protections in the state. This legislation not only enhances the CPA’s existing framework but also extends specific obligations to employers, a notable departure from the CPA’s general exclusion of employee data. Below, we explore the details of Colorado’s new biometric rules, their relationship with the state’s AI laws and broader data privacy framework, comparisons with other U.S. biometric laws, and the practical implications for employers and employees.

Colorado’s Biometric Amendment (HB 24-1130)

The Biometric Amendment, signed into law by Governor Jared Polis on May 31, 2024, builds on the CPA’s classification of biometric data as “sensitive data” that requires heightened compliance measures, such as prior consent and data protection assessments (DPAs). HB 24-1130 introduces specific requirements for entities that control or process biometric identifiers (e.g., fingerprints, voiceprints, retina scans, facial geometry) or biometric data (identifiers used to uniquely identify an individual). These requirements apply to all entities doing business in Colorado or targeting Colorado residents, regardless of size or data volume, unlike the CPA’s general thresholds (e.g., processing data of 100,000 residents or selling data of 25,000 residents). Key provisions include:

  • Notice and Consent: Controllers must provide clear, accessible notice before collecting biometric identifiers, detailing the data collected, purpose, retention period, and any third-party disclosures. Consent must be informed and affirmative, and for employees, it must be obtained in writing or electronically.
  • Written Biometric Policy: Entities must adopt a written policy outlining a retention schedule, data security incident protocols, and deletion guidelines. Biometric identifiers must be deleted at the earliest of: (a) when the purpose of collection is satisfied, (b) 24 months after the individual’s last interaction with the controller, or (c) within 45 days of determining the data is no longer necessary. Public disclosure of the policy is required, except for policies solely addressing employee data.
  • Prohibitions on Sale and Disclosure: Controllers cannot sell, lease, or trade biometric identifiers without consumer consent, and disclosures are limited to specific purposes (e.g., to processors for the original collection purpose, to complete financial transactions, or as required by law).
  • Non-Discrimination: Entities cannot deny services, charge different prices, or provide lower-quality services to individuals who refuse to consent to biometric data collection, unless the data is essential to the service.
  • Enforcement: The Colorado Attorney General and district attorneys enforce the law; there is no private right of action, unlike under Illinois’ Biometric Information Privacy Act (BIPA). Until January 1, 2025, violators are given a 60-day period to cure violations; after that date, penalties may apply.

Tie-In with Colorado’s AI Laws

Colorado has positioned itself as a leader in tech regulation, notably with Senate Bill 24-205 (SB 24-205), signed in May 2024, which addresses AI-powered discrimination. Effective February 1, 2026, this law requires developers and deployers of high-risk AI systems—those making consequential decisions in areas like employment, housing, or healthcare—to implement risk management policies, conduct impact assessments, and disclose AI use to consumers. Biometric data often fuels AI systems, particularly for facial recognition or behavioral analysis, creating a critical overlap with HB 24-1130.

  • AI and Biometric Data: AI systems that process biometric data for identification (e.g., facial recognition for hiring or monitoring) must comply with both HB 24-1130’s consent and retention rules and SB 24-205’s requirements to mitigate algorithmic bias. For instance, an employer using AI-driven facial recognition for workplace access must obtain employee consent, provide notice, and ensure the AI system does not discriminate based on protected characteristics like race or gender.
  • Data Protection Assessments: Both laws require DPAs for sensitive data processing. HB 24-1130 mandates DPAs for biometric data as sensitive data under the CPA, while SB 24-205 requires assessments for high-risk AI systems, ensuring risks to individual rights are weighed against processing benefits.
  • Transparency and Accountability: SB 24-205’s disclosure requirements complement HB 24-1130’s notice obligations, ensuring consumers and employees are informed about how their biometric data is used in AI-driven processes.

This synergy reflects Colorado’s holistic approach to regulating emerging technologies, ensuring that biometric data used in AI systems is handled with robust privacy and fairness protections.

Integration with Colorado’s Data Privacy Laws

The CPA, effective since July 1, 2023, is Colorado’s comprehensive data privacy framework, aligning with laws like California’s Consumer Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act (VCDPA). It grants consumers rights to access, correct, delete, and opt out of personal data processing, with special protections for sensitive data like biometrics. HB 24-1130 expands the CPA’s scope by:

  • Broadening Applicability: Unlike the CPA’s general thresholds, HB 24-1130 applies to any entity processing biometric data, including smaller businesses and nonprofits, increasing compliance burdens.
  • Employee Data Inclusion: The CPA excludes data in employment contexts, but HB 24-1130 explicitly includes employee biometric data, aligning Colorado with California as one of the few states regulating employee privacy in this context.
  • Minors’ Data Protections: Senate Bill 24-041 (SB 24-041), effective October 1, 2025, amends the CPA to protect minors’ data (under 18), requiring consent for targeted advertising, data sales, or risky profiling. If biometric data is collected from minors, controllers must comply with both HB 24-1130 and SB 24-041, including parental consent for children under 13.

The CPA’s enforcement mechanisms, including Attorney General oversight and opinion letters for compliance guidance, also apply to HB 24-1130, providing businesses a pathway to clarify obligations.

Comparison with Other U.S. Biometric Laws

Colorado’s biometric rules join a patchwork of U.S. state laws, with Illinois’ BIPA (2008), Texas’ Capture or Use of Biometric Identifier Act (2009), and Washington’s biometric law (2017) being the most prominent. Key comparisons include:

  • Illinois BIPA: BIPA is the strictest, with a private right of action leading to numerous class-action lawsuits. It requires consent, notice, and a retention policy for biometric data but applies broadly to consumers and employees without CPA-like exemptions. Unlike HB 24-1130, BIPA does not allow employers to condition employment on consent for specific purposes.
  • Texas: Texas’ law requires notice and consent but is narrower, focusing on capturing or using biometric identifiers for commercial purposes. It lacks employee-specific provisions and has Attorney General-only enforcement, similar to Colorado.
  • Washington: Washington’s law applies to biometric data in databases for identification, requiring consent and security measures but excluding employee data. It also lacks a private right of action.
  • California CPRA: The CPRA includes biometric data as sensitive personal information, requiring opt-in consent and consumer rights. Like HB 24-1130, it applies to employee data (since 2023), but its biometric provisions are less detailed than Colorado’s.

Colorado’s law is unique in its broad applicability to all entities processing biometric data and its specific employee provisions, balancing robust protections with employer flexibility compared to BIPA’s rigidity.

Impact on Employers

HB 24-1130 significantly affects employers, who must now comply with biometric data regulations despite the CPA’s general exemption for employment data. Key implications include:

  • Consent Requirements: Employers must obtain written or electronic consent before collecting employee biometric identifiers (e.g., for time clocks or access control). Consent can be a condition of employment only for:
    • Access to secure physical or electronic locations (except for tracking location or time spent on applications).
    • Recording the start/end of workdays or breaks over 30 minutes.
    • Improving workplace safety or security.
    • Enhancing public safety during emergencies.
  • Permitted Uses Without Consent: Employers can collect biometric data without consent if aligned with an employee’s job description or role (e.g., security personnel) or for reasonable background checks, applications, or identification requirements for prospective employees.
  • Biometric Policy: Employers must adopt a written policy for biometric data, including retention schedules and security incident protocols. Unlike consumer-facing policies, employee-only policies need not be publicly disclosed; whether and how employees must be given access to the policy awaits regulatory guidance.
  • Compliance Challenges: Employers must integrate biometric notices into existing privacy policies, ensure consent is informed (detailing purpose, retention, and disclosures), and refresh consent for new uses or data types. Small businesses, previously exempt from CPA thresholds, now face compliance costs, potentially discouraging biometric technology use.
  • Risk Mitigation: Because HB 24-1130, unlike BIPA, provides no private right of action, litigation risk is lower, but Attorney General enforcement and potential penalties still call for a robust compliance program. Employers can seek opinion letters for guidance.

Impact on Employees

Employees gain significant protections under HB 24-1130, enhancing their control over biometric data:

  • Consent and Transparency: Employees must be informed about biometric data collection, its purpose, retention period, and third-party disclosures, empowering them to make informed decisions.
  • Limited Conditioning of Employment: Employers cannot condition employment on consent for non-essential biometric uses (e.g., tracking location or app usage), protecting employees from coercive practices. Retaliation for refusing consent is prohibited.
  • Data Protection: Retention and deletion requirements ensure biometric data is not stored indefinitely, reducing risks of misuse or breaches. Employees benefit from security incident protocols, though consumer-specific breach notifications may not apply.
  • Alignment with Job Expectations: Employees can expect biometric data use to align with their roles, providing clarity and limiting overreach.

However, employees may face challenges if biometric systems are essential for job functions (e.g., secure access), as consent may be non-negotiable in those cases, potentially limiting their autonomy.

Practical Steps for Compliance

To prepare for July 1, 2025, employers should:

  1. Conduct a Biometric Audit: Identify all biometric data collection (e.g., time clocks, facial recognition) and assess compliance with HB 24-1130.
  2. Develop Policies: Create a written biometric policy with retention schedules, security protocols, and deletion guidelines. Ensure notices are clear and accessible.
  3. Update Consent Processes: Implement written or electronic consent mechanisms for employees, specifying purposes and ensuring no retaliation for refusals.
  4. Align with AI and CPA Requirements: Integrate biometric compliance with SB 24-205’s AI risk assessments and CPA’s consumer rights obligations, especially for minors’ data.
  5. Seek Guidance: Request opinion letters from the Colorado Attorney General for clarity on ambiguous provisions, such as employee policy disclosure.
  6. Monitor Developments: Stay informed on regulatory updates and public comments (accepted until November 7, 2024) to refine compliance strategies.

How To Be Compliant With Colorado’s Biometric Laws?

Colorado’s Biometric Amendment, effective July 1, 2025, establishes robust protections for biometric data, aligning with the state’s progressive AI and data privacy laws. By extending requirements to employers, it addresses a critical gap in the CPA, ensuring employee biometric data is handled with care. Compared to other U.S. biometric laws, Colorado strikes a balance between stringent protections and employer flexibility, avoiding BIPA’s litigation risks while broadening applicability. Employers must act swiftly to adopt policies, secure consents, and align with AI and privacy regulations, while employees gain greater control and transparency. As Colorado continues to lead in tech regulation, businesses should view compliance as an opportunity to build trust in an increasingly data-driven world.
