Colorado was the third state in the U.S. to pass comprehensive privacy legislation, following in the footsteps of California and Virginia, with the Colorado Privacy Act (the “CPA”). Now Colorado is increasing protections again, this time for biometric data, effective July 1, 2025, and for minors (defined as a consumer under the age of 18), effective October 1, 2025. Because the scope of coverage for both controllers and data subjects increases with these amendments, entities dealing with consumers or employees in Colorado should carefully review whether they are subject to these changes and begin the process of revising their policies, notices, and assessments.
New Thresholds for Covered Entities.
Current Threshold.
The CPA currently applies to controllers (persons that determine the purposes for and means of processing personal data) based on the number of consumers whose data they process. Specifically, the CPA applies to controllers conducting business in Colorado or that produce or deliver commercial products or services that are intentionally targeted to residents of Colorado and either (a) control or process the personal data of at least 100,000 consumers in a calendar year, or (b) control or process the personal data of at least 25,000 consumers and earn revenue or receive a discount on goods or services from the sale of personal data. A variety of exemptions apply, including for GLBA regulated entities and non-profit higher education, and HIPAA regulated data and data subject to FCRA. See Colorado Becomes Third State to Pass Comprehensive Privacy Legislation. The CPA amendments have a much broader scope and will cover entities not otherwise subject to the CPA.
Expanded Threshold Effective July 1, 2025—Biometric Identifiers and Data.
Beginning July 1, 2025, the CPA will also cover, “for the purposes of a biometric identifier or biometric data that the controller collects and processes,” controllers that control or process any amount of biometric identifiers or biometric data even if the controllers don’t meet the processing thresholds for coverage under the other provisions of the CPA. As written, such controllers will not only need to comply with the new biometric provisions of the CPA but also existing provisions regarding “sensitive data,” which already included “biometric data that may be processed for the purpose of uniquely identifying an individual.” Because the CPA requires an opt-in to collection and processing of sensitive personal data, beginning July 1, 2025 controllers who were not previously covered by the CPA also will need to obtain consent before collecting and processing biometric data for the purposes of identification. Likewise, the CPA already requires data protection assessments (DPAs) for sensitive personal data. Therefore, these controllers will need to conduct a DPA on biometric data used for the purpose of identification just as currently covered controllers are obligated to do.
There is one bright spot for smaller controllers: The amendments’ requirements regarding the consumer’s right to access information about the controller’s processing of the consumer’s biometric data only apply to controllers who also meet the processing thresholds under the general provisions of the CPA.
Expanded Threshold Effective October 1, 2025—Minors.
Effective October 1, 2025, the coverage threshold will expand again for purposes of the new provisions protecting minors. These new provisions will cover any controller that conducts business in Colorado or that produces or delivers commercial products or services that are intentionally targeted to residents of Colorado, without any processing thresholds. The existing CPA rules regarding opt-out mechanisms, and the provisions for liability, enforcement and preemption of local laws, also apply.
Exemptions Still Apply.
The amendments do not amend the exemptions from coverage currently in effect under the CPA, including data maintained for employment records purposes and the proviso that the obligations under the CPA don’t restrict a controller’s or processor’s ability to engage in certain conduct such as complying with the law, cooperating with law enforcement, and defending actual and anticipated legal claims. Effective October 1, 2025, two new exceptions apply. First, the CPA will not require a controller or processor to implement an age verification or age-gating system or otherwise affirmatively collect the age of consumers. But conducting a “commercially reasonable age estimation to determine which consumers are minors” provides the controller and processor a safe harbor from liability for getting the age estimation wrong. Second, the amendments clarify that they do not impose any obligation on a controller or processor that adversely affects the rights of any person to freedom of speech or freedom of the press guaranteed by the First Amendment to the United States Constitution. All exemptions remain subject to purpose limitations.
Some Biometric Amendments Apply to Obtaining Consent from Employees and Independent Contractors.
Employees and job applicants are still excluded from the definition of “consumer” under the CPA if they are acting in their capacity as such. In addition, the definition of “biometric identifiers” specifically applies to data of “consumers” and thus should exclude biometric identifiers of employees and job applicants. Therefore, most of the biometric amendments will not apply to employees and job applicants. Unlike the other provisions of the CPA, however, some of the amendments on biometrics expressly apply to employees—broadly defined to include employees and individuals hired as a contractor, subcontractor, intern, or fellow. Specifically, the amendments prohibit an employer from obtaining consent from an employee as a condition of employment except in certain conditions, outlined below. The amendments also clarify methods by which permitted consent can be deemed valid, which requires that the consent be informed. Employers will want to review their biometric notice and consent forms and obtain adequate consent if needed by July 1, 2025.
Increased Obligations regarding Biometric Data and Biometric Identifiers—Effective July 1, 2025.
The amendments’ requirements apply variously to “biometric data” and “biometric identifiers.” The amendments define biometric data to mean biometric identifiers that are used (or are intended to be used) for identification purposes, either alone or with other personal data, but exclude a digital or physical photograph, an audio or voice recording, or data derived from such photographs or recordings. A “biometric identifier” is defined as data “generated by the technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics” that can be processed for the purpose of uniquely identifying an individual. Biometric identifiers expressly include a fingerprint, voiceprint, retina or iris scan or record, facial map, geometry or template, or “other unique biological, physical, or behavioral patterns or characteristics.” The definitions parallel but are not identical to definitions under other privacy laws, such as the California Consumer Privacy Act, the Virginia Consumer Data Protection Act, and the Illinois Biometric Information Privacy Act (“BIPA”).
The CPA amendments on biometrics limit collection of biometric identifiers, require enhanced data security protections and deletion of biometric identifiers, and will require covered entities to have a detailed written policy, make the policy publicly available unless it pertains only to employees or if publication would pose a risk to security, and allow consumers to obtain information about the processing of their biometric data. The amendments also place limits on purchasing biometric identifiers and prohibit covered businesses from refusing to provide a service to a person who does not agree to provide their biometric data unless the biometric data is necessary to provide the service. Entities already covered by the CPA processing biometric data should already be in compliance with many of these requirements. For newly covered businesses, there is a lot to do in the next two months.
Written policy required.
Controllers who process biometric data must have a written policy with the following components:
(I) A schedule for retention of both biometric identifiers and biometric data;
(II) Data security incident protocols for data incidents that could compromise the security of biometric identifiers or biometric data, including data breach notices under Colorado’s data breach law;
(III) Guidelines for deleting biometric identifiers on or before the earlier of (i) the date when the initial purpose for collecting the biometric identifier has been satisfied; (ii) 24 months after the consumer last interacted with the controller; or (iii) forty-five days, or any earlier reasonably feasible date, after a controller determines that storage of the biometric identifier is no longer necessary, adequate, or relevant to the express processing purpose (identified by a review conducted by the controller at least once annually), subject to a 45-day extension in certain conditions.
Like BIPA, the CPA amendments require the controller to make the policy available to the public, but the amendments provide exceptions for policies that only apply to current employees of the controller, policies used solely by employees and agents of the controller for the operation of the controller, or the portion of the policy setting out internal protocol for responding to a data security incident that may compromise the security of biometric identifiers or biometric data. Note that because the requirement for a written policy covers biometric identifiers and does not expressly address employees, it appears that the requirement of a written policy does not apply to processing of biometric identifiers of employees. The reference to policies applicable to current employees is odd but is not a clear requirement that employers have policies applicable to employees.
Security.
In addition to having security incident protocols in their written biometric policy, controllers must comply with the security standards in the CPA as well as the security standard of care within the controller’s industry.
Processors also are required to have a data security incident response plan for biometric data and biometric identifiers and must comply with their obligation to report incidents to the controller under Colorado’s data breach law.
Notice and Consent Related to Biometric Identifiers.
The CPA amendments prohibit controllers from processing or collecting a biometric identifier of a consumer if the controller does not first (i) notify the consumer of the fact of and purpose of the collection, the period that the identifier will be retained, and the specific purpose for which the biometric identifier is being shared with a processor, in a clear, accessible and understandable manner; and (ii) comply with the CPA’s existing controller obligations, including notice, purpose specifications, data minimization, avoiding secondary use, security against unauthorized acquisition, avoiding unlawful discrimination, and importantly, consent, set forth in CRS 6-1-1308.
The amendments’ definition of collection is broad, and includes obtaining a biometric identifier or biometric data “by any means,” whether online or offline, and including actively or passively receiving a biometric identifier or biometric data from the consumer or from a third party, or obtaining biometric data by observing the consumer’s behavior. The Colorado AG rules on the amendments require notice (i) at or before initial collection or processing and (ii) before any material change to the purpose of the processing. The notice can be in the controller’s general privacy notice, but only if clearly marked.
The amendments prohibit controllers from selling, leasing, or trading the biometric identifier with any entity. Controllers also are prohibited from disclosing, redisclosing, or otherwise disseminating biometric identifiers without the consumer’s consent unless the disclosure or dissemination is requested or authorized by the consumer for the purpose of completing a financial transaction, is to a processor as necessary for the purpose for which the biometric identifier was collected and consented to by the consumer, or is required by state or federal law. Consent or requests can be made by a “legally authorized representative” of the consumer, but such representatives are limited to a parent or legal guardian of a minor or a legal guardian of an adult. Per the AG rules, consent must be refreshed if the consumer has not interacted with the controller in the prior 24 months, subject to certain exceptions.
Controllers also cannot (i) refuse to provide a good or service to a consumer based on the consumer’s refusal to consent unless the controller’s collection, use, disclosure, transfer, sale, retention, or processing of a biometric identifier is necessary to provide the good or service; (ii) charge a different price or rate for a good or service or provide a different level of quality of a good or service to any consumer who exercises the consumer’s rights under the CPA; or (iii) purchase a biometric identifier unless the controller pays the consumer for the collection of the consumer’s biometric identifier, the purchase is unrelated to the provision of a product or service to the consumer, and the controller has obtained consent. Different provisions apply to consent by employees, as explained below.
Consumer right to access biometric data.
The amendments’ provisions regarding the consumer’s right to access biometric data only apply to controllers otherwise covered by the general provisions of the CPA (i.e., conducting business in Colorado or marketing their commercial products or services to Colorado residents and meeting the numerical thresholds). For such covered entities, a consumer has the right to know the category or description of the consumer’s biometric data, the source from which the controller collected the biometric data, the purpose for which the controller collected or processed the biometric data and any associated personal data, the identity of any third party with which the controller disclosed or discloses the biometric data and the purposes for disclosing, and the category or a description of the specific biometric data that the controller discloses to third parties. The AG’s rules make clear that the controller is not required to provide a copy of the biometric data. Thus, a disclosure can state that the controller collects “unique Biometric Data including a fingerprint scan” without disclosing the actual fingerprint scan data.
Employee Consent.
Unlike the limitations with respect to the biometric data of consumers, employers can require consent to the collection and processing of biometric identifiers as a condition of employment if the collection and processing are for a limited purpose, specifically (i) permitting access to secure physical locations and secure electronic hardware and software applications; (ii) recording the commencement and conclusion of the employee’s full workday, including meal breaks and rest breaks in excess of thirty minutes; (iii) improving or monitoring workplace safety or security or ensuring the safety or security of employees; or (iv) improving or monitoring the safety or security of the public in the event of an emergency or crisis situation. Any consent sought for another permitted purpose cannot be a condition of employment, and retaliation against an employee who does not consent is prohibited. Consent for biometric data used for current employee location tracking or the tracking of how much time the employee spends using a hardware or software application is not permitted.
This section of the amendments makes clear that consent will be considered freely given and valid if it is a “clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data.” Thus, although not explicitly required, employers seeking consent to collect and process biometric data from employees should provide notice consistent with that required under the amendments for other consumers. Doing so will help the employer argue that consent was specific and informed. General or broad terms are not sufficient for consent.
According to the AG rules, the employer must obtain new employee consent if additional categories of biometric data are added or if the data will be processed for a secondary purpose to which the employee did not originally consent.
The amendments don’t limit the collection and processing of an employee’s or prospective employee’s biometric identifier for uses aligned with the reasonable expectations of an employee based on the employee’s job description or role, or a prospective employee based on a reasonable background check, an application, or identification requirements in accordance with the amendments.
Data Protection Assessments.
Because biometric data that may be used for uniquely identifying an individual is already “sensitive data” under the CPA, the CPA’s requirements on data protection assessments (DPAs) for sensitive personal data continue to apply. DPAs must identify and weigh the benefits from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that the controller can employ to reduce the risks, factoring in the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
Amendments Protecting Minors Effective October 1, 2025.
The amendments add new definitions and three new provisions specifically focused on minors. The CPA as enacted already had provisions regarding a consumer that is a child—defined as an individual under the age of 13 years. The amendments add the term “minor”—defined as a consumer under the age of 18 years. The three new provisions include:
- Special provisions allocating responsibilities with respect to minors to controllers and processors by role;
- Specific duty of care requirements on controllers offering an online service, product, or feature to a consumer that the controller knows or willfully disregards is a minor, including reasonable care to avoid increased risk of harm (as defined in the amendments) to the minor and prohibitions on processing minors’ personal data for targeted advertising, selling minors’ personal data, processing personal data for profiling in furtherance of a legal or similarly significant decision, processing minors’ personal data for a secondary purpose, using any system design feature to significantly increase, sustain, or extend a minor’s use of the online service, product, or feature, or processing precise geolocation data with limited exceptions;
- Special data protection assessments for minors.
Notably, minors under 13 need a parent or guardian to consent to certain processing otherwise prohibited, but minors 13 to 17 years old can consent for themselves.
About the author: Karin, Member. Well versed in employment, privacy, and general commercial litigation, Karin helps clients navigate a range of complex issues. In addition to employment and privacy matters, Karin has successfully litigated a wide range of ...