What You Need to Know About Colorado’s Upcoming Biometric Law

By Mark Decker posted 02-26-2025 08:06 AM

  

On July 1, 2025, the Colorado Privacy Act (CPA) will be amended by Colorado’s Biometric Data Privacy Law. This amendment includes specific provisions that regulate the collection and use of employees’ biometric information.  

Scope 

The law applies to entities, including nonprofits, conducting business in Colorado or targeting Colorado residents, regardless of size or data volume. This includes employers collecting identifiable biometric information from employees. Exemptions are limited and include entities such as financial institutions subject to the Gramm-Leach-Bliley Act. In short, if you are an employer operating in or targeting Colorado and you gather biometric information from your employees, you are subject to the law. 

Understanding the Biometric Amendment 

The law includes two key definitions: 

  • Biometric identifiers are defined as data generated from the technological processing of an individual's biological, physical, or behavioral characteristics that can uniquely identify them, such as fingerprints, voiceprints, retina or iris scans, and facial geometry.  

  • Biometric data refers to one or more biometric identifiers used or intended for identification purposes. Notably, this includes data derived from photographs or audio recordings if used for identification.  

Informed Consent  

Before collecting or using biometric identifiers, employers must secure specific, informed, and unambiguous consent from employees and prospective employees. This consent must be obtained through a clear affirmative action, meaning implied consent is insufficient. Importantly, while the CPA generally requires refreshed consent every two years, employers are exempt from this requirement unless the biometric information is used for new purposes.  

Developing a Written Biometric Policy 

Employers are mandated to establish a written policy that details the collection, storage, and destruction of biometric identifiers and data. This policy must specify the purpose and duration for which the biometric information will be retained and outline protocols for responding to security incidents that involve biometric identifiers and data. This policy needs to be available to employees.  

How to Prepare 

To ensure compliance by the July 1, 2025, deadline, employers should do the following: 

  • Conduct a Data Audit: Identify any employee biometric information currently collected or processed within the organization. 

  • Review and Update Policies: Members should develop data privacy policies, or revise existing ones, to include provisions specific to biometric data, ensuring they meet the requirements set forth in the law. 

  • Implement Consent Procedures: Members should establish clear processes for obtaining and documenting informed consent from employees and job applicants prior to the collection of biometric identifiers. 

  • Train Staff: Members should educate human resources and management personnel about the new requirements to ensure proper handling of biometric data and when to obtain informed consent. 

  • Assess Data Security Measures: Members should evaluate and enhance security practices to protect biometric information from unauthorized access or breaches. 

Employers Council will release a whitepaper before the law’s effective date to help prepare members. Contact us if you have any questions. 

Mark Decker is an attorney for Employers Council. 

 
