On May 31, Colorado enacted H.B. 24-1130, an amendment to the Colorado Privacy Act (CPA) regarding the use of biometric information (the “Biometric Amendment”). The Biometric Amendment, effective July 1, 2025, requires employers to obtain consent before collecting and using biometric information, and to adopt biometric policies. However, employers escape many additional burdens that the Biometric Amendment imposes on the collection and use of biometric information from consumers.
In even better news for employers, although the Biometric Amendment’s requirements are analogous to those of Illinois’s Biometric Information Privacy Act (BIPA), the Biometric Amendment poses much less risk. Unlike BIPA, which has been the subject of hundreds of class action lawsuits, the Biometric Amendment does not provide a private right of action for violations. Instead, the Biometric Amendment, like the CPA, can only be enforced by the Colorado attorney general and district attorneys.
Do All Provisions of the Biometric Amendment Apply to Employers?
The Biometric Amendment establishes a broad array of new requirements regarding the collection and use of biometric information, including a notice at collection, prohibitions on selling and trading this data, and security safeguards. Under the law’s plain language, these requirements apply only to the biometric information of “consumers,” and the CPA, to which the Biometric Amendment has been added, defines the term “consumer” to exclude employees and job applicants. Consequently, absent regulatory clarification to the contrary, employers could take the position that the only provisions of the Biometric Amendment that apply to them are those that do not refer to the biometric information of “consumers.”
What Are the Key New Requirements for Employers?
The Biometric Amendment introduces two new sets of obligations that explicitly apply to employers. First, a new section of the CPA requires employers to obtain consent from workers prior to collecting their biometric identifiers. Importantly, and as explained in more detail below, employers can condition continued employment on consent in the situations where employers most commonly collect biometric identifiers.
Second, the Biometric Amendment requires organizations that process biometric identifiers to adopt a written biometric policy that, as described in more detail below, establishes a retention period and a protocol for responding to security incidents involving biometric information. While businesses generally are required to make this policy publicly available, the Biometric Amendment specifically excludes from this requirement a policy that addresses the collection of biometric identifiers only from current employees. It does not state whether employers are required to make the policy available to employees and, if so, how. The Colorado Attorney General may address this point in implementing regulations.
While the Biometric Amendment requires notice only to “consumers” that their biometric information will be collected, employers may consider providing a similar notice to employees and job applicants when obtaining consent. This notice may help to satisfy the CPA’s requirement that consent be “informed.”
The Biometric Amendment requires that the notice to consumers include the following information: 1) a disclosure that a biometric identifier is being collected, 2) the specific purpose for collecting the biometric identifier, 3) the retention period applicable to the biometric identifier, and 4) if the biometric information will be disclosed to a third party, including a third-party service provider, the specific purpose for disclosing the biometric identifier.
Notably, an existing limitation to the scope of the CPA creates uncertainty about the extent of employers’ obligations with respect to biometric information about employees. Specifically, Section 6-1-1304(2)(k) of Part 13 of the Colorado Revised Statutes states, “[t]his Part 13 does not apply to [d]ata maintained for employment records purposes.” Part 13 encompasses not only the CPA but all the provisions of the Biometric Amendment, thereby apparently exempting employers from the new requirements of consent and a written biometric policy, at least with respect to biometric information maintained for purposes of “employment records.” This is another point that implementing regulations may clarify.
What Information Falls Within Scope of the Biometric Amendment?
The Biometric Amendment defines two types of biometric information: “biometric identifiers” and “biometric data.” The requirement that employers obtain consent applies only to “biometric identifiers.” However, the written biometric policy must cover both “biometric identifiers” and “biometric data.”
“Biometric identifier” is defined as “data generated by the technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics, which data can be processed for the purpose of uniquely identifying an individual,” including an individual’s fingerprint, voiceprint, retina scan, and facial geometry. “Biometric data” means one or more “biometric identifiers” that “are used or intended to be used” for identification purposes, either alone or in combination with other “biometric identifiers” or personal data. “Biometric data” does not include a digital or physical photograph, an audio or voice recording, or data generated from those sources unless they are used for identification purposes.
A key difference between “biometric identifiers” and “biometric data” is that “biometric identifiers” include measurements not used for identification purposes. For example, a technology that measures an individual’s facial geometry to determine whether the individual is smiling might not identify, or be intended to identify, that individual, but could still qualify as a “biometric identifier.” As a result, employers may need to obtain consent to collect information that they would not ordinarily consider to be biometric information.
Which Employers Must Comply with the Biometric Amendment?
Except for a few exempted organizations, employers that collect any amount of biometric identifiers or biometric data must comply. Also, unlike many other state data protection laws, the CPA and the Biometric Amendment apply to nonprofits, as well as for-profit organizations. However, financial institutions, Colorado state institutions of higher education, governmental entities, air carriers, and national securities associations are exempted.
Which Workers Must Consent to the Collection of a Biometric Identifier?
The requirement for employers to obtain consent applies to both “employees” and “prospective employees.” The Biometric Amendment defines “employee” broadly to cover “an individual who is employed full-time, part-time, or on-call or who is hired as a contractor, subcontractor, intern, or fellow.” As a result, the consent requirement applies to virtually every member of the current workforce and to applicants to fill virtually any role in the workforce.
When Can Employers Condition Continued Employment on Consent?
The Biometric Amendment requires that employers obtain employees’ consent to collect their biometric identifiers. Under the CPA, consent must be “specific, informed, and unambiguous” and by “clear affirmative action.” Consequently, opt-out consent, i.e., consent implied from notice, would not be valid; however, the CPA expressly allows consent “by electronic means.”
Critically, employers can condition employment, or continued employment, on consent only in relation to the following four common workplace uses of biometric identifiers:
- Permit access to secure physical locations and secure electronic hardware and software applications; except that an employer shall not obtain the employee’s or prospective employee’s consent to retain biometric data that is used for current employee location tracking or the tracking of how much time the employee spends using a hardware or software application;
- Record the commencement and conclusion of the employee’s full workday, including meal breaks and rest breaks in excess of 30 minutes;
- Improve or monitor workplace safety or security or ensure the safety or security of employees; or
- Improve or monitor the safety or security of the public in the event of an emergency or crisis situation.
In all other circumstances, consent cannot be a condition of employment, and the employer may not retaliate against the individual for refusing to consent. Use cases falling within this category might include some forms of emotion tracking, location tracking, and performance monitoring.
The Biometric Amendment eliminates the consent requirement in two narrow sets of circumstances. First, with respect to employees, consent is not required where the employee reasonably should expect collection of a biometric identifier based on the employee’s job description, as with, for example, security staff. Second, with respect to job applicants, consent is not required where collection is based on reasonable background check, application, or identification requirements.
What Must the Written Biometric Policy Include?
Under the Biometric Amendment, the written policy must include a retention schedule for biometric identifiers and biometric data, a plan for responding to a data security incident that may compromise the security of biometric identifiers or biometric data, and guidelines for the deletion of biometric identifiers.
Moreover, the policy must require the deletion of biometric identifiers at the earliest of the following dates: 1) when the initial purpose of collection of the biometric identifier is satisfied, 2) 24 months after the individual’s last interaction with the employer, or 3) within 45 days of the employer’s determination that storage of the biometric identifier is no longer necessary, adequate, or relevant to the purpose for collection.
How Does the Biometric Amendment Compare to Other U.S. Biometric Laws?
There are a few states with laws governing the collection and use of biometric information in the employment context. For example, the Biometric Amendment is similar to Illinois law in that both require employers to obtain consent from individuals to collect and process biometric information and distribute a written biometric policy. However, Illinois law requires that the biometric policy be publicly posted in all circumstances and does not include the Biometric Amendment’s exception, discussed above, for biometric policies that apply only to current employees. Similarly, Texas law requires that employers obtain consent, but does not include a requirement that employers create a biometric policy.
Maryland also has a biometric law that applies to employers, but only in limited circumstances. Maryland’s law requires consent for the use of a facial recognition service for the purpose of creating a facial template during an applicant’s interview for employment.
How Is the Biometric Amendment Enforced?
The Biometric Amendment and the CPA are enforced concurrently by the Colorado attorney general and district attorneys, who may bring an action in the name of the state or on behalf of residents of Colorado. The law does not provide for a private right of action.
A violation of the CPA is a deceptive trade practice under the Colorado Consumer Protection Act and carries potential civil penalties of up to $20,000 for each violation. The attorney general or district attorney can also seek a restraining order or injunction prohibiting continuing violations of the law or an assurance of discontinuance of the violation.
Will There Be Regulations?
The Biometric Amendment authorizes the Colorado Department of Law to promulgate rules related to the implementation of the Biometric Amendment. The rules may establish more stringent requirements for the security standards for biometric identifiers and biometric data and may be created in consultation with the office of information technology and the department of regulatory agencies. To date, no regulations have been promulgated.
Takeaways
Employers should consider the following steps:
- Conduct an audit to determine what technology at the organization, if any, collects information within the scope of the Biometric Amendment and other biometric laws. Employers should bear in mind that, with the growth of artificial intelligence, an increasing number of workplace technologies collect biometric information in some form.
- Identify the states where the employer collects biometric information and purposes of use to determine consent and other compliance requirements.
- Obtain appropriate consent and implement biometric policies, as needed.
- Finally, keep an eye out for clarification from the Colorado Department of Law regarding the implementation of the Biometric Amendment and for legislation in other states, as many state legislatures are considering additional biometric legislation.
Zoe M. Argento and Philip L. Gordon are attorneys with Littler in Denver. Kwabena A. Appenteng and Orly Henry are attorneys with Littler in Chicago. Alyssa Daniels is an attorney with Littler in Cleveland. © 2024 Littler. All rights reserved. Reposted with permission.