As a reminder for covered entities in Colorado, House Bill 24-1130 introduces new biometric information requirements effective July 1, 2025. Signed into law on May 31, 2024, the bill expands obligations under the Colorado Privacy Act (CPA), even for entities already in compliance.

• Entities managing biometric data in Colorado should begin reviewing and updating their policies, consent practices, and data handling procedures to ensure compliance by the July 2025 deadline.

Key Requirements for Employers and Controllers:

• Written Policy: Employers must adopt a written policy covering:
  
  • A retention schedule for biometric identifiers and data.
  • A protocol for responding to security incidents.
  • Annual reviews and deletion guidelines for biometric data.
  • Public availability of the policy, with limited exceptions.

• Consent & Notice:
  
  • Clear notice and valid consent are required before collecting biometric identifiers from employees or applicants.
  • Consent may be a condition of employment for certain uses.
  • Controllers must obtain consent before selling, leasing, or trading biometric identifiers.

• Privacy & Security Obligations:
  
  • Provide a clear, accessible privacy notice with specific content.
  • Honor consumer rights regarding their biometric data.
  • Implement appropriate security measures for storage and transmission.

• Additional Provisions:
  
  • Prohibits purchasing biometric identifiers without consumer consent and compensation, unless tied to a product or service.
  • Requires enhanced disclosures for high-volume data processors, including data sources and third-party recipients.

For additional information:

• Colorado Proposes Amendments to the Colorado Privacy Act Rules (VensureHR)
• HB 24-1130

This communication is intended solely for the purpose of conveying information. The present post might incorporate hyperlinks directing readers to websites managed by third-party entities. The inclusion of any links within this communication is meant to serve as points of reference and could encompass opinion articles from various law firms, articles from HR associations, official websites, news releases, and documents of government agencies, and other relevant third-party sources. Vensure has no authority over these external websites and bears no responsibility for their content. Furthermore, Vensure does not endorse the materials present on these websites. The contents of this communication should not be interpreted as legal advice or as a legal standpoint concerning specific facts or scenarios. Nor should it be deemed an exhaustive compilation of facts potentially pertinent to federal, state, or local laws. It is strongly advised that employers solicit legal guidance from an employment attorney when undertaking actions in response to any legal updates provided. This is due to the possibility of future alterations occurring in federal, state, and local laws, regulations, as well as the directives and guidelines issued by governing agencies. These changes may transpire at any given time, potentially rendering certain portions of the content within this update void or inaccurate.