On 29 January 2024, the Bill amending the Colorado Privacy Act (HB 24-1130) was introduced in the Colorado Legislature. The Bill aims to add protections for an individual's biometric data. It would require a controller, who determines the purposes for and means of processing biometric data, to adopt a written policy that establishes a retention schedule for biometric identifiers, includes a protocol for responding to a security breach of biometric data, and guidelines for the permanent destruction of a biometric identifier. The Bil would also prohibit a controller from collecting a biometric identifier unless certain disclosure and consent requirements are met. It specifies certain prohibited acts and requirements for controllers that collect and use biometric data and requires a controller to allow a consumer to access and update a biometric identifier. The amendment restricts an employer's permissible reasons for obtaining an employee's consent for the collection of biometric identifiers and authorises the Attorney General to issue rules to implement the Bill.
Original source