On 22 April 2024, the Bill amending the Colorado Privacy Act (HB 24-1130) was adopted. The Bill aims to add protections for an individual's biometric data. It would require a controller, who determines the purposes for and means of processing biometric data, to adopt a written policy that establishes a retention schedule for biometric identifiers, includes a protocol for responding to a security breach of biometric data, and guidelines for the permanent destruction of a biometric identifier. The Bill would also prohibit a controller from collecting a biometric identifier unless certain disclosure and consent requirements are met. It specifies certain prohibited acts and requirements for controllers that process biometric identifiers and biometric data, and it requires a controller to allow a consumer to access and update a biometric identifier. The engrossed Bill extends certain prohibitions to processors of biometric identifiers and biometric data from collectors and users of such data. The amendment restricts an employer's permissible reasons for obtaining an employee's consent for the collection of biometric identifiers and authorises the Attorney General to issue rules to implement the Bill.
Original source