On 31 May 2024, the Bill amending the Colorado Privacy Act (HB 24-1130) was signed into law by the Colorado Governor. The Bill adds protections for an individual's biometric data. It requires a controller, who determines the purposes for and means of processing biometric data, to adopt a written policy that establishes a retention schedule for biometric identifiers, includes a protocol for responding to a security breach of biometric data, and guidelines for the permanent destruction of a biometric identifier. The Bill further prohibits a controller from collecting a biometric identifier unless certain disclosure and consent requirements are met. It specifies certain prohibited acts and requirements for controllers that process biometric identifiers and biometric data, and it requires a controller to allow a consumer to access and update a biometric identifier. The Bill extends certain prohibitions to processors of biometric identifiers and biometric data from collectors and users of such data. The amendment restricts an employer's permissible reasons for obtaining an employee's consent for the collection of biometric identifiers and authorises the Attorney General to issue rules to implement the Bill. The Act enters into force on 1 July 2025 if no referendum petition is filed.
Original source