United States of America: Act amending Colorado Privacy Act for enhanced biometric data protection entered into force (Bill No. HB 24-1130)

On 1 July 2025, the Act amending the Colorado Privacy Act for enhanced biometric data protection entered into force. The Act adds protections for an individual's biometric data. It requires a controller, who determines the purposes for and means of processing biometric data, to adopt a written policy that establishes a retention schedule for biometric identifiers, includes a protocol for responding to a security breach of biometric data, and guidelines for the permanent destruction of a biometric identifier. The Act further prohibits a controller from collecting a biometric identifier unless certain disclosure and consent requirements are met. It specifies certain prohibited acts and requirements for controllers that process biometric identifiers and biometric data, and it requires a controller to allow a consumer to access and update a biometric identifier. The Act extends certain prohibitions to processors of biometric identifiers and biometric data from collectors and users of such data. The amendment restricts an employer's permissible reasons for obtaining an employee's consent for the collection of biometric identifiers and authorises the Attorney General to issue rules to implement the Act.