Colorado's Biometric Privacy Law Takes Effect July 1: Are You Ready?

Forbes

4 days ago

Colorado's biometric privacy law reflects a broader movement to treat biometric information as a ... More distinct and highly sensitive category of personal data.
Biometric compliance isn't hypothetical anymore in Colorado; it's here.
Colorado's new biometric privacy law, House Bill 24-1130, takes effect on July 1, 2025. Enacted more than a year ago, the law now moves from policy to practice. Employers and businesses that collect biometric information, such as fingerprints, facial scans, iris images, or voiceprints, must ensure their systems and policies comply with the statute's requirements.
The law expands the Colorado Privacy Act (CPA) by creating specific protections for biometric identifiers and biometric data. These protections reflect a growing concern: once compromised, biometric information cannot be replaced. A person's voice, face, or fingerprint is uniquely their own. The risks of misuse are real and lasting.
As biometric technologies become more common in authentication, timekeeping, and access control, Colorado's law introduces a structured framework that protects individuals while guiding businesses toward responsible use.
Who Is Covered?
Colorado's biometric privacy requirements apply to any business that collects, uses, or stores biometric identifiers or biometric data from Colorado residents. Importantly, these requirements apply even if a business does not meet the CPA's general thresholds for covered entities. That means a company may be exempt from other CPA provisions, but still obligated to follow biometric-specific rules.
This distinction is especially relevant for employers. While the CPA generally exempts personal data collected in the employment context, the biometric provisions specifically cover data collected from employees, job applicants, contractors, interns, and fellows.
Understanding the Terminology
Colorado distinguishes between 'biometric identifiers' and 'biometric data.' A biometric identifier is a unique biological, physical, or behavioral characteristic that can be used to identify someone. This includes fingerprints, voiceprints, facial geometry, iris scans, and similar measurements. The term biometric data includes one or more biometric identifiers that are used or intended to be used to identify an individual. In other words, the data becomes regulated once it is used for identification.
Digital photographs, audio recordings, and video files are excluded from the law unless they are used to extract biometric identifiers for identification purposes. That distinction matters for companies that rely on technologies like computer vision or speech analytics, which can convert images or recordings into data points such as facial geometry or voiceprints. If those tools extract biometric information and use it to identify a person, the data becomes subject to Colorado's law.
What Must Businesses Do?
Colorado's law imposes strict requirements on how biometric information is collected, stored, used, and shared. Businesses must:
Businesses must adopt a publicly available policy that explains how they handle biometric information. The policy must include:
Biometric identifiers must be deleted when the original purpose for collection has been fulfilled, within 24 months of the last interaction with the individual, or as soon as they are no longer necessary for the purpose identified by the business, whichever comes first. A 45-day extension is permitted if needed to finalize deletion.
Policies do not need to be made public if they only apply to internal employee operations, but they still must be documented and followed.
Before collecting biometric identifiers, businesses must provide individuals with a clear and understandable notice. The notice must include:
Consent must be obtained before collection. The law requires that consent be freely given, specific, informed, and unambiguous. Consent must be separate from other agreements and may not be bundled with terms of service or other privacy acknowledgments.
In the employment context, employers are permitted to use biometric data in limited, clearly defined situations. These include securing access to physical spaces or software systems, recording work hours, and monitoring workplace or public safety during emergencies. Employers may not collect biometric data to track an employee's location or monitor productivity without separate, voluntary consent. Any other purpose requires a separate and voluntary consent. Employers may not retaliate against employees or job applicants who decline to provide additional consent.
The law prohibits the sale, lease, or trade of biometric identifiers. Disclosure to third parties is permitted only if:
Additionally, businesses may not refuse goods or services to someone who declines to provide biometric data, unless the data is necessary to provide that service.
Individuals have the right to request information about the biometric data collected about them, but only if the business is subject to the general thresholds of the Colorado Privacy Act. If a business is a controller subject to the CPA's general thresholds, it must disclose the types of biometric data collected, the purpose for collection, the source of the data, the third parties with whom it has been shared, and the categories of information disclosed. This information must be provided free of charge upon request by the individual or their authorized representative.
Businesses that are not subject to the CPA's general thresholds, such as some small employers, are not required to respond to access requests, but must still comply with all other biometric data requirements under the law.
Both controllers and processors must protect biometric information using industry-standard safeguards. Security measures should support timely deletion in accordance with the business's documented retention schedule. If a data breach affects biometric identifiers or biometric data, the controller or processor must follow its response protocol and notify affected individuals if required by law.
Enforcement and Penalties
Failure to comply with Colorado's biometric privacy requirements may trigger enforcement by the Colorado Attorney General. Businesses may face civil penalties, injunctive relief, or other remedies available under the Colorado Privacy Act.
How Should Employers Prepare?
With the law taking effect on July 1, 2025, employers should evaluate their timekeeping systems, access control technologies, and any software or hardware that collects biometric data. These tools must align with the employee's role and the reasonable expectations associated with that position. Internal policies should be updated to reflect lawful use, clear notice, and proper consent. It is essential that staff are trained on proper data handling and deletion timelines. Employers should coordinate with vendors to ensure that they follow applicable obligations.
Parting Thoughts
Colorado's biometric privacy law reflects a broader movement to treat biometric information as a distinct and highly sensitive category of personal data. While Illinois set the precedent for biometric privacy laws, Colorado's statute reflects a growing national trend. Other states are now following suit. For businesses operating in Colorado, the time for compliance planning has passed. Now is the time for implementation.
House Bill 24-1130 sends a clear message. Colorado residents have a right to control how their biometric data is collected and used. And businesses, starting July 1, are required to honor that right.