Colorado's Restriction on Biometric Identifiers
Colorado has implemented tough rules on how businesses can use biometric identifiers (e.g., fingerprints, voiceprints, and facial data). This is in addition to already requiring consent before processing sensitive data.
Here’s what you need to know.
1. No Selling
Businesses are prohibited from selling biometric identifiers—no exceptions. Keep in mind that Colorado’s definition of “selling” includes exchanging data for anything of value. This can include granting access to data in order to access software or other services.
2. No Purchasing
Businesses may not purchase biometric identifiers unless all the following conditions are met:
- The controller pays the consumer
- The purchase is unrelated to provision of a product/service
- The consumer consents
For most businesses, this amounts to a de facto prohibition on purchasing biometric identifiers.
3. No Disclosure Without Consent
Businesses may not disclose biometric data to any outside parties unless at least one of the following conditions is met:
- The consumer consents
- It is requested or authorized by the consumer as part of completing a transaction
- The disclosure is to a processor for a purpose to which the consumer already consented
- The disclosure is required by law
4. Providing Access
Upon request by a consumer, businesses must provide the following information regarding biometric data:
- The source from which they collected the biometric data
- The purpose for which they collected the biometric data and any associated personal data
- The identity of any third party to which the data was disclosed, as well as the purpose for the disclosure
- The category or a description of the specific biometric data that the business discloses to third parties
5. Handle with Care
Businesses must use an industry standard of care when storing, transmitting, and protecting biometric identifiers.
6. No Discrimination
Businesses may not refuse to provide a good or service to a consumer based on the consumer’s refusal to consent to the processing of their biometric identifiers, unless the biometric identifiers are necessary for the provision of the good or service.
7. Consent for Employees
Though the Colorado Privacy Act for the most part does not apply to employee data, the law does specify that employers must generally get consent before collecting and processing employees’ and prospective employees’ biometric identifiers.
Employers can require consent as a condition of employment in the following circumstances:
- To permit access to secure locations and secure electronic hardware & software; HOWEVER, this does not include:
  - Using biometric data to track employees' locations
  - Tracking how much time the employee spends using hardware or software
- To record the start and conclusion of the work day
- To improve or monitor workplace safety or security or ensure the safety or security of employees
8. Written Policy
Businesses that handle biometric identifiers must adopt a written policy that addresses the following:
- Establishes a retention schedule for biometric identifiers
- Includes a protocol for responding to security incidents that may compromise biometric identifiers or biometric data
- Identifies guidelines for automatically deleting biometric identifiers at certain points
Businesses must make the policy publicly available. This public-availability requirement does not apply to policies that apply solely to employees, and businesses are not required to make public their internal protocols for responding to security incidents.
If this requirement applies to your business, you will be prompted in your TrueVault account at https://polaris.truevault.com/privacy-center/us-states to add your written biometric identifiers policy to your Colorado-specific privacy notice.