The Colorado Attorney General’s Office has published proposed draft amendments to the Colorado Privacy Act (CPA) Rules, focusing on new regulations for biometric data collection and use, as well as children’s privacy protections.
Announced on September 13, the amendments aim to align the CPA with recently enacted legislation, including Senate Bill 41, Privacy Protections for Children’s Online Data, and House Bill 1130, Privacy of Biometric Identifiers & Data, set to take effect in 2025.
One significant aspect of the proposed amendments is the introduction of new obligations for businesses that collect biometric data from Colorado residents. Regardless of whether a business meets the CPA’s applicability thresholds, any entity collecting biometric identifiers from consumers or employees would be required to provide a “Biometric Identifier Notice” before collection or processing. This notice must detail which biometric identifiers are being collected, the purpose of collection, the retention period, and whether the data will be disclosed to processors.
The draft amendments also revisit consent requirements for biometric data. Controllers would need to obtain explicit consent from individuals before selling, leasing, trading, or disseminating their biometric information. While employers may collect and process biometric identifiers as a condition of employment, this is permitted only under limited circumstances.
The proposed changes also address data protection assessments, particularly in processing activities that pose a heightened risk to minors. Businesses would need to disclose if personal data from minors is processed and identify potential risks associated with offering online services to this demographic.
Furthermore, the amendments introduce mechanisms for businesses to seek regulatory guidance. Entities could request opinion letters from the Colorado AG for clarity on CPA applications, which could serve as a good faith defense in future compliance disputes. An additional process for obtaining interpretive guidance, though non-binding, is also proposed.
Public comments on the draft amendments can be submitted starting September 25, 2024, ahead of a rulemaking hearing scheduled for November 7, 2024. If finalized, these amendments would become effective on July 1, 2025.
For more on the role that laws and regulations play in the biometrics and identity spaces, be sure to check out ID Tech’s recent conversation with Terry Brenner, IDVerse’s VP and Head of Legal and Compliance. Terry, a legal expert at a major identity assurance vendor, offered a unique perspective that is not often heard. The discussion touched on the evolving regulatory landscape, the importance of educating clients about risk, and the necessity of establishing an ethical framework.
Source: The National Law Review
–
September 24, 2024 – by Ali Nassar-Smith
Related News
Getaround Sued for Alleged Violations of Illinois Biometric Privacy Law
Verizon Faces Class Action Lawsuit Over Alleged Unlawful Collection of Voiceprints
Minnesota Gets Its Own Comprehensive Data Privacy Act- Colorado Amends Privacy Act to Strengthen Biometric Data Protections
Wendy’s Settles Its BIPA Beef – Identity News Digest
NZ Privacy Commissioner to Publish Draft Biometrics Code in Early 2024
Follow Us