The Colorado Privacy Act has been amended with new provisions specific to biometric data, following the signing of HB 1130 by Governor Jared Polis on May 31, 2024.
The updated law aligns with the Illinois Biometric Information Privacy Act (BIPA) by mandating that controllers provide notice and obtain consent before collecting or processing biometric identifiers. It also restricts the sale or disclosure of such data without customer consent, unless necessary for transaction completion or required by law.
Last month, a significant amendment to BIPA passed the state House Judiciary-Civil Committee, with the changes limiting violators to a maximum fine of $1,000 per person for recording biometric information without express, written consent, shifting away from the current framework that allows for damages per individual infraction.
The amended Colorado law introduces several new requirements, including a prohibition on purchasing biometric identifiers unless three conditions are met: the consumer is compensated, the consumer consents, and the purchase is not related to providing a product or service to the customer.
Companies meeting certain thresholds must disclose detailed information about their biometric data practices upon consumer request. Controllers must also adopt written guidelines for the destruction of biometric data, which must occur by the earliest of the purpose being fulfilled, 24 months after last consumer interaction, or within 45 days of determining the data is no longer necessary.
For employers, the law allows the collection of biometric data as a condition of employment strictly for secure access, time recording, and safety improvement purposes, requiring employee consent for other uses. The law also mandates a protocol for responding to biometric data security breaches.
This news comes only a few weeks after the state of Colorado passed House Bill 1468, which aims to expand the responsibilities and membership of Colorado’s task force on facial recognition and biometric technologies. The bill proposes increasing the task force’s membership from 15 to 17 by adding experts in generative AI and biometrics or social media, and broadening its focus to include AI and biometric technologies beyond government applications.
Source: Inside Privacy
June 3, 2024 – by Tony Bitzionis