Colorado has proposed significant amendments to its Privacy Act (CPA) rules, introducing new requirements for biometric data handling and enhanced protections for minors’ online privacy. The amendments, which follow similar biometric privacy regulations in Illinois and other states, establish specific obligations for businesses collecting and processing biometric information, with implementation set to begin July 1, 2025.
Under the new rules, organizations collecting biometric data such as fingerprints, voiceprints, iris scans, or facial geometry must provide detailed notice to individuals before collection. The notice must specify what data is collected, its purpose, retention period, and any sharing arrangements. Businesses must obtain explicit consent, with employers required to secure written or electronic permission from Colorado employees before collecting their biometric data. This follows recent legal challenges over facial recognition use by major retailers and employers.
The amendments also address children’s privacy protection, with provisions taking effect October 1, 2025. Organizations offering online services to minors must obtain parental or guardian consent for data processing, conduct protection assessments for features designed to increase minor engagement, and implement limitations on data retention periods. These requirements are consistent with recent investigations into tech platforms’ data collection from minors and strengthen protections beyond existing federal COPPA requirements.
A notable addition allows businesses to request opinion letters and interpretive guidance from the Attorney General regarding CPA compliance. These letters may provide a “good faith reliance defense” and can potentially benefit entities beyond the original requestor, at the Attorney General’s discretion. This approach mirrors successful regulatory guidance programs in other jurisdictions.
The implementation timeline indicates that the rules will become effective 30 days after publication in the state register, following the Colorado Attorney General’s signature and filing with the Secretary of State. The move follows the growing global trend of establishing comprehensive biometric data retention policies and privacy frameworks.
For compliance, businesses are advised to audit their current data collection practices, implement comprehensive notice and consent procedures, enhance protections for minors’ data, and consider seeking clarification through opinion letters when needed. Organizations should pay particular attention to their biometric data handling practices, as recent class action lawsuits have highlighted the significant legal risks of improper biometric data management.
Sources: Fisher Phillips, Ropes Data Philes, JD Supra
December 18, 2024 – by the ID Tech Editorial Team