Second Regular Session
Seventy-fourth General Assembly
STATE OF COLORADO
REENGROSSED
This Version Includes All Amendments
Adopted in the House of Introduction
LLS NO. 24-0534.01 Richard Sweetman x4333
HOUSE BILL 24-1130
House Committees Senate Committees
Judiciary
A BILL FOR AN ACT
C
ONCERNING PROTECTING THE PRIVACY OF AN INDIVIDUAL 'S101
BIOMETRIC DATA.102
Bill Summary
(Note: This summary applies to this bill as introduced and does
not reflect any amendments that may be subsequently adopted. If this bill
passes third reading in the house of introduction, a bill summary that
applies to the reengrossed version of this bill will be available at
http://leg.colorado.gov
.)
The bill amends the "Colorado Privacy Act" to add protections for
an individual's biometric data by requiring a person that, alone or jointly
with others, determines the purposes for and means of processing
biometric data (controller) to adopt a written policy that:
! Establishes a retention schedule for biometric identifiers;
! Includes a protocol for responding to a breach of security
HOUSE
Amended 3rd Reading
February 20, 2024
HOUSE
Amended 2nd Reading
February 16, 2024
HOUSE SPONSORSHIP
Daugherty and Lynch, Amabile, Bacon, Bird, Boesenecker, Brown, deGruy Kennedy,
Duran, Hamrick, Herod, Jodeh, Kipp, Lieder, Lindsay, Mabrey, Marshall, Marvin,
McCluskie, Parenti, Rutinel, Sirota, Titone, Valdez, Weinberg, Weissman, Young
SENATE SPONSORSHIP
Lundeen and Hansen,
Shading denotes HOUSE amendment. Double underlining denotes SENATE amendment.
Capital letters or bold & italic numbers indicate new material to be added to existing law.
Dashes through the words or numbers indicate deletions from existing law. of biometric data; and
! Includes guidelines that require the permanent destruction
of a biometric identifier by the earliest of certain dates.
The bill also:
! Prohibits a controller from collecting a biometric identifier
unless the controller first satisfies certain disclosure and
consent requirements;
! Specifies certain prohibited acts and requirements for
controllers that collect and use biometric data;
! Requires a controller to allow a consumer to access and
update a biometric identifier;
! Restricts an employer's permissible reasons for obtaining
an employee's consent for the collection of biometric
identifiers; and
! Authorizes the attorney general to promulgate rules to
implement the bill.
Be it enacted by the General Assembly of the State of Colorado:1
SECTION 1. Legislative declaration. (1) The general assembly2
finds that:3
(a) Businesses increasingly use biometric identifiers to attempt to4
verify customer identities, streamline transactions, control access to5
secure areas, and maximize revenues;6
(b) Biometric identifiers are unlike other unique identifiers that7
are used to verify identity or to access finances or other sensitive8
information because, unlike social security numbers, for example,9
biometric identifiers cannot be changed; they are unique to an individual,10
and once an individual's biometric identifiers are compromised, the11
individual has no recourse, is at heightened risk for identity theft, and12
may no longer feel safe participating in biometric-facilitated transactions;13
(c) The public has grown wary of the use of biometric identifiers14
due to recent data breaches that have exposed many individuals' biometric15
identifiers, leaving those individuals vulnerable to harm; and16
1130-2- (d) Biometric identifiers can be collected without an individual's1
knowledge, applied instantaneously to identify the individual in2
circumstances where the individual has an expectation of privacy and3
anonymity, and used to identify and track the individual's movements,4
activities, and associations.5
(2) The general assembly further finds that:6
(a) One increasingly prevalent biometric collection and matching7
technology, facial recognition technology, has been shown to have higher8
rates of misidentification and misclassification when it is used on faces9
of color, of women, of children, of the elderly, and of transgender and10
nonbinary persons; and11
(b) This misidentification and misclassification has led to12
documented cases of businesses refusing admission or service to13
individuals because facial recognition systems incorrectly "matched" the14
individuals to photos of suspected shoplifters or other individuals who15
had been barred from the premises.16
(3) Therefore, the general assembly declares that the public17
welfare, security, and safety will be served by regulating the collection,18
use, safeguarding, handling, storage, retention, and destruction of19
biometric identifiers.20
SECTION 2. In Colorado Revised Statutes, add 6-1-1314 as21
follows:22
6-1-1314. Biometric data and biometric identifiers -23
controllers - duties and requirements - written policy - prohibited24
acts - right to correct biometric identifiers - right to access biometric25
identifiers - remedies and civil actions - definitions. (1) A
S USED IN26
THIS SECTION, UNLESS THE CONTEXT OTHERWISE REQUIRES :27
1130
-3- (a) "COLLECT", "COLLECTION", OR "COLLECTING" MEANS TO1
ACCESS, ASSEMBLE, BUY, RENT, GATHER, PROCURE, RECEIVE, CAPTURE, OR2
OTHERWISE OBTAIN ANY BIOMETRIC IDENTIFIER OR BIOMETRIC DATA3
PERTAINING TO A CONSUMER BY ANY MEANS , ONLINE OR OFFLINE,4
INCLUDING:5
(I) A
CTIVELY OR PASSIVELY RECEIVING
A BIOMETRIC IDENTIFIER6
OR BIOMETRIC DATA FROM THE CONSUMER OR FROM A THIRD PARTY ; AND7
(II) O
BTAINING BIOMETRIC DATA BY OBSERVING THE CONSUMER 'S8
BEHAVIOR.9
(b) "E
MPLOYEE" MEANS AN INDIVIDUAL WHO IS EMPLOYED10
FULL-TIME, PART-TIME, OR ON-CALL OR WHO IS HIRED AS A CONTRACTOR,11
SUBCONTRACTOR, INTERN, OR FELLOW.12
(2) Written policy required. (a) A
CONTROLLER
THAT CONTROLS13
OR PROCESSES ONE OR MORE BIOMETRIC IDENTIFIERS SHALL ADOPT A14
WRITTEN POLICY THAT:15
(I) E
STABLISHES A RETENTION SCHEDULE FOR BIOMETRIC16
IDENTIFIERS;17
(II) I
NCLUDES A PROTOCOL FOR RESPONDING TO A BREACH OF18
SECURITY OF
BIOMETRIC IDENTIFIERS OR BIOMETRIC DATA , INCLUDING A19
PROCESS FOR NOTIFYING A CONSUMER WHEN THE SECURITY OF THE20
CONSUMER'S BIOMETRIC IDENTIFIER OR BIOMETRIC DATA HAS BEEN21
BREACHED; AND22
(III) I
NCLUDES GUIDELINES THAT REQUIRE THE PERMANENT23
DESTRUCTION OF A BIOMETRIC IDENTIFIER ON OR BEFORE THE EARLIEST OF24
THE FOLLOWING DATES:25
(A) T
HE DATE UPON WHICH THE INITIAL PURPOSE FOR COLLECTING26
THE BIOMETRIC IDENTIFIER HAS BEEN SATISFIED;27
1130
-4- (B) ONE YEAR AFTER THE CONSUMER INTERACTED WITH THE1
CONTROLLER; OR2
(C) N
O MORE THAN
FORTY-FIVE DAYS AFTER RECEIVING A3
VERIFIED REQUEST TO DELETE THE BIOMETRIC IDENTIFIER .4
(b) A
CONTROLLER SHALL COMPLY WITH ITS POLICY ADOPTED5
PURSUANT TO SUBSECTION (2)(a) OF THIS SECTION UNLESS OTHERWISE6
DIRECTED BY:7
(I) A
WARRANT ISSUED BY A COURT OF COMPETENT JURISDICTION8
FOR A SPECIFIC CONSUMER OR CONTROLLER UNDER INVESTIGATION OR9
FORMALLY CHARGED WITH A CRIME ; OR10
(II) A
COMPULSORY REQUEST OR DEMAND ISSUED BY A STATE11
AGENCY OR A DISTRICT ATTORNEY PURSUANT TO AN INVESTIGATION OF A12
VIOLATION OF THIS PART 13.13
(c) A
CONTROLLER SHALL MAKE ITS POLICY ADOPTED PURSUANT14
TO SUBSECTION (2)(a) OF THIS SECTION AVAILABLE TO THE PUBLIC ;15
EXCEPT THAT A CONTROLLER IS NOT REQUIRED TO MAKE AVAILABLE TO16
THE PUBLIC A WRITTEN POLICY THAT:17
(I) A
PPLIES ONLY TO CURRENT EMPLOYEES OF THE CONTROLLER ;18
AND19
(II) I
S USED SOLELY BY EMPLOYEES AND AGENTS OF THE20
CONTROLLER FOR THE OPERATION OF THE CONTROLLER .21
(3) Collection and retention of biometric identifiers -22
requirements - prohibited acts. (a) A
CONTROLLER SHALL NOT COLLECT23
OR PROCESS A BIOMETRIC IDENTIFIER OF A CONSUMER UNLESS THE24
CONTROLLER FIRST:25
(I) S
ATISFIES ALL DUTIES REQUIRED BY SECTION 6-1-1308;26
(II) I
NFORMS THE CONSUMER OR THE CONSUMER 'S LEGALLY27
1130
-5- AUTHORIZED REPRESENTATIVE IN WRITING THAT A BIOMETRIC IDENTIFIER1
IS BEING COLLECTED;2
(III) I
NFORMS THE CONSUMER OR THE CONSUMER 'S LEGALLY3
AUTHORIZED REPRESENTATIVE IN WRITING OF THE SPECIFIC PURPOSE FOR4
WHICH A BIOMETRIC IDENTIFIER IS BEING COLLECTED AND THE LENGTH OF5
TIME THAT THE CONTROLLER WILL RETAIN THE BIOMETRIC IDENTIFIER ;6
(IV) I
NFORMS THE CONSUMER OR THE CONSUMER 'S LEGALLY7
AUTHORIZED REPRESENTATIVE IN WRITING OF THE BUSINESS NAME OF ANY8
PROCESSOR TO WHICH THE BIOMETRIC IDENTIFIER WILL BE DISCLOSED ,9
REDISCLOSED, OR OTHERWISE DISSEMINATED; THE SPECIFIC PURPOSE FOR10
WHICH THE BIOMETRIC IDENTIFIER IS BEING SHARED WITH A PROCESSOR ;11
AND THE LENGTH OF TIME THAT A PROCESSOR WILL RETAIN THE BIOMETRIC12
IDENTIFIER; AND13
(V) O
BTAINS THE CONSUMER'S CONSENT OR, IN THE CASE OF THE14
BIOMETRIC IDENTIFIER OF A KNOWN CHILD, OBTAINS CONSENT FROM THE15
CHILD'S PARENT OR LAWFUL GUARDIAN , AS REQUIRED BY SECTION16
6-1-1308
(7).17
(b) A
PROCESSOR SHALL SATISFY ALL THE DUTIES DESCRIBED IN18
THIS SUBSECTION (3); EXCEPT THAT A PROCESSOR IS NOT REQUIRED TO19
OBTAIN CONSENT DIRECTLY FROM A CONSUMER OR THE CONSUMER 'S20
LEGALLY AUTHORIZED REPRESENTATIVE IF THE CONTROLLER HAS21
ACQUIRED SUCH CONSENT AND HAS DISCLOSED TO THE CONSUMER OR THE22
CONSUMER'S LEGALLY AUTHORIZED REPRESENTATIVE THE INFORMATION23
DESCRIBED IN SUBSECTIONS (3)(a)(II) AND (3)(a)(III) OF THIS SECTION.24
(c) A
CONTROLLER THAT
PROCESSES A CONSUMER'S BIOMETRIC25
IDENTIFIER SHALL NOT:26
(I) S
ELL, LEASE, OR TRADE THE BIOMETRIC IDENTIFIER WITH ANY27
1130
-6- ENTITY;1
(II) P
ERMIT ANY ENTITY TO WHICH THE BIOMETRIC IDENTIFIER IS2
TRANSFERRED TO SELL, LEASE, OR TRADE THE BIOMETRIC IDENTIFIER; OR3
(III) D
ISCLOSE, REDISCLOSE, OR OTHERWISE DISSEMINATE THE4
BIOMETRIC IDENTIFIER UNLESS:5
(A) T
HE CONSUMER OR THE CONSUMER 'S LEGALLY AUTHORIZED6
REPRESENTATIVE CONSENTS TO THE DISCLOSURE , REDISCLOSURE, OR7
OTHER DISSEMINATION;8
(B) T
HE DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION9
IS REQUESTED OR AUTHORIZED BY THE CONSUMER OR THE CONSUMER 'S10
LEGALLY AUTHORIZED REPRESENTATIVE FOR THE PURPOSE OF11
COMPLETING A FINANCIAL TRANSACTION ;12
(C) T
HE DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION13
IS TO A PROCESSOR AND IS NECESSARY FOR THE PURPOSE FOR WHICH THE14
BIOMETRIC IDENTIFIER WAS COLLECTED AND TO WHICH THE CONSUMER OR15
THE CONSUMER'S LEGALLY AUTHORIZED REPRESENTATIVE CONSENTED ;16
(D) T
HE DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION17
IS REQUIRED BY STATE OR FEDERAL LAW ; OR18
(E) T
HE DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION19
IS REQUIRED PURSUANT TO A WARRANT ISSUED BY A COURT OF20
COMPETENT JURISDICTION FOR A CONSUMER OR CONTROLLER UNDER21
INVESTIGATION OR FORMALLY CHARGED WITH A CRIME OR PURSUANT TO22
A COMPULSORY REQUEST OR DEMAND ISSUED BY A STATE AGENCY OR A23
DISTRICT ATTORNEY PURSUANT TO AN INVESTIGATION OF A VIOLATION OF24
THIS PART 13.25
(d) A
CONTROLLER SHALL NOT:26
(I) R
EFUSE TO PROVIDE A GOOD OR SERVICE TO A
CONSUMER,27
1130
-7- BASED ON THE CONSUMER'S REFUSAL TO CONSENT TO THE CONTROLLER'S1
COLLECTION, USE, DISCLOSURE, TRANSFER, SALE, RETENTION, OR2
PROCESSING OF A BIOMETRIC IDENTIFIER, UNLESS THE CONSUMER3
CONSENTS TO ALLOW THE CONTROLLER TO COLLECT , USE, DISCLOSE,4
TRANSFER, SELL, RETAIN, OR PROCESS A BIOMETRIC IDENTIFIER UNLESS5
THE COLLECTION, USE, DISCLOSURE, TRANSFER, SALE, RETENTION, OR6
PROCESSING OF THE BIOMETRIC IDENTIFIER IS NECESSARY TO PROVIDE THE7
GOOD OR SERVICE; 8
(II) C
HARGE A DIFFERENT PRICE OR RATE FOR A GOOD OR SERVICE9
OR PROVIDE A DIFFERENT LEVEL OF QUALITY OF A GOOD OR SERVICE TO10
ANY CONSUMER WHO EXERCISES THE CONSUMER 'S RIGHTS UNDER THIS11 PART 13; OR12
(III) PURCHASE A BIOMETRIC IDENTIFIER UNLESS THE CONTROLLER13
PAYS THE CONSUMER FOR THE COLLECTION OF THE CONSUMER 'S14
BIOMETRIC IDENTIFIER, THE PURCHASE IS UNRELATED TO THE PROVISION15
OF A PRODUCT OR SERVICE TO THE CONSUMER, AND THE CONTROLLER HAS16
OBTAINED CONSENT AS DESCRIBED IN SUBSECTION (3)(a) OF THIS SECTION.17
(e) A
CONTROLLER SHALL STORE, TRANSMIT, AND PROTECT FROM18
DISCLOSURE ALL BIOMETRIC
IDENTIFIERS USING THE REASONABLE19
STANDARD OF CARE WITHIN THE CONTROLLER 'S INDUSTRY. IF NO SUCH20
STANDARD EXISTS, A CONTROLLER SHALL STORE, TRANSMIT, AND PROTECT21
FROM DISCLOSURE ALL BIOMETRIC IDENTIFIERS IN A MANNER THAT IS22
EQUAL TO OR MORE PROTECTIVE THAN THE MANNER IN WHICH THE23
CONTROLLER STORES, TRANSMITS, AND PROTECTS OTHER CONFIDENTIAL24
INFORMATION.25
(4) Right to update biometric identifiers. A
T THE REQUEST OF26
A CONSUMER OR A CONSUMER 'S LEGALLY AUTHORIZED REPRESENTATIVE ,27
1130
-8- A CONTROLLER THAT COLLECTS THE CONSUMER 'S BIOMETRIC IDENTIFIER1
SHALL UPDATE THE BIOMETRIC IDENTIFIER AS REQUESTED BY THE2
CONSUMER. THE CONTROLLER SHALL COMPLETE THE UPDATE AND DELETE3
ANY REPLACED DATA WITHIN SIXTY DAYS AFTER RECEIVING THE REQUEST .4
(5) Right to access biometric identifiers - applicability -5
definitions. (a) E
XCEPT AS DESCRIBED IN SUBSECTION (5)(b) OF THIS6
SECTION, AT THE REQUEST OF A CONSUMER OR A CONSUMER 'S LEGALLY7
AUTHORIZED REPRESENTATIVE , A CONTROLLER THAT COLLECTS THE8
CONSUMER'S BIOMETRIC IDENTIFIER SHALL DISCLOSE TO THE CONSUMER ,9
FREE OF CHARGE, THE
CATEGORY OR DESCRIPTION OF THE CONSUMER'S10
BIOMETRIC IDENTIFIER AND THE FOLLOWING INFORMATION :11
(I) T
HE SOURCE FROM WHICH THE CONTROLLER COLLECTED THE12
BIOMETRIC IDENTIFIER;13
(II) T
HE PURPOSE FOR WHICH THE CONTROLLER USED THE14
BIOMETRIC IDENTIFIER AND ANY ASSOCIATED PERSONAL DATA ;15
(III) T
HE IDENTITY OF ANY THIRD PARTY WITH WHICH THE16
CONTROLLER SHARED OR SHARES THE BIOMETRIC IDENTIFIER AND THE17
PURPOSES FOR SHARING; AND18
(IV) T
HE CATEGORY OR A DESCRIPTION OF THE SPECIFIC19
BIOMETRIC IDENTIFIERS THAT THE CONTROLLER DISCLOSES TO THIRD20
PARTIES.21
(b) T
HE REQUIREMENTS OF SUBSECTION (5)(a) OF THIS SECTION22
APPLY ONLY TO:23
(I) A
SOLE PROPRIETORSHIP, A PARTNERSHIP, A LIMITED LIABILITY24
COMPANY, A CORPORATION, AN ASSOCIATION, OR ANOTHER LEGAL ENTITY25
THAT:26
(A) C
ONDUCTS BUSINESS IN COLORADO OR PRODUCES OR27
1130
-9- DELIVERS COMMERCIAL PRODUCTS OR SERVICES THAT ARE MARKETED TO1
C
OLORADO RESIDENTS;2
(B) C
OLLECTS BIOMETRIC IDENTIFIERS OR HAS BIOMETRIC3
IDENTIFIERS COLLECTED ON ITS BEHALF; AND4
(C) E
ITHER COLLECTS OR PROCESSES THE PERSONAL DATA OF ONE5
HUNDRED THOUSAND INDIVIDUALS OR MORE DURING A CALENDAR YEAR6
OR COLLECTS AND PROCESSES THE PERSONAL DATA OF TWENTY -FIVE7
THOUSAND INDIVIDUALS OR MORE AND DERIVES REVENUE FROM , OR8
RECEIVES A DISCOUNT ON THE PRICE OF GOODS OR SERVICES FROM , THE9
SALE OF PERSONAL DATA;10
(II) A
CONTROLLER THAT CONTROLS OR IS CONTROLLED BY11
ANOTHER CONTROLLER AND THAT SHARES COMMON BRANDING WITH THE12
OTHER CONTROLLER. AS USED IN THIS SUBSECTION (5)(b)(II):13
(A) "C
OMMON BRANDING " MEANS A SHARED NAME , SERVICE14
MARK, OR TRADEMARK THAT A CONSUMER WOULD REASONABLY15
UNDERSTAND TO INDICATE THAT TWO OR MORE ENTITIES ARE COMMONLY16
OWNED.17
(B) "C
ONTROL" MEANS THE OWNERSHIP OF , CONTROL OF, OR18
POWER TO VOTE MORE THAN TWENTY -FIVE PERCENT OR MORE OF THE19
OUTSTANDING SHARES OF ANY CLASS OF VOTING SECURITY OF A20
CONTROLLER; CONTROL IN ANY MANNER OVER THE ELECTION OF A21
MAJORITY OF THE DIRECTORS OF A CONTROLLER OR OF INDIVIDUALS22
EXERCISING SIMILAR FUNCTIONS; OR THE POWER TO EXERCISE, DIRECTLY23
OR INDIRECTLY, A CONTROLLING INFLUENCE OVER THE MANAGEMENT OF24
A CONTROLLER.25
(III) A
JOINT VENTURE OR PARTNERSHIP CONSISTING OF NO MORE26
THAN TWO BUSINESSES THAT SHARE CONSUMERS ' PERSONAL DATA WITH27
1130
-10- EACH OTHER.1
(6) Use of consent by employers. (a) AN EMPLOYER MAY2
REQUIRE AS A CONDITION OF EMPLOYMENT THAT AN EMPLOYEE OR A3
PROSPECTIVE EMPLOYEE CONSENT TO ALLOWING THE EMPLOYER TO4
COLLECT AND PROCESS THE EMPLOYEE'S OR THE PROSPECTIVE EMPLOYEE'S5
BIOMETRIC IDENTIFIER ONLY TO:6
(I) PERMIT ACCESS TO SECURE PHYSICAL LOCATIONS AND SECURE7
ELECTRONIC HARDWARE AND SOFTWARE APPLICATIONS ; EXCEPT THAT AN8
EMPLOYER SHALL NOT OBTAIN THE EMPLOYEE 'S OR PROSPECTIVE9
EMPLOYEE'S CONSENT TO RETAIN BIOMETRIC DATA THAT IS USED FOR10
CURRENT EMPLOYEE LOCATION TRACKING OR THE TRACKING OF HOW11
MUCH TIME THE EMPLOYEE SPENDS USING A HARDWARE OR SOFTWARE12
APPLICATION; OR13
(II) RECORD THE COMMENCEMENT AND CONCLUSION OF THE14
EMPLOYEE'S FULL WORK DAY, INCLUDING MEAL BREAKS AND REST BREAKS15
IN EXCESS OF THIRTY MINUTES.16
(b) AN EMPLOYER MAY COLLECT AND PROCESS AN EMPLOYEE 'S OR17
PROSPECTIVE EMPLOYEE'S BIOMETRIC IDENTIFIER FOR USES OTHER THAN18
THOSE DESCRIBED IN SUBSECTION (6)(a) OF THIS SECTION ONLY WITH THE19
EMPLOYEE'S OR PROSPECTIVE EMPLOYEE'S CONSENT. AN EMPLOYER MAY20
NOT REQUIRE THAT AN EMPLOYEE OR PROSPECTIVE EMPLOYEE CONSENT21
TO SUCH COLLECTION OR PROCESSING AS A CONDITION OF EMPLOYMENT22
OR RETALIATE AGAINST AN EMPLOYEE OR PROSPECTIVE EMPLOYEE WHO23
DOES NOT CONSENT TO SUCH COLLECTION OR PROCESSING .24
(c) SO LONG AS CONSENT THAT IS OBTAINED FOR COLLECTION AND25
PROCESSING AS DESCRIBED IN SUBSECTION (6)(a) OF THIS SECTION26
SATISFIES THE DEFINITION OF CONSENT PROVIDED IN SECTION 6-1-1303 (5),27
1130
-11- CONSENT IS CONSIDERED TO BE FREELY GIVEN AND VALID FOR THE LIMITED1
PURPOSES DESCRIBED IN SUBSECTION (6)(a) OF THIS SECTION.2
(7) Rules. T
HE DEPARTMENT OF LAW MAY PROMULGATE RULES3
FOR THE IMPLEMENTATION OF THIS SECTION , INCLUDING RULES4
PROMULGATED IN CONSULTATION WITH THE OFFICE OF INFORMATION5
TECHNOLOGY AND THE DEPARTMENT OF REGULATORY AGENCIES6
ESTABLISHING APPROPRIATE SECURITY STANDARDS FOR
BIOMETRIC7
IDENTIFIERS AND BIOMETRIC DATA THAT ARE MORE STRINGENT THAN THE8
REQUIREMENTS DESCRIBED IN THIS SECTION .9
SECTION 3. In Colorado Revised Statutes, 6-1-1303, add (2.2)10
and (2.4) as follows:11
6-1-1303. Definitions. As used in this part 13, unless the context12
otherwise requires:13
(2.2) (a) "BIOMETRIC DATA" MEANS ONE OR MORE BIOMETRIC14
IDENTIFIERS THAT ARE USED OR INTENDED TO BE USED , SINGLY OR IN15
COMBINATION WITH EACH OTHER OR WITH OTHER PERSONAL DATA , FOR16
IDENTIFICATION PURPOSES.17
(b) "BIOMETRIC DATA" DOES NOT INCLUDE:18
(I) A DIGITAL OR PHYSICAL PHOTOGRAPH;19
(II) AN AUDIO OR VOICE RECORDING; OR20
(III) ANY DATA GENERATED FROM A DIGITAL OR PHYSICAL21
PHOTOGRAPH OR AN AUDIO OR VIDEO RECORDING .22
(2.4) "B
IOMETRIC IDENTIFIER" MEANS DATA GENERATED BY THE23
TECHNOLOGICAL PROCESSING , MEASUREMENT, OR ANALYSIS OF A24
CONSUMER'S BIOLOGICAL, PHYSICAL, OR BEHAVIORAL CHARACTERISTICS,25
WHICH DATA CAN BE PROCESSED FOR THE PURPOSE OF UNIQUELY26
IDENTIFYING AN INDIVIDUAL. "BIOMETRIC IDENTIFIER" INCLUDES:27
1130
-12- (a) A FINGERPRINT;1
(b) A
VOICEPRINT;2
(c) A
SCAN OR RECORD OF AN EYE RETINA OR IRIS;3
(d) A
FACIAL MAP, FACIAL GEOMETRY, OR FACIAL TEMPLATE; AND4
(e) O
THER UNIQUE BIOLOGICAL, PHYSIOLOGICAL, OR BEHAVIORAL5
PATTERNS OR CHARACTERISTICS .6
SECTION 4. In Colorado Revised Statutes, 6-1-1304, amend (1);7
and add (6) as follows:8
6-1-1304. Applicability of part. (1) Except as specified in9
subsection (2) of this section, this part 13 applies to a controller that:10
(a) (I) Conducts business in Colorado or produces or delivers11
commercial products or services that are intentionally targeted to12
residents of Colorado; and13
(b)
(II) Satisfies one or both of the following thresholds:14
(I) (A) Controls or processes the personal data of one hundred15
thousand consumers or more during a calendar year; or16
(II) (B) Derives revenue or receives a discount on the price of17
goods or services from the sale of personal data and processes or controls18
the personal data of twenty-five thousand consumers or more;
OR19
(b) CONTROLS OR PROCESSES ANY AMOUNT OF BIOMETRIC20
IDENTIFIERS OR BIOMETRIC DATA REGARDLESS OF THE AMOUNT OF21
BIOMETRIC IDENTIFIERS OR BIOMETRIC DATA CONTROLLED OR PROCESSED22
ANNUALLY; EXCEPT THAT A CONTROLLER THAT MEETS THE23
QUALIFICATIONS OF THIS SUBSECTION (1)(b) BUT DOES NOT MEET THE24
QUALIFICATIONS OF SUBSECTION (1)(a) OF THIS SECTION SHALL COMPLY25
WITH THIS PART 13 ONLY FOR THE PURPOSES OF A BIOMETRIC IDENTIFIER26
OR BIOMETRIC DATA THAT THE CONTROLLER COLLECTS AND PROCESSES .27
1130
-13- (6) NOTHING IN THIS PART 13 SHALL BE CONSTRUED TO IMPACT1
THE ADMISSION OR DISCOVERY OF A BIOMETRIC IDENTIFIER IN ANY ACTION2
OF ANY KIND IN ANY COURT OR BEFORE ANY TRIBUNAL , BOARD, OR3
AGENCY.4
SECTION 5. Act subject to petition - effective date -5
applicability. (1) This act takes effect July 1, 2025; except that, if a6
referendum petition is filed pursuant to section 1 (3) of article V of the7
state constitution against this act or an item, section, or part of this act8
within the ninety-day period after final adjournment of the general9
assembly, then the act, item, section, or part will not take effect unless10
approved by the people at the general election to be held in November11
2024 and, in such case, will take effect July 1, 2025, or on the date of the12
official declaration of the vote thereon by the governor, whichever is13
later.14
(2) This act applies to the collection, retention, processing, and15
use of biometric identifiers on and after the applicable effective date of16
this act.17
1130
-14-