Second Regular Session
Seventy-fourth General Assembly
STATE OF COLORADO
REREVISED
This Version Includes All Amendments
Adopted in the Second House
LLS NO. 24-0534.01 Richard Sweetman x4333
HOUSE BILL 24-1130
House Committees Senate Committees
Judiciary Judiciary
A BILL FOR AN ACT
C
ONCERNING PROTECTING THE PRIVACY OF AN INDIVIDUAL 'S101
BIOMETRIC DATA.102
Bill Summary
(Note: This summary applies to this bill as introduced and does
not reflect any amendments that may be subsequently adopted. If this bill
passes third reading in the house of introduction, a bill summary that
applies to the reengrossed version of this bill will be available at
http://leg.colorado.gov
.)
The bill amends the "Colorado Privacy Act" to add protections for
an individual's biometric data by requiring a person that, alone or jointly
with others, determines the purposes for and means of processing
biometric data (controller) to adopt a written policy that:
! Establishes a retention schedule for biometric identifiers;
! Includes a protocol for responding to a breach of security
SENATE
3rd Reading Unamended
April 19, 2024
SENATE
Amended 2nd Reading
April 18, 2024
HOUSE
Amended 3rd Reading
February 20, 2024
HOUSE
Amended 2nd Reading
February 16, 2024
HOUSE SPONSORSHIP
Daugherty and Lynch, Amabile, Bacon, Bird, Boesenecker, Brown, deGruy Kennedy,
Duran, Hamrick, Herod, Jodeh, Kipp, Lieder, Lindsay, Mabrey, Marshall, Marvin,
McCluskie, Parenti, Rutinel, Sirota, Titone, Valdez, Weinberg, Weissman, Young
SENATE SPONSORSHIP
Lundeen and Hansen, Baisley, Bridges, Buckner, Cutter, Gardner, Ginal, Gonzales,
Hinrichsen, Michaelson Jenet, Pelton B., Priola, Van Winkle, Will
Shading denotes HOUSE amendment. Double underlining denotes SENATE amendment.
Capital letters or bold & italic numbers indicate new material to be added to existing law.
Dashes through the words or numbers indicate deletions from existing law. of biometric data; and
! Includes guidelines that require the permanent destruction
of a biometric identifier by the earliest of certain dates.
The bill also:
! Prohibits a controller from collecting a biometric identifier
unless the controller first satisfies certain disclosure and
consent requirements;
! Specifies certain prohibited acts and requirements for
controllers that collect and use biometric data;
! Requires a controller to allow a consumer to access and
update a biometric identifier;
! Restricts an employer's permissible reasons for obtaining
an employee's consent for the collection of biometric
identifiers; and
! Authorizes the attorney general to promulgate rules to
implement the bill.
Be it enacted by the General Assembly of the State of Colorado:1
SECTION 1. Legislative declaration. (1) The general assembly2
finds that:3
(a) Businesses increasingly use biometric identifiers to attempt to4
verify customer identities, streamline transactions, control access to5
secure areas, and maximize revenues;6
(b) Biometric identifiers are unlike other unique identifiers that7
are used to verify identity or to access finances or other sensitive8
information because, unlike social security numbers, for example,9
biometric identifiers cannot be changed; they are unique to an individual,10
and once an individual's biometric identifiers are compromised, the11
individual has no recourse, is at heightened risk for identity theft, and12
may no longer feel safe participating in biometric-facilitated transactions;13
(c) The public has grown wary of the use of biometric identifiers14
due to recent data breaches that have exposed many individuals' biometric15
identifiers, leaving those individuals vulnerable to harm; and16
1130-2- (d) Biometric identifiers can be collected without an individual's1
knowledge, applied instantaneously to identify the individual in2
circumstances where the individual has an expectation of privacy and3
anonymity, and used to identify and track the individual's movements,4
activities, and associations.5
(2) The general assembly further finds that:6
(a) One increasingly prevalent biometric collection and matching7
technology, facial recognition technology, has been shown to have higher8
rates of misidentification and misclassification when it is used on faces9
of color, of women, of children, of the elderly, and of transgender and10
nonbinary persons; and11
(b) This misidentification and misclassification has led to12
documented cases of businesses refusing admission or service to13
individuals because facial recognition systems incorrectly "matched" the14
individuals to photos of suspected shoplifters or other individuals who15
had been barred from the premises.16
(3) While increasing protections for individuals' biometric17
identifiers is of the utmost importance, critical privacy protections must18
be balanced with the use of biometric data to support public safety as19
outlined in state and federal statutes. The "Colorado Privacy Act", part 1320
of article 1 of title 6, includes a variety of exceptions to the requirements21
established in this act, including permitted uses of biometric data for22
public safety needs, and all of the exceptions that apply to the entirety of23
the "Colorado Privacy Act" apply to the protections established for24
biometric data and biometric identifiers in this act.25
(4) Therefore, the general assembly declares that the public26
welfare, security, and safety will be served by regulating the collection,27
1130
-3- use, safeguarding, handling, storage, retention, and destruction of1
biometric identifiers.2
SECTION 2. In Colorado Revised Statutes, add 6-1-1314 as3
follows:4
6-1-1314. Biometric data and biometric identifiers -5
controllers - duties and requirements - written policy - prohibited6
acts - right to correct biometric identifiers - right to access biometric7
identifiers - remedies and civil actions - definitions. (1) A
S USED IN8
THIS SECTION, UNLESS THE CONTEXT OTHERWISE REQUIRES :9
(a) "C
OLLECT", "COLLECTION", OR "COLLECTING" MEANS TO10
ACCESS, ASSEMBLE, BUY, RENT, GATHER, PROCURE, RECEIVE,
CAPTURE, OR11
OTHERWISE OBTAIN ANY BIOMETRIC IDENTIFIER OR BIOMETRIC DATA12
PERTAINING TO A CONSUMER BY ANY MEANS , ONLINE OR OFFLINE,13
INCLUDING:14
(I) A
CTIVELY OR PASSIVELY RECEIVING
A BIOMETRIC IDENTIFIER15
OR BIOMETRIC DATA FROM THE CONSUMER OR FROM A THIRD PARTY ; AND16
(II) O
BTAINING BIOMETRIC DATA BY OBSERVING THE CONSUMER 'S17
BEHAVIOR.18
(b) "E
MPLOYEE" MEANS AN INDIVIDUAL WHO IS EMPLOYED19
FULL-TIME, PART-TIME, OR ON-CALL OR WHO IS HIRED AS A CONTRACTOR,20
SUBCONTRACTOR, INTERN, OR FELLOW.21
(c) "L
EGALLY AUTHORIZED REPRESENTATIVE " MEANS A PARENT
22
OR LEGAL GUARDIAN OF A MINOR OR A LEGAL GUARDIAN OF AN ADULT .23
(2) Written policy required. (a) A
CONTROLLER
THAT CONTROLS24
OR PROCESSES ONE OR MORE BIOMETRIC IDENTIFIERS SHALL ADOPT A25
WRITTEN POLICY THAT:26
(I) E
STABLISHES A RETENTION SCHEDULE FOR BIOMETRIC27
1130
-4- IDENTIFIERS AND BIOMETRIC DATA;1
(II) I
NCLUDES A PROTOCOL FOR RESPONDING TO A DATA SECURITY
2
INCIDENT THAT MAY COMPROMISE THE SECURITY OF BIOMETRIC3
IDENTIFIERS OR BIOMETRIC DATA, INCLUDING A PROCESS FOR NOTIFYING4
A CONSUMER WHEN THE SECURITY OF THE CONSUMER 'S BIOMETRIC5
IDENTIFIER OR BIOMETRIC DATA HAS BEEN BREACHED , PURSUANT TO6
SECTION 6-1-716; AND7
(III) I
NCLUDES GUIDELINES THAT REQUIRE THE DELETION OF A
8
BIOMETRIC IDENTIFIER ON OR BEFORE THE EARLIEST OF THE FOLLOWING9
DATES:10
(A) T
HE DATE UPON WHICH THE INITIAL PURPOSE FOR COLLECTING11
THE BIOMETRIC IDENTIFIER HAS BEEN SATISFIED;12
(B) T
WENTY-FOUR MONTHS AFTER THE CONSUMER LAST
13
INTERACTED WITH THE CONTROLLER ; OR14
(C) T
HE EARLIEST REASONABLY FEASIBLE DATE , WHICH DATE
15
MUST BE NO MORE THAN FORTY -FIVE DAYS AFTER A CONTROLLER16
DETERMINES THAT STORAGE OF THE BIOMETRIC IDENTIFIER IS NO LONGER17
NECESSARY, ADEQUATE, OR RELEVANT TO THE EXPRESS PROCESSING18
PURPOSE IDENTIFIED BY A REVIEW CONDUCTED BY THE CONTROLLER AT19
LEAST ONCE ANNUALLY . THE CONTROLLER MAY EXTEND THE20
FORTY-FIVE-DAY PERIOD DESCRIBED IN THIS SUBSECTION (2)(a)(III)(C) BY21
UP TO FORTY-FIVE ADDITIONAL DAYS IF SUCH AN EXTENSION IS22
REASONABLY NECESSARY , TAKING INTO ACCOUNT THE COMPLEXITY AND23
NUMBER OF BIOMETRIC IDENTIFIERS REQUIRED TO BE DELETED .24
(b) A CONTROLLER SHALL MAKE ITS POLICY ADOPTED PURSUANT25
TO SUBSECTION (2)(a) OF THIS SECTION AVAILABLE TO THE PUBLIC ;26
EXCEPT THAT A CONTROLLER IS NOT REQUIRED TO MAKE AVAILABLE TO27
1130
-5- THE PUBLIC:1
(I) A
WRITTEN POLICY THAT APPLIES ONLY TO CURRENT
2
EMPLOYEES OF THE CONTROLLER ;3
(II) A
WRITTEN POLICY THAT IS USED SOLELY BY EMPLOYEES AND
4
AGENTS OF THE CONTROLLER FOR THE OPERATION OF THE CONTROLLER ;5
OR6
(III) T
HE INTERNAL PROTOCOL FOR RESPONDING TO A DATA
7
SECURITY INCIDENT THAT MAY COMP ROMISE THE SECURITY OF BIOMETRIC8
IDENTIFIERS OR BIOMETRIC DATA.9
(3) Processors - security breach protocols. A
PROCESSOR OF
10
BIOMETRIC IDENTIFIERS OR BIOMETRIC DATA MUST HAVE A PROTOCOL FOR11
RESPONDING TO A DATA SECURITY INCIDENT THAT MAY COMPROMISE THE12
SECURITY OF BIOMETRIC IDENTIFIERS OR BIOMETRIC DATA , INCLUDING A13
PROCESS FOR NOTIFYING THE CONTROLLER WHEN THE SECURITY OF A14
CONSUMER'S BIOMETRIC IDENTIFIER OR BIOMETRIC DATA HAS BEEN15
BREACHED, PURSUANT TO SECTION 6-1-716.16
(4) Collection and retention of biometric identifiers -17
requirements - prohibited acts. (a) A
CONTROLLER SHALL NOT COLLECT18
OR PROCESS A BIOMETRIC IDENTIFI ER OF A CONSUMER UNLESS THE19
CONTROLLER FIRST:20
(I) S
ATISFIES ALL DUTIES REQUIRED BY SECTION 6-1-1308;21
(II) I
NFORMS THE CONSUMER OR THE CONSUMER 'S LEGALLY22
AUTHORIZED REPRESENTATIVE IN A CLEAR , REASONABLY ACCESSIBLE,
23
AND UNDERSTANDABLE MANNER THAT A BIOMETRIC IDENTIFIER IS BEING24
COLLECTED;25
(III) I
NFORMS THE CONSUMER OR THE CONSUMER 'S LEGALLY26
AUTHORIZED REPRESENTATIVE IN A CLEAR , REASONABLY ACCESSIBLE,
27
1130
-6- AND UNDERSTANDABLE MANNER OF THE SPECIFIC PURPOSE FOR WHICH A1
BIOMETRIC IDENTIFIER IS BEING COLLECTED AND THE LENGTH OF TIME2
THAT THE CONTROLLER WILL RETAIN THE BIOMETRIC IDENTIFIER ; AND3
(IV) I
NFORMS THE CONSUMER OR THE CONSUMER 'S LEGALLY4
AUTHORIZED REPRESENTATIVE IN A CLEAR , REASONABLY ACCESSIBLE ,
5
AND UNDERSTANDABLE MANNER IF THE BIOMETRIC IDENTIFIER WILL BE6
DISCLOSED, REDISCLOSED, OR OTHERWISE DISSEMINATED TO A PROCESSOR7
AND THE SPECIFIC PURPOSE FOR WHICH THE BIOMETRIC IDENTIFIER IS8
BEING SHARED WITH A PROCESSOR .9
(b) A CONTROLLER THAT PROCESSES A CONSUMER'S BIOMETRIC10
IDENTIFIER SHALL NOT:11
(I) S
ELL, LEASE, OR TRADE THE BIOMETRIC IDENTIFIER WITH ANY12
ENTITY; OR
13
(II) DISCLOSE, REDISCLOSE, OR OTHERWISE DISSEMINATE THE14
BIOMETRIC IDENTIFIER UNLESS:15
(A) T
HE CONSUMER OR THE CONSUMER 'S LEGALLY AUTHORIZED16
REPRESENTATIVE CONSENTS TO THE DISCLOSURE , REDISCLOSURE, OR17
OTHER DISSEMINATION;18
(B) T
HE DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION19
IS REQUESTED OR AUTHORIZED BY THE CONSUMER OR THE CONSUMER 'S20
LEGALLY AUTHORIZED REPRESENTATIVE FOR THE PURPOSE OF21
COMPLETING A FINANCIAL TRANSACTION ;22
(C) T
HE DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION23
IS TO A PROCESSOR AND IS NECESSARY FOR THE PURPOSE FOR WHICH THE24
BIOMETRIC IDENTIFIER WAS COLLECTED AND TO WHICH THE CONSUMER OR25
THE CONSUMER'S LEGALLY AUTHORIZED REPRESENTATIVE CONSENTED ; OR26
(D) T
HE DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION
27
1130
-7- IS REQUIRED BY STATE OR FEDERAL LAW .1
(c) A CONTROLLER SHALL NOT:2
(I) R
EFUSE TO PROVIDE A GOOD OR SERVICE TO A
CONSUMER,3
BASED ON THE CONSUMER'S REFUSAL TO CONSENT TO THE CONTROLLER'S4
COLLECTION, USE, DISCLOSURE, TRANSFER, SALE, RETENTION, OR5
PROCESSING OF A BIOMETRIC IDENTIFIER UNLESS THE COLLECTION, USE,6
DISCLOSURE, TRANSFER, SALE, RETENTION, OR PROCESSING OF THE7
BIOMETRIC IDENTIFIER IS NECESSARY TO PROVIDE THE GOOD OR SERVICE ;8
9
(II) C
HARGE A DIFFERENT PRICE OR RATE FOR A GOOD OR SERVICE10
OR PROVIDE A DIFFERENT LEVEL OF QUALITY OF A GOOD OR SERVICE TO11
ANY CONSUMER WHO EXERCISES THE CONSUMER 'S RIGHTS UNDER THIS12PART 13; OR13
(III) PURCHASE A BIOMETRIC IDENTIFIER UNLESS THE CONTROLLER14
PAYS THE CONSUMER FOR THE COLLECTION OF THE CONSUMER'S15
BIOMETRIC IDENTIFIER, THE PURCHASE IS UNRELATED TO THE PROVISION16
OF A PRODUCT OR SERVICE TO THE CONSUMER, AND THE CONTROLLER HAS17
OBTAINED CONSENT AS DESCRIBED IN SUBSECTION (4)(a) OF THIS18
SECTION.19
(d) A
CONTROLLER OR PROCESSOR SHALL STORE , TRANSMIT, AND
20
PROTECT FROM DISCLOSURE ALL BIOMETRIC IDENTIFIERS USING THE21
STANDARD OF CARE WITHIN THE CONTROLLER 'S INDUSTRY AND IN22
ACCORDANCE WITH SECTIONS 6-1-1305 (4) AND 6-1-1308 (5).23
(e) A
CONTROLLER SHALL OBTAIN CONSENT FROM A CONSUMER OR
24
FROM THE CONSUMER'S LEGALLY AUTHORIZED REPRESENTATIVE BEFORE25
COLLECTING THE CONSUMER'S BIOMETRIC DATA, AS REQUIRED BY SECTION26
6-1-1308
(7).
27
1130
-8- (5) Right to access biometric data - applicability - definition.1
(a) E
XCEPT AS DESCRIBED IN SUBSECTION (5)(b) OF THIS SECTION, AT THE
2
REQUEST OF A CONSUMER OR A CONSUMER 'S LEGALLY AUTHORIZED3
REPRESENTATIVE, A CONTROLLER THAT COLLECTS THE CONSUMER 'S4
BIOMETRIC DATA SHALL DISCLOSE TO THE CONSUMER , FREE OF CHARGE,5
THE CATEGORY OR DESCRIPTION OF THE CONSUMER 'S BIOMETRIC DATA6
AND THE FOLLOWING INFORMATION :7
(I) T
HE SOURCE FROM WHICH THE CONTROLLER COLLECTED THE
8
BIOMETRIC DATA;9
(II) T
HE PURPOSE FOR WHICH THE CONTROLLER COLLECTED OR
10
PROCESSED THE BIOMETRIC DATA AND ANY ASSOCIATED PERSONAL DATA ;11
(III) T
HE IDENTITY OF ANY THIRD PARTY WITH WHICH THE
12
CONTROLLER DISCLOSED OR DISCLOSES THE BIOMETRIC DATA AND THE13
PURPOSES FOR DISCLOSING; AND14
(IV) T
HE CATEGORY OR A DESCRIPTION OF THE SPECIFIC
15
BIOMETRIC DATA THAT THE CONTROLLER DISCLOSES TO THIRD PARTIES .16
(b) T
HE REQUIREMENTS OF SUBSECTION (5)(a) OF THIS SECTION17
APPLY ONLY TO:18
(I) A
SOLE PROPRIETORSHIP, A PARTNERSHIP, A LIMITED LIABILITY19
COMPANY, A CORPORATION, AN ASSOCIATION, OR ANOTHER LEGAL ENTITY20
THAT:21
(A) C
ONDUCTS BUSINESS IN COLORADO OR PRODUCES OR22
DELIVERS COMMERCIAL PRODUCTS OR SERVICES THAT ARE MARKETED TO23
C
OLORADO RESIDENTS;24
(B) C
OLLECTS BIOMETRIC DATA
OR HAS BIOMETRIC DATA25
COLLECTED ON ITS BEHALF; AND26
(C) E
ITHER COLLECTS OR PROCESSES THE PERSONAL DATA OF ONE27
1130
-9- HUNDRED THOUSAND INDIVIDUALS OR MORE DURING A CALENDAR YEAR1
OR COLLECTS AND PROCESSES THE PERSONAL DATA OF TWENTY -FIVE2
THOUSAND INDIVIDUALS OR MORE AND DERIVES REVENUE FROM , OR3
RECEIVES A DISCOUNT ON THE PRICE OF GOODS OR SERVICES FROM , THE4
SALE OF PERSONAL DATA;5
(II) A
CONTROLLER THAT CONTROLS OR IS CONTROLLED BY6
ANOTHER CONTROLLER AND THAT SHARES COMMON BRANDING WITH THE7
OTHER CONTROLLER. AS USED IN THIS SUBSECTION (5)(b)(II), "COMMON
8
BRANDING" MEANS A SHARED NAME , SERVICE MARK, OR TRADEMARK9
THAT A CONSUMER WOULD REASONABLY UNDERSTAND TO INDICATE THAT10
TWO OR MORE ENTITIES ARE COMMONLY OWNED .11
12
(III) A
JOINT VENTURE OR PARTNERSHIP CONSISTING OF NO MORE13
THAN TWO BUSINESSES THAT SHARE CONSUMERS ' PERSONAL DATA WITH14
EACH OTHER.15
(6) Use of consent by employers.
(a) AN EMPLOYER MAY16
REQUIRE AS A CONDITION OF EMPLOYMENT THAT AN EMPLOYEE OR A17
PROSPECTIVE EMPLOYEE CONSENT TO ALLOWING THE EMPLOYER TO18
COLLECT AND PROCESS THE EMPLOYEE'S OR THE PROSPECTIVE EMPLOYEE'S19
BIOMETRIC IDENTIFIER ONLY TO:20
(I) PERMIT ACCESS TO SECURE PHYSICAL LOCATIONS AND SECURE21
ELECTRONIC HARDWARE AND SOFTWARE APPLICATIONS ; EXCEPT THAT AN22
EMPLOYER SHALL NOT OBTAIN THE EMPLOYEE 'S OR PROSPECTIVE23
EMPLOYEE'S CONSENT TO RETAIN BIOMETRIC DATA THAT IS USED FOR24
CURRENT EMPLOYEE LOCATION TRACKING OR THE TRACKING OF HOW25
MUCH TIME THE EMPLOYEE SPENDS USING A HARDWARE OR SOFTWARE26
APPLICATION; 27
1130
-10- (II) RECORD THE COMMENCEMENT AND CONCLUSION OF THE1
EMPLOYEE'S FULL WORK DAY, INCLUDING MEAL BREAKS AND REST BREAKS2
IN EXCESS OF THIRTY MINUTES;3
(III) I
MPROVE OR MONITOR WORKPLACE SAFETY OR SECURITY OR
4
ENSURE THE SAFETY OR SECURITY OF EMPLOYEES ; OR5
(IV) I
MPROVE OR MONITOR THE SAFETY OR SECURITY OF THE
6
PUBLIC IN THE EVENT OF AN EMERGENCY OR CRISIS SITUATION .7
(b) A
N EMPLOYER AND ITS PROCESSOR MAY COLLECT AND PROCESS
8
AN EMPLOYEE'S OR PROSPECTIVE EMPLOYEE'S BIOMETRIC IDENTIFIER FOR9
USES OTHER THAN THOSE DESCRIBED IN SUBSECTION (6)(a) OF THIS10
SECTION ONLY WITH THE EMPLOYEE 'S OR PROSPECTIVE EMPLOYEE'S11
CONSENT. AN EMPLOYER MAY NOT REQUIRE THAT AN EMPLOYEE OR12
PROSPECTIVE EMPLOYEE CONSENT TO SUCH COLLECTION OR PROCESSING13
AS A CONDITION OF EMPLOYMENT OR RETALIATE AGAINST AN EMPLOYEE14
OR PROSPECTIVE EMPLOYEE WHO DOES NOT CONSENT TO SUCH15
COLLECTION OR PROCESSING.16
(c) SO LONG AS CONSENT THAT IS OBTAINED FOR COLLECTION AND17
PROCESSING AS DESCRIBED IN THIS SECTION SATISFIES THE DEFINITION18
OF CONSENT PROVIDED IN SECTION 6-1-1303 (5), CONSENT IS CONSIDERED19
TO BE FREELY GIVEN AND VALID FOR THE PURPOSES DESCRIBED IN20
SUBSECTION (6)(a) OF THIS SECTION.21
(d) N
OTHING IN THIS SECTION RESTRICTS AN EMPLOYER OR ITS
22
PROCESSOR'S ABILITY TO COLLECT AND PROCESS AN EMPLOYEE 'S OR23
PROSPECTIVE EMPLOYEE'S BIOMETRIC IDENTIFIER FOR USES ALIGNED WITH24
THE REASONABLE EXPECTATIONS OF :25
(I) A
N EMPLOYEE BASED ON THE EMPLOYEE 'S JOB DESCRIPTION OR
26
ROLE; OR27
1130
-11- (II) A PROSPECTIVE EMPLOYEE BASED ON A REASONABLE1
BACKGROUND CHECK , APPLICATION, OR IDENTIFICATION REQUIREMENTS2
IN ACCORDANCE WITH THIS SECTION.3
(7) Rules. T
HE DEPARTMENT OF LAW MAY PROMULGATE RULES4
FOR THE IMPLEMENTATION OF THIS SECTION , INCLUDING RULES5
PROMULGATED IN CONSULTATION WITH THE OFFICE OF INFORMATION6
TECHNOLOGY AND THE DEPARTMENT OF REGULATORY AGENCIES7
ESTABLISHING APPROPRIATE SECURITY STANDARDS FOR
BIOMETRIC8
IDENTIFIERS AND BIOMETRIC DATA THAT ARE MORE STRINGENT THAN THE9
REQUIREMENTS DESCRIBED IN THIS SECTION .10
SECTION 3. In Colorado Revised Statutes, 6-1-1303, add (2.2)11
and (2.4) as follows:12
6-1-1303. Definitions. As used in this part 13, unless the context13
otherwise requires:14
(2.2) (a) "BIOMETRIC DATA" MEANS ONE OR MORE BIOMETRIC15
IDENTIFIERS THAT ARE USED OR INTENDED TO BE USED , SINGLY OR IN16
COMBINATION WITH EACH OTHER OR WITH OTHER PERSONAL DATA , FOR17
IDENTIFICATION PURPOSES.18
(b) "BIOMETRIC DATA" DOES NOT INCLUDE THE FOLLOWING19
UNLESS THE BIOMETRIC DATA IS USED FOR IDENTIFICATION PURPOSES :20
(I) A DIGITAL OR PHYSICAL PHOTOGRAPH;21
(II) AN AUDIO OR VOICE RECORDING; OR22
(III) ANY DATA GENERATED FROM A DIGITAL OR PHYSICAL23
PHOTOGRAPH OR AN AUDIO OR VIDEO RECORDING .24
(2.4) "B
IOMETRIC IDENTIFIER" MEANS DATA GENERATED BY THE25
TECHNOLOGICAL PROCESSING , MEASUREMENT, OR ANALYSIS OF A26
CONSUMER'S BIOLOGICAL, PHYSICAL, OR BEHAVIORAL CHARACTERISTICS,27
1130
-12- WHICH DATA CAN BE PROCESSED FOR THE PURPOSE OF UNIQUELY1
IDENTIFYING AN INDIVIDUAL. "BIOMETRIC IDENTIFIER" INCLUDES:2
(a) A
FINGERPRINT;3
(b) A
VOICEPRINT;4
(c) A
SCAN OR RECORD OF AN EYE RETINA OR IRIS;5
(d) A
FACIAL MAP, FACIAL GEOMETRY, OR FACIAL TEMPLATE; OR
6
(e) O
THER UNIQUE BIOLOGICAL , PHYSICAL, OR BEHAVIORAL
7
PATTERNS OR CHARACTERISTICS .8
SECTION 4. In Colorado Revised Statutes, 6-1-1304, amend (1);9
and add (6) as follows:10
6-1-1304. Applicability of part. (1) Except as specified in11
subsection (2) of this section, this part 13 applies to a controller that:12
(a) (I) Conducts business in Colorado or produces or delivers13
commercial products or services that are intentionally targeted to14
residents of Colorado; and15
(b) (II) Satisfies one or both of the following thresholds:16
(I) (A) Controls or processes the personal data of one hundred17
thousand consumers or more during a calendar year; or18
(II) (B) Derives revenue or receives a discount on the price of19
goods or services from the sale of personal data and processes or controls20
the personal data of twenty-five thousand consumers or more;
OR21
(b) CONTROLS OR PROCESSES ANY AMOUNT OF BIOMETRIC22
IDENTIFIERS OR BIOMETRIC DATA REGARDLESS OF THE AMOUNT OF23
BIOMETRIC IDENTIFIERS OR BIOMETRIC DATA CONTROLLED OR PROCESSED24
ANNUALLY; EXCEPT THAT A CONTROLLER THAT MEETS THE25
QUALIFICATIONS OF THIS SUBSECTION (1)(b) BUT DOES NOT MEET THE26
QUALIFICATIONS OF SUBSECTION (1)(a) OF THIS SECTION SHALL COMPLY27
1130
-13- WITH THIS PART 13 ONLY FOR THE PURPOSES OF A BIOMETRIC IDENTIFIER1
OR BIOMETRIC DATA THAT THE CONTROLLER COLLECTS AND PROCESSES .2
3
SECTION 5. Act subject to petition - effective date -4
applicability. (1) This act takes effect July 1, 2025; except that, if a5
referendum petition is filed pursuant to section 1 (3) of article V of the6
state constitution against this act or an item, section, or part of this act7
within the ninety-day period after final adjournment of the general8
assembly, then the act, item, section, or part will not take effect unless9
approved by the people at the general election to be held in November10
2024 and, in such case, will take effect July 1, 2025, or on the date of the11
official declaration of the vote thereon by the governor, whichever is12
later.13
(2) This act applies to the collection, retention, processing, and14
use of biometric identifiers and biometric data on and after the applicable15
effective date of this act.16
1130
-14-