CO
Colorado House Bill HB1130

Colorado 2024 Regular Session

Colorado House Bill HB1130 Compare Versions

OldNewDifferences
1+Second Regular Session
2+Seventy-fourth General Assembly
3+STATE OF COLORADO
4+REREVISED
5+This Version Includes All Amendments
6+Adopted in the Second House
7+LLS NO. 24-0534.01 Richard Sweetman x4333
18 HOUSE BILL 24-1130
2-BY REPRESENTATIVE(S) Daugherty and Lynch, Amabile, Bacon, Bird,
3-Boesenecker, Brown, deGruy Kennedy, Duran, Hamrick, Herod, Jodeh,
4-Kipp, Lieder, Lindsay, Mabrey, Marshall, Marvin, Parenti, Rutinel, Sirota,
5-Titone, Valdez, Weinberg, Weissman, Young, McCluskie, Clifford, Frizell,
6-Joseph, Martinez, Ricks, Soper, Story;
7-also SENATOR(S) Lundeen and Hansen, Baisley, Bridges, Buckner,
8-Cutter, Gardner, Ginal, Gonzales, Hinrichsen, Michaelson Jenet, Pelton B.,
9-Priola, Van Winkle, Will.
9+House Committees Senate Committees
10+Judiciary Judiciary
11+A BILL FOR AN ACT
1012 C
11-ONCERNING PROTECTING THE PRIVACY OF AN INDIVIDUAL 'S BIOMETRIC
12-DATA
13-.
14-Be it enacted by the General Assembly of the State of Colorado:
15-SECTION 1. Legislative declaration. (1) The general assembly
16-finds that:
17-(a) Businesses increasingly use biometric identifiers to attempt to
18-verify customer identities, streamline transactions, control access to secure
19-areas, and maximize revenues;
20-(b) Biometric identifiers are unlike other unique identifiers that are
21-NOTE: This bill has been prepared for the signatures of the appropriate legislative
22-officers and the Governor. To determine whether the Governor has signed the bill
23-or taken other action on it, please consult the legislative status sheet, the legislative
24-history, or the Session Laws.
25-________
26-Capital letters or bold & italic numbers indicate new material added to existing law; dashes
27-through words or numbers indicate deletions from existing law and such material is not part of
28-the act. used to verify identity or to access finances or other sensitive information
29-because, unlike social security numbers, for example, biometric identifiers
30-cannot be changed; they are unique to an individual, and once an
31-individual's biometric identifiers are compromised, the individual has no
32-recourse, is at heightened risk for identity theft, and may no longer feel safe
33-participating in biometric-facilitated transactions;
34-(c) The public has grown wary of the use of biometric identifiers
35-due to recent data breaches that have exposed many individuals' biometric
36-identifiers, leaving those individuals vulnerable to harm; and
37-(d) Biometric identifiers can be collected without an individual's
38-knowledge, applied instantaneously to identify the individual in
39-circumstances where the individual has an expectation of privacy and
40-anonymity, and used to identify and track the individual's movements,
41-activities, and associations.
42-(2) The general assembly further finds that:
43-(a) One increasingly prevalent biometric collection and matching
44-technology, facial recognition technology, has been shown to have higher
45-rates of misidentification and misclassification when it is used on faces of
46-color, of women, of children, of the elderly, and of transgender and
47-nonbinary persons; and
48-(b) This misidentification and misclassification has led to
49-documented cases of businesses refusing admission or service to individuals
50-because facial recognition systems incorrectly "matched" the individuals to
51-photos of suspected shoplifters or other individuals who had been barred
52-from the premises.
53-(3) While increasing protections for individuals' biometric
54-identifiers is of the utmost importance, critical privacy protections must be
55-balanced with the use of biometric data to support public safety as outlined
56-in state and federal statutes. The "Colorado Privacy Act", part 13 of article
57-1 of title 6, Colorado Revised Statutes, includes a variety of exceptions to
58-the requirements established in this act, including permitted uses of
59-biometric data for public safety needs, and all of the exceptions that apply
60-to the entirety of the "Colorado Privacy Act" apply to the protections
61-established for biometric data and biometric identifiers in this act.
62-PAGE 2-HOUSE BILL 24-1130 (4) Therefore, the general assembly declares that the public welfare,
63-security, and safety will be served by regulating the collection, use,
64-safeguarding, handling, storage, retention, and destruction of biometric
65-identifiers.
66-SECTION 2. In Colorado Revised Statutes, add 6-1-1314 as
67-follows:
68-6-1-1314. Biometric data and biometric identifiers - controllers
69-- duties and requirements - written policy - prohibited acts - right to
70-correct biometric identifiers - right to access biometric identifiers -
71-remedies and civil actions - definitions. (1) A
72-S USED IN THIS SECTION,
73-UNLESS THE CONTEXT OTHERWISE REQUIRES :
13+ONCERNING PROTECTING THE PRIVACY OF AN INDIVIDUAL 'S101
14+BIOMETRIC DATA.102
15+Bill Summary
16+(Note: This summary applies to this bill as introduced and does
17+not reflect any amendments that may be subsequently adopted. If this bill
18+passes third reading in the house of introduction, a bill summary that
19+applies to the reengrossed version of this bill will be available at
20+http://leg.colorado.gov
21+.)
22+The bill amends the "Colorado Privacy Act" to add protections for
23+an individual's biometric data by requiring a person that, alone or jointly
24+with others, determines the purposes for and means of processing
25+biometric data (controller) to adopt a written policy that:
26+! Establishes a retention schedule for biometric identifiers;
27+! Includes a protocol for responding to a breach of security
28+SENATE
29+3rd Reading Unamended
30+April 19, 2024
31+SENATE
32+Amended 2nd Reading
33+April 18, 2024
34+HOUSE
35+Amended 3rd Reading
36+February 20, 2024
37+HOUSE
38+Amended 2nd Reading
39+February 16, 2024
40+HOUSE SPONSORSHIP
41+Daugherty and Lynch, Amabile, Bacon, Bird, Boesenecker, Brown, deGruy Kennedy,
42+Duran, Hamrick, Herod, Jodeh, Kipp, Lieder, Lindsay, Mabrey, Marshall, Marvin,
43+McCluskie, Parenti, Rutinel, Sirota, Titone, Valdez, Weinberg, Weissman, Young
44+SENATE SPONSORSHIP
45+Lundeen and Hansen, Baisley, Bridges, Buckner, Cutter, Gardner, Ginal, Gonzales,
46+Hinrichsen, Michaelson Jenet, Pelton B., Priola, Van Winkle, Will
47+Shading denotes HOUSE amendment. Double underlining denotes SENATE amendment.
48+Capital letters or bold & italic numbers indicate new material to be added to existing law.
49+Dashes through the words or numbers indicate deletions from existing law. of biometric data; and
50+! Includes guidelines that require the permanent destruction
51+of a biometric identifier by the earliest of certain dates.
52+The bill also:
53+! Prohibits a controller from collecting a biometric identifier
54+unless the controller first satisfies certain disclosure and
55+consent requirements;
56+! Specifies certain prohibited acts and requirements for
57+controllers that collect and use biometric data;
58+! Requires a controller to allow a consumer to access and
59+update a biometric identifier;
60+! Restricts an employer's permissible reasons for obtaining
61+an employee's consent for the collection of biometric
62+identifiers; and
63+! Authorizes the attorney general to promulgate rules to
64+implement the bill.
65+Be it enacted by the General Assembly of the State of Colorado:1
66+SECTION 1. Legislative declaration. (1) The general assembly2
67+finds that:3
68+(a) Businesses increasingly use biometric identifiers to attempt to4
69+verify customer identities, streamline transactions, control access to5
70+secure areas, and maximize revenues;6
71+(b) Biometric identifiers are unlike other unique identifiers that7
72+are used to verify identity or to access finances or other sensitive8
73+information because, unlike social security numbers, for example,9
74+biometric identifiers cannot be changed; they are unique to an individual,10
75+and once an individual's biometric identifiers are compromised, the11
76+individual has no recourse, is at heightened risk for identity theft, and12
77+may no longer feel safe participating in biometric-facilitated transactions;13
78+(c) The public has grown wary of the use of biometric identifiers14
79+due to recent data breaches that have exposed many individuals' biometric15
80+identifiers, leaving those individuals vulnerable to harm; and16
81+1130-2- (d) Biometric identifiers can be collected without an individual's1
82+knowledge, applied instantaneously to identify the individual in2
83+circumstances where the individual has an expectation of privacy and3
84+anonymity, and used to identify and track the individual's movements,4
85+activities, and associations.5
86+(2) The general assembly further finds that:6
87+(a) One increasingly prevalent biometric collection and matching7
88+technology, facial recognition technology, has been shown to have higher8
89+rates of misidentification and misclassification when it is used on faces9
90+of color, of women, of children, of the elderly, and of transgender and10
91+nonbinary persons; and11
92+(b) This misidentification and misclassification has led to12
93+documented cases of businesses refusing admission or service to13
94+individuals because facial recognition systems incorrectly "matched" the14
95+individuals to photos of suspected shoplifters or other individuals who15
96+had been barred from the premises.16
97+(3) While increasing protections for individuals' biometric17
98+identifiers is of the utmost importance, critical privacy protections must18
99+be balanced with the use of biometric data to support public safety as19
100+outlined in state and federal statutes. The "Colorado Privacy Act", part 1320
101+of article 1 of title 6, includes a variety of exceptions to the requirements21
102+established in this act, including permitted uses of biometric data for22
103+public safety needs, and all of the exceptions that apply to the entirety of23
104+the "Colorado Privacy Act" apply to the protections established for24
105+biometric data and biometric identifiers in this act.25
106+(4) Therefore, the general assembly declares that the public26
107+welfare, security, and safety will be served by regulating the collection,27
108+1130
109+-3- use, safeguarding, handling, storage, retention, and destruction of1
110+biometric identifiers.2
111+SECTION 2. In Colorado Revised Statutes, add 6-1-1314 as3
112+follows:4
113+6-1-1314. Biometric data and biometric identifiers -5
114+controllers - duties and requirements - written policy - prohibited6
115+acts - right to correct biometric identifiers - right to access biometric7
116+identifiers - remedies and civil actions - definitions. (1) A
117+S USED IN8
118+THIS SECTION, UNLESS THE CONTEXT OTHERWISE REQUIRES :9
74119 (a) "C
75-OLLECT", "COLLECTION", OR "COLLECTING" MEANS TO ACCESS,
76-ASSEMBLE, BUY, RENT, GATHER, PROCURE, RECEIVE, CAPTURE, OR
77-OTHERWISE OBTAIN ANY BIOMETRIC IDENTIFIER OR BIOMETRIC DATA
78-PERTAINING TO A CONSUMER BY ANY MEANS
79-, ONLINE OR OFFLINE,
80-INCLUDING:
120+OLLECT", "COLLECTION", OR "COLLECTING" MEANS TO10
121+ACCESS, ASSEMBLE, BUY, RENT, GATHER, PROCURE, RECEIVE,
122+CAPTURE, OR11
123+OTHERWISE OBTAIN ANY BIOMETRIC IDENTIFIER OR BIOMETRIC DATA12
124+PERTAINING TO A CONSUMER BY ANY MEANS , ONLINE OR OFFLINE,13
125+INCLUDING:14
81126 (I) A
82-CTIVELY OR PASSIVELY RECEIVING A BIOMETRIC IDENTIFIER OR
83-BIOMETRIC DATA FROM THE CONSUMER OR FROM A THIRD PARTY
84-; AND
85-(II) OBTAINING BIOMETRIC DATA BY OBSERVING THE CONSUMER 'S
86-BEHAVIOR
87-.
127+CTIVELY OR PASSIVELY RECEIVING
128+A BIOMETRIC IDENTIFIER15
129+OR BIOMETRIC DATA FROM THE CONSUMER OR FROM A THIRD PARTY ; AND16
130+(II) O
131+BTAINING BIOMETRIC DATA BY OBSERVING THE CONSUMER 'S17
132+BEHAVIOR.18
88133 (b) "E
89-MPLOYEE" MEANS AN INDIVIDUAL WHO IS EMPLOYED
90-FULL
91--TIME, PART-TIME, OR ON-CALL OR WHO IS HIRED AS A CONTRACTOR ,
92-SUBCONTRACTOR, INTERN, OR FELLOW.
134+MPLOYEE" MEANS AN INDIVIDUAL WHO IS EMPLOYED19
135+FULL-TIME, PART-TIME, OR ON-CALL OR WHO IS HIRED AS A CONTRACTOR,20
136+SUBCONTRACTOR, INTERN, OR FELLOW.21
93137 (c) "L
94-EGALLY AUTHORIZED REPRESENTATIVE " MEANS A PARENT OR
95-LEGAL GUARDIAN OF A MINOR OR A LEGAL GUARDIAN OF AN ADULT
96-.
138+EGALLY AUTHORIZED REPRESENTATIVE " MEANS A PARENT
139+22
140+OR LEGAL GUARDIAN OF A MINOR OR A LEGAL GUARDIAN OF AN ADULT .23
97141 (2) Written policy required. (a) A
98- CONTROLLER THAT CONTROLS
99-OR PROCESSES ONE OR MORE BIOMETRIC IDENTIFIERS SHALL ADOPT A
100-WRITTEN POLICY THAT
101-:
142+ CONTROLLER
143+THAT CONTROLS24
144+OR PROCESSES ONE OR MORE BIOMETRIC IDENTIFIERS SHALL ADOPT A25
145+WRITTEN POLICY THAT:26
102146 (I) E
103-STABLISHES A RETENTION SCHEDULE FOR BIOMETRIC
104-IDENTIFIERS AND BIOMETRIC DATA
105-;
106-PAGE 3-HOUSE BILL 24-1130 (II) INCLUDES A PROTOCOL FOR RESPONDING TO A DATA SECURITY
107-INCIDENT THAT MAY COMPROMISE THE SECURITY OF BIOMETRIC IDENTIFIERS
108-OR BIOMETRIC DATA
109-, INCLUDING A PROCESS FOR NOTIFYING A CONSUMER
110-WHEN THE SECURITY OF THE CONSUMER
111-'S BIOMETRIC IDENTIFIER OR
112-BIOMETRIC DATA HAS BEEN BREACHED
113-, PURSUANT TO SECTION 6-1-716; AND
114-(III) INCLUDES GUIDELINES THAT REQUIRE THE DELETION OF A
115-BIOMETRIC IDENTIFIER ON OR BEFORE THE EARLIEST OF THE FOLLOWING
116-DATES
117-:
147+STABLISHES A RETENTION SCHEDULE FOR BIOMETRIC27
148+1130
149+-4- IDENTIFIERS AND BIOMETRIC DATA;1
150+(II) I
151+NCLUDES A PROTOCOL FOR RESPONDING TO A DATA SECURITY
152+2
153+INCIDENT THAT MAY COMPROMISE THE SECURITY OF BIOMETRIC3
154+IDENTIFIERS OR BIOMETRIC DATA, INCLUDING A PROCESS FOR NOTIFYING4
155+A CONSUMER WHEN THE SECURITY OF THE CONSUMER 'S BIOMETRIC5
156+IDENTIFIER OR BIOMETRIC DATA HAS BEEN BREACHED , PURSUANT TO6
157+SECTION 6-1-716; AND7
158+(III) I
159+NCLUDES GUIDELINES THAT REQUIRE THE DELETION OF A
160+8
161+BIOMETRIC IDENTIFIER ON OR BEFORE THE EARLIEST OF THE FOLLOWING9
162+DATES:10
118163 (A) T
119-HE DATE UPON WHICH THE INITIAL PURPOSE FOR COLLECTING
120-THE BIOMETRIC IDENTIFIER HAS BEEN SATISFIED
121-;
164+HE DATE UPON WHICH THE INITIAL PURPOSE FOR COLLECTING11
165+THE BIOMETRIC IDENTIFIER HAS BEEN SATISFIED;12
122166 (B) T
123-WENTY-FOUR MONTHS AFTER THE CONSUMER LAST INTERACTED
124-WITH THE CONTROLLER
125-; OR
126-(C) THE EARLIEST REASONABLY FEASIBLE DATE , WHICH DATE MUST
127-BE NO MORE THAN FORTY
128--FIVE DAYS AFTER A CONTROLLER DETERMINES
129-THAT STORAGE OF THE BIOMETRIC IDENTIFIER IS NO LONGER NECESSARY
130-,
131-ADEQUATE, OR RELEVANT TO THE EXPRESS PROCESSING PURPOSE IDENTIFIED
132-BY A REVIEW CONDUCTED BY THE CONTROLLER AT LEAST ONCE ANNUALLY
133-.
134-T
135-HE CONTROLLER MAY EXTEND THE FORTY -FIVE-DAY PERIOD DESCRIBED IN
136-THIS SUBSECTION
137- (2)(a)(III)(C) BY UP TO FORTY-FIVE ADDITIONAL DAYS IF
138-SUCH AN EXTENSION IS REASONABLY NECESSARY
139-, TAKING INTO ACCOUNT
140-THE COMPLEXITY AND NUMBER OF BIOMETRIC IDENTIFIERS REQUIRED TO BE
141-DELETED
142-.
143-(b) A
144- CONTROLLER SHALL MAKE ITS POLICY ADOPTED PURSUANT TO
145-SUBSECTION
146- (2)(a) OF THIS SECTION AVAILABLE TO THE PUBLIC ; EXCEPT
147-THAT A CONTROLLER IS NOT REQUIRED TO MAKE AVAILABLE TO THE PUBLIC
148-:
167+WENTY-FOUR MONTHS AFTER THE CONSUMER LAST
168+13
169+INTERACTED WITH THE CONTROLLER ; OR14
170+(C) T
171+HE EARLIEST REASONABLY FEASIBLE DATE , WHICH DATE
172+15
173+MUST BE NO MORE THAN FORTY -FIVE DAYS AFTER A CONTROLLER16
174+DETERMINES THAT STORAGE OF THE BIOMETRIC IDENTIFIER IS NO LONGER17
175+NECESSARY, ADEQUATE, OR RELEVANT TO THE EXPRESS PROCESSING18
176+PURPOSE IDENTIFIED BY A REVIEW CONDUCTED BY THE CONTROLLER AT19
177+LEAST ONCE ANNUALLY . THE CONTROLLER MAY EXTEND THE20
178+FORTY-FIVE-DAY PERIOD DESCRIBED IN THIS SUBSECTION (2)(a)(III)(C) BY21
179+UP TO FORTY-FIVE ADDITIONAL DAYS IF SUCH AN EXTENSION IS22
180+REASONABLY NECESSARY , TAKING INTO ACCOUNT THE COMPLEXITY AND23
181+NUMBER OF BIOMETRIC IDENTIFIERS REQUIRED TO BE DELETED .24
182+(b) A CONTROLLER SHALL MAKE ITS POLICY ADOPTED PURSUANT25
183+TO SUBSECTION (2)(a) OF THIS SECTION AVAILABLE TO THE PUBLIC ;26
184+EXCEPT THAT A CONTROLLER IS NOT REQUIRED TO MAKE AVAILABLE TO27
185+1130
186+-5- THE PUBLIC:1
149187 (I) A
150- WRITTEN POLICY THAT APPLIES ONLY TO CURRENT EMPLOYEES
151-OF THE CONTROLLER
152-;
188+ WRITTEN POLICY THAT APPLIES ONLY TO CURRENT
189+2
190+EMPLOYEES OF THE CONTROLLER ;3
153191 (II) A
154192 WRITTEN POLICY THAT IS USED SOLELY BY EMPLOYEES AND
155-AGENTS OF THE CONTROLLER FOR THE OPERATION OF THE CONTROLLER
156-; OR
157-(III) THE INTERNAL PROTOCOL FOR RESPONDING TO A DATA
158-SECURITY INCIDENT THAT MAY COMP ROMISE THE SECURITY OF BIOMETRIC
159-IDENTIFIERS OR BIOMETRIC DATA
160-.
161-PAGE 4-HOUSE BILL 24-1130 (3) Processors - security breach protocols. A PROCESSOR OF
162-BIOMETRIC IDENTIFIERS OR BIOMETRIC DATA MUST HAVE A PROTOCOL FOR
163-RESPONDING TO A DATA SECURITY INCIDENT THAT MAY COMPROMISE THE
164-SECURITY OF BIOMETRIC IDENTIFIERS OR BIOMETRIC DATA
165-, INCLUDING A
166-PROCESS FOR NOTIFYING THE CONTROLLER WHEN THE SECURITY OF A
167-CONSUMER
168-'S BIOMETRIC IDENTIFIER OR BIOMETRIC DATA HAS BEEN
169-BREACHED
170-, PURSUANT TO SECTION 6-1-716.
171-(4) Collection and retention of biometric identifiers -
193+4
194+AGENTS OF THE CONTROLLER FOR THE OPERATION OF THE CONTROLLER ;5
195+OR6
196+(III) T
197+HE INTERNAL PROTOCOL FOR RESPONDING TO A DATA
198+7
199+SECURITY INCIDENT THAT MAY COMP ROMISE THE SECURITY OF BIOMETRIC8
200+IDENTIFIERS OR BIOMETRIC DATA.9
201+(3) Processors - security breach protocols. A
202+ PROCESSOR OF
203+10
204+BIOMETRIC IDENTIFIERS OR BIOMETRIC DATA MUST HAVE A PROTOCOL FOR11
205+RESPONDING TO A DATA SECURITY INCIDENT THAT MAY COMPROMISE THE12
206+SECURITY OF BIOMETRIC IDENTIFIERS OR BIOMETRIC DATA , INCLUDING A13
207+PROCESS FOR NOTIFYING THE CONTROLLER WHEN THE SECURITY OF A14
208+CONSUMER'S BIOMETRIC IDENTIFIER OR BIOMETRIC DATA HAS BEEN15
209+BREACHED, PURSUANT TO SECTION 6-1-716.16
210+(4) Collection and retention of biometric identifiers -17
172211 requirements - prohibited acts. (a) A
173- CONTROLLER SHALL NOT COLLECT
174-OR PROCESS A BIOMETRIC IDENTIFI ER OF A CONSUMER UNLESS THE
175-CONTROLLER FIRST
176-:
212+ CONTROLLER SHALL NOT COLLECT18
213+OR PROCESS A BIOMETRIC IDENTIFI ER OF A CONSUMER UNLESS THE19
214+CONTROLLER FIRST:20
177215 (I) S
178-ATISFIES ALL DUTIES REQUIRED BY SECTION 6-1-1308;
216+ATISFIES ALL DUTIES REQUIRED BY SECTION 6-1-1308;21
179217 (II) I
180-NFORMS THE CONSUMER OR THE CONSUMER 'S LEGALLY
181-AUTHORIZED REPRESENTATIVE IN A CLEAR
182-, REASONABLY ACCESSIBLE, AND
183-UNDERSTANDABLE M ANNER THAT A BIOMETRIC IDENTIFIER IS BEING
184-COLLECTED
185-;
218+NFORMS THE CONSUMER OR THE CONSUMER 'S LEGALLY22
219+AUTHORIZED REPRESENTATIVE IN A CLEAR , REASONABLY ACCESSIBLE,
220+23
221+AND UNDERSTANDABLE MANNER THAT A BIOMETRIC IDENTIFIER IS BEING24
222+COLLECTED;25
186223 (III) I
187-NFORMS THE CONSUMER OR THE CONSUMER 'S LEGALLY
188-AUTHORIZED REPRESENTATIVE IN A CLEAR
189-, REASONABLY ACCESSIBLE, AND
190-UNDERSTANDABLE MANNER OF THE SPECIFIC PURPOSE FOR WHICH A
191-BIOMETRIC IDENTIFIER IS BEING COLLECTED AND THE LENGTH OF TIME THAT
192-THE CONTROLLER WILL RETAIN THE BIOMETRIC IDENTIFIER
193-; AND
194-(IV) INFORMS THE CONSUMER OR THE CONSUMER 'S LEGALLY
195-AUTHORIZED REPRESENTATIVE IN A CLEAR
196-, REASONABLY ACCESSIBLE, AND
197-UNDERSTANDABLE MANNER IF THE BIOMETRIC IDENTIFIER WILL BE
198-DISCLOSED
199-, REDISCLOSED, OR OTHERWISE DISSEMINATED TO A PROCESSOR
200-AND THE SPECIFIC PURPOSE FOR WHICH THE BIOMETRIC IDENTIFIER IS BEING
201-SHARED WITH A PROCESSOR
202-.
203-(b) A
204- CONTROLLER THAT PROCESSES A CONSUMER 'S BIOMETRIC
205-IDENTIFIER SHALL NOT
206-:
224+NFORMS THE CONSUMER OR THE CONSUMER 'S LEGALLY26
225+AUTHORIZED REPRESENTATIVE IN A CLEAR , REASONABLY ACCESSIBLE,
226+27
227+1130
228+-6- AND UNDERSTANDABLE MANNER OF THE SPECIFIC PURPOSE FOR WHICH A1
229+BIOMETRIC IDENTIFIER IS BEING COLLECTED AND THE LENGTH OF TIME2
230+THAT THE CONTROLLER WILL RETAIN THE BIOMETRIC IDENTIFIER ; AND3
231+(IV) I
232+NFORMS THE CONSUMER OR THE CONSUMER 'S LEGALLY4
233+AUTHORIZED REPRESENTATIVE IN A CLEAR , REASONABLY ACCESSIBLE ,
234+5
235+AND UNDERSTANDABLE MANNER IF THE BIOMETRIC IDENTIFIER WILL BE6
236+DISCLOSED, REDISCLOSED, OR OTHERWISE DISSEMINATED TO A PROCESSOR7
237+AND THE SPECIFIC PURPOSE FOR WHICH THE BIOMETRIC IDENTIFIER IS8
238+BEING SHARED WITH A PROCESSOR .9
239+(b) A CONTROLLER THAT PROCESSES A CONSUMER'S BIOMETRIC10
240+IDENTIFIER SHALL NOT:11
207241 (I) S
208-ELL, LEASE, OR TRADE THE BIOMETRIC IDENTIFIER WITH ANY
209-ENTITY
210-; OR
211-(II) DISCLOSE, REDISCLOSE, OR OTHERWISE DISSEMINATE THE
212-PAGE 5-HOUSE BILL 24-1130 BIOMETRIC IDENTIFIER UNLESS:
242+ELL, LEASE, OR TRADE THE BIOMETRIC IDENTIFIER WITH ANY12
243+ENTITY; OR
244+13
245+(II) DISCLOSE, REDISCLOSE, OR OTHERWISE DISSEMINATE THE14
246+BIOMETRIC IDENTIFIER UNLESS:15
213247 (A) T
214-HE CONSUMER OR THE CONSUMER 'S LEGALLY AUTHORIZED
215-REPRESENTATIVE CONSENTS TO THE DISCLOSURE
216-, REDISCLOSURE, OR OTHER
217-DISSEMINATION
218-;
248+HE CONSUMER OR THE CONSUMER 'S LEGALLY AUTHORIZED16
249+REPRESENTATIVE CONSENTS TO THE DISCLOSURE , REDISCLOSURE, OR17
250+OTHER DISSEMINATION;18
219251 (B) T
220-HE DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION IS
221-REQUESTED OR AUTHORIZED BY THE CONSUMER OR THE CONSUMER
222-'S
223-LEGALLY AUTHORIZED REPRESENTATIVE FOR THE PURPOSE OF COMPLETING
224-A FINANCIAL TRANSACTION
225-;
252+HE DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION19
253+IS REQUESTED OR AUTHORIZED BY THE CONSUMER OR THE CONSUMER 'S20
254+LEGALLY AUTHORIZED REPRESENTATIVE FOR THE PURPOSE OF21
255+COMPLETING A FINANCIAL TRANSACTION ;22
226256 (C) T
227-HE DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION IS
228-TO A PROCESSOR AND IS NECESSARY FOR THE PURPOSE FOR WHICH THE
229-BIOMETRIC IDENTIFIER WAS COLLECTED AND TO WHICH THE CONSUMER OR
230-THE CONSUMER
231-'S LEGALLY AUTHORIZED REPRESENTATIVE CONSENTED ; OR
232-(D) THE DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION IS
233-REQUIRED BY STATE OR FEDERAL LAW
234-.
235-(c) A
236- CONTROLLER SHALL NOT:
257+HE DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION23
258+IS TO A PROCESSOR AND IS NECESSARY FOR THE PURPOSE FOR WHICH THE24
259+BIOMETRIC IDENTIFIER WAS COLLECTED AND TO WHICH THE CONSUMER OR25
260+THE CONSUMER'S LEGALLY AUTHORIZED REPRESENTATIVE CONSENTED ; OR26
261+(D) T
262+HE DISCLOSURE, REDISCLOSURE, OR OTHER DISSEMINATION
263+27
264+1130
265+-7- IS REQUIRED BY STATE OR FEDERAL LAW .1
266+(c) A CONTROLLER SHALL NOT:2
237267 (I) R
238-EFUSE TO PROVIDE A GOOD OR SERVICE TO A CONSUMER , BASED
239-ON THE CONSUMER
240-'S REFUSAL TO CONSENT TO THE CONTROLLER 'S
241-COLLECTION
242-, USE, DISCLOSURE, TRANSFER, SALE, RETENTION, OR
243-PROCESSING OF A BIOMETRIC IDENTIFIER UNLESS THE COLLECTION
244-, USE,
245-DISCLOSURE, TRANSFER, SALE, RETENTION, OR PROCESSING OF THE
246-BIOMETRIC IDENTIFIER IS NECESSARY TO PROVIDE THE GOOD OR SERVICE
247-;
268+EFUSE TO PROVIDE A GOOD OR SERVICE TO A
269+CONSUMER,3
270+BASED ON THE CONSUMER'S REFUSAL TO CONSENT TO THE CONTROLLER'S4
271+COLLECTION, USE, DISCLOSURE, TRANSFER, SALE, RETENTION, OR5
272+PROCESSING OF A BIOMETRIC IDENTIFIER UNLESS THE COLLECTION, USE,6
273+DISCLOSURE, TRANSFER, SALE, RETENTION, OR PROCESSING OF THE7
274+BIOMETRIC IDENTIFIER IS NECESSARY TO PROVIDE THE GOOD OR SERVICE ;8
275+ 9
248276 (II) C
249-HARGE A DIFFERENT PRICE OR RATE FOR A GOOD OR SERVICE OR
250-PROVIDE A DIFFERENT LEVEL OF QUALITY OF A GOOD OR SERVICE TO ANY
251-CONSUMER WHO EXERCISES THE CONSUMER
252-'S RIGHTS UNDER THIS PART 13;
253-OR
254-(III) PURCHASE A BIOMETRIC IDENTIFIER UNLESS THE CONTROLLER
255-PAYS THE CONSUMER FOR THE COLLECTION OF THE CONSUMER
256-'S BIOMETRIC
257-IDENTIFIER
258-, THE PURCHASE IS UNRELATED TO THE PROVISION OF A PRODUCT
259-OR SERVICE TO THE CONSUMER
260-, AND THE CONTROLLER HAS OBTAINED
261-CONSENT AS DESCRIBED IN SUBSECTION
262- (4)(a) OF THIS SECTION.
277+HARGE A DIFFERENT PRICE OR RATE FOR A GOOD OR SERVICE10
278+OR PROVIDE A DIFFERENT LEVEL OF QUALITY OF A GOOD OR SERVICE TO11
279+ANY CONSUMER WHO EXERCISES THE CONSUMER 'S RIGHTS UNDER THIS12PART 13; OR13
280+(III) PURCHASE A BIOMETRIC IDENTIFIER UNLESS THE CONTROLLER14
281+PAYS THE CONSUMER FOR THE COLLECTION OF THE CONSUMER'S15
282+BIOMETRIC IDENTIFIER, THE PURCHASE IS UNRELATED TO THE PROVISION16
283+OF A PRODUCT OR SERVICE TO THE CONSUMER, AND THE CONTROLLER HAS17
284+ OBTAINED CONSENT AS DESCRIBED IN SUBSECTION (4)(a) OF THIS18
285+SECTION.19
263286 (d) A
264287 CONTROLLER OR PROCESSOR SHALL STORE , TRANSMIT, AND
265-PAGE 6-HOUSE BILL 24-1130 PROTECT FROM DISCLOSURE ALL BIOMETRIC IDENTIFIERS USING THE
266-STANDARD OF CARE WITHIN THE CONTROLLER
267-'S INDUSTRY AND IN
268-ACCORDANCE WITH SECTIONS
269-6-1-1305 (4) AND 6-1-1308 (5).
288+20
289+PROTECT FROM DISCLOSURE ALL BIOMETRIC IDENTIFIERS USING THE21
290+STANDARD OF CARE WITHIN THE CONTROLLER 'S INDUSTRY AND IN22
291+ACCORDANCE WITH SECTIONS 6-1-1305 (4) AND 6-1-1308 (5).23
270292 (e) A
271293 CONTROLLER SHALL OBTAIN CONSENT FROM A CONSUMER OR
272-FROM THE CONSUMER
273-'S LEGALLY AUTHORIZED REPRESENTATIVE BEFORE
274-COLLECTING THE CONSUMER
275-'S BIOMETRIC DATA, AS REQUIRED BY SECTION
276-6-1-1308 (7).
277-(5) Right to access biometric data - applicability - definition.
294+24
295+FROM THE CONSUMER'S LEGALLY AUTHORIZED REPRESENTATIVE BEFORE25
296+COLLECTING THE CONSUMER'S BIOMETRIC DATA, AS REQUIRED BY SECTION26
297+6-1-1308
298+ (7).
299+27
300+1130
301+-8- (5) Right to access biometric data - applicability - definition.1
278302 (a) E
279303 XCEPT AS DESCRIBED IN SUBSECTION (5)(b) OF THIS SECTION, AT THE
280-REQUEST OF A CONSUMER OR A CONSUMER
281-'S LEGALLY AUTHORIZED
282-REPRESENTATIVE
283-, A CONTROLLER THAT COLLECTS THE CONSUMER 'S
284-BIOMETRIC DATA SHALL DISCLOSE TO THE CONSUMER
285-, FREE OF CHARGE, THE
286-CATEGORY OR DESCRIPTION OF THE CONSUMER
287-'S BIOMETRIC DATA AND THE
288-FOLLOWING INFORMATION
289-:
304+2
305+REQUEST OF A CONSUMER OR A CONSUMER 'S LEGALLY AUTHORIZED3
306+REPRESENTATIVE, A CONTROLLER THAT COLLECTS THE CONSUMER 'S4
307+BIOMETRIC DATA SHALL DISCLOSE TO THE CONSUMER , FREE OF CHARGE,5
308+THE CATEGORY OR DESCRIPTION OF THE CONSUMER 'S BIOMETRIC DATA6
309+AND THE FOLLOWING INFORMATION :7
290310 (I) T
291311 HE SOURCE FROM WHICH THE CONTROLLER COLLECTED THE
292-BIOMETRIC DATA
293-;
312+8
313+BIOMETRIC DATA;9
294314 (II) T
295315 HE PURPOSE FOR WHICH THE CONTROLLER COLLECTED OR
296-PROCESSED THE BIOMETRIC DATA AND ANY ASSOCIATED PERSONAL DATA
297-;
316+10
317+PROCESSED THE BIOMETRIC DATA AND ANY ASSOCIATED PERSONAL DATA ;11
298318 (III) T
299319 HE IDENTITY OF ANY THIRD PARTY WITH WHICH THE
300-CONTROLLER DISCLOSED OR DISCLOSES THE BIOMETRIC DATA AND THE
301-PURPOSES FOR DISCLOSING
302-; AND
303-(IV) THE CATEGORY OR A DESCRIPTION OF THE SPECIFIC BIOMETRIC
304-DATA THAT THE CONTROLLER DISCLOSES TO THIRD PARTIES
305-.
320+12
321+CONTROLLER DISCLOSED OR DISCLOSES THE BIOMETRIC DATA AND THE13
322+PURPOSES FOR DISCLOSING; AND14
323+(IV) T
324+HE CATEGORY OR A DESCRIPTION OF THE SPECIFIC
325+15
326+BIOMETRIC DATA THAT THE CONTROLLER DISCLOSES TO THIRD PARTIES .16
306327 (b) T
307-HE REQUIREMENTS OF SUBSECTION (5)(a) OF THIS SECTION
308-APPLY ONLY TO
309-:
328+HE REQUIREMENTS OF SUBSECTION (5)(a) OF THIS SECTION17
329+APPLY ONLY TO:18
310330 (I) A
311- SOLE PROPRIETORSHIP, A PARTNERSHIP, A LIMITED LIABILITY
312-COMPANY
313-, A CORPORATION, AN ASSOCIATION, OR ANOTHER LEGAL ENTITY
314-THAT
315-:
331+ SOLE PROPRIETORSHIP, A PARTNERSHIP, A LIMITED LIABILITY19
332+COMPANY, A CORPORATION, AN ASSOCIATION, OR ANOTHER LEGAL ENTITY20
333+THAT:21
316334 (A) C
317-ONDUCTS BUSINESS IN COLORADO OR PRODUCES OR DELIVERS
318-COMMERCIAL PRODUCTS OR SERVICES THAT ARE MARKETED TO
319-COLORADO
320-RESIDENTS
321-;
322-PAGE 7-HOUSE BILL 24-1130 (B) COLLECTS BIOMETRIC DATA OR HAS BIOMETRIC DATA
323-COLLECTED ON ITS BEHALF
324-; AND
325-(C) EITHER COLLECTS OR PROCESSES THE PERSONAL DATA OF ONE
326-HUNDRED THOUSAND INDIVIDUALS OR MORE DURING A CALENDAR YEAR OR
327-COLLECTS AND PROCESSES THE PERSONAL DATA OF TWENTY
328--FIVE THOUSAND
329-INDIVIDUALS OR MORE AND DERIVES REVENUE FROM
330-, OR RECEIVES A
331-DISCOUNT ON THE PRICE OF GOODS OR SERVICES FROM
332-, THE SALE OF
333-PERSONAL DATA
334-;
335+ONDUCTS BUSINESS IN COLORADO OR PRODUCES OR22
336+DELIVERS COMMERCIAL PRODUCTS OR SERVICES THAT ARE MARKETED TO23
337+C
338+OLORADO RESIDENTS;24
339+(B) C
340+OLLECTS BIOMETRIC DATA
341+ OR HAS BIOMETRIC DATA25
342+COLLECTED ON ITS BEHALF; AND26
343+(C) E
344+ITHER COLLECTS OR PROCESSES THE PERSONAL DATA OF ONE27
345+1130
346+-9- HUNDRED THOUSAND INDIVIDUALS OR MORE DURING A CALENDAR YEAR1
347+OR COLLECTS AND PROCESSES THE PERSONAL DATA OF TWENTY -FIVE2
348+THOUSAND INDIVIDUALS OR MORE AND DERIVES REVENUE FROM , OR3
349+RECEIVES A DISCOUNT ON THE PRICE OF GOODS OR SERVICES FROM , THE4
350+SALE OF PERSONAL DATA;5
335351 (II) A
336- CONTROLLER THAT CONTROLS OR IS CONTROLLED BY ANOTHER
337-CONTROLLER AND THAT SHARES COMMON BRANDING WITH THE OTHER
338-CONTROLLER
339-. AS USED IN THIS SUBSECTION (5)(b)(II), "COMMON BRANDING"
340-MEANS A SHARED NAME, SERVICE MARK, OR TRADEMARK THAT A CONSUMER
341-WOULD REASONABLY UNDERSTAND TO INDICATE THAT TWO OR MORE
342-ENTITIES ARE COMMONLY OWNED
343-.
352+ CONTROLLER THAT CONTROLS OR IS CONTROLLED BY6
353+ANOTHER CONTROLLER AND THAT SHARES COMMON BRANDING WITH THE7
354+OTHER CONTROLLER. AS USED IN THIS SUBSECTION (5)(b)(II), "COMMON
355+8
356+BRANDING" MEANS A SHARED NAME , SERVICE MARK, OR TRADEMARK9
357+THAT A CONSUMER WOULD REASONABLY UNDERSTAND TO INDICATE THAT10
358+TWO OR MORE ENTITIES ARE COMMONLY OWNED .11
359+ 12
344360 (III) A
345- JOINT VENTURE OR PARTNERSHIP CONSISTING OF NO MORE
346-THAN TWO BUSINESSES THAT SHARE CONSUMERS
347-' PERSONAL DATA WITH
348-EACH OTHER
349-.
350-(6) Use of consent by employers. (a) A
351-N EMPLOYER MAY REQUIRE
352-AS A CONDITION OF EMPLOYMENT THAT AN EMPLOYEE OR A PROSPECTIVE
353-EMPLOYEE CONSENT TO ALLOWING THE EMPLOYER TO COLLECT AND
354-PROCESS THE EMPLOYEE
355-'S OR THE PROSPECTIVE EMPLOYEE 'S BIOMETRIC
356-IDENTIFIER ONLY TO
357-:
358-(I) P
359-ERMIT ACCESS TO SECURE PHYSICAL LOCATIONS AND SECURE
360-ELECTRONIC HARDWARE AND SOFTWARE APPLICATIONS
361-; EXCEPT THAT AN
362-EMPLOYER SHALL NOT OBTAIN THE EMPLOYEE
363-'S OR PROSPECTIVE
364-EMPLOYEE
365-'S CONSENT TO RETAIN BIOMETRIC DATA THAT IS USED FOR
366-CURRENT EMPLOYEE LOCATION TRACKING OR THE TRACKING OF HOW MUCH
367-TIME THE EMPLOYEE SPENDS USING A HARDWARE OR SOFTWARE
368-APPLICATION
369-;
370-(II) R
371-ECORD THE COMMENCEMENT AND CONCLUSION OF THE
372-EMPLOYEE
373-'S FULL WORK DAY, INCLUDING MEAL BREAKS AND REST BREAKS
374-IN EXCESS OF THIRTY MINUTES
375-;
361+ JOINT VENTURE OR PARTNERSHIP CONSISTING OF NO MORE13
362+THAN TWO BUSINESSES THAT SHARE CONSUMERS ' PERSONAL DATA WITH14
363+EACH OTHER.15
364+(6) Use of consent by employers.
365+(a) AN EMPLOYER MAY16
366+REQUIRE AS A CONDITION OF EMPLOYMENT THAT AN EMPLOYEE OR A17
367+PROSPECTIVE EMPLOYEE CONSENT TO ALLOWING THE EMPLOYER TO18
368+COLLECT AND PROCESS THE EMPLOYEE'S OR THE PROSPECTIVE EMPLOYEE'S19
369+BIOMETRIC IDENTIFIER ONLY TO:20
370+(I) PERMIT ACCESS TO SECURE PHYSICAL LOCATIONS AND SECURE21
371+ELECTRONIC HARDWARE AND SOFTWARE APPLICATIONS ; EXCEPT THAT AN22
372+EMPLOYER SHALL NOT OBTAIN THE EMPLOYEE 'S OR PROSPECTIVE23
373+EMPLOYEE'S CONSENT TO RETAIN BIOMETRIC DATA THAT IS USED FOR24
374+CURRENT EMPLOYEE LOCATION TRACKING OR THE TRACKING OF HOW25
375+MUCH TIME THE EMPLOYEE SPENDS USING A HARDWARE OR SOFTWARE26
376+APPLICATION; 27
377+1130
378+-10- (II) RECORD THE COMMENCEMENT AND CONCLUSION OF THE1
379+EMPLOYEE'S FULL WORK DAY, INCLUDING MEAL BREAKS AND REST BREAKS2
380+IN EXCESS OF THIRTY MINUTES;3
376381 (III) I
377382 MPROVE OR MONITOR WORKPLACE SAFETY OR SECURITY OR
378-PAGE 8-HOUSE BILL 24-1130 ENSURE THE SAFETY OR SECURITY OF EMPLOYEES ; OR
379-(IV) IMPROVE OR MONITOR THE SAFETY OR SECURITY OF THE PUBLIC
380-IN THE EVENT OF AN EMERGENCY OR CRISIS SITUATION
381-.
383+4
384+ENSURE THE SAFETY OR SECURITY OF EMPLOYEES ; OR5
385+(IV) I
386+MPROVE OR MONITOR THE SAFETY OR SECURITY OF THE
387+6
388+PUBLIC IN THE EVENT OF AN EMERGENCY OR CRISIS SITUATION .7
382389 (b) A
383390 N EMPLOYER AND ITS PROCESSOR MAY COLLECT AND PROCESS
384-AN EMPLOYEE
385-'S OR PROSPECTIVE EMPLOYEE'S BIOMETRIC IDENTIFIER FOR
386-USES OTHER THAN THOSE DESCRIBED IN SUBSECTION
387- (6)(a) OF THIS SECTION
388-ONLY WITH THE EMPLOYEE
389-'S OR PROSPECTIVE EMPLOYEE'S CONSENT. AN
390-EMPLOYER MAY NOT REQUIRE THAT AN EMPLOYEE OR PROSPECTIVE
391-EMPLOYEE CONSENT TO SUCH COLLECTION OR PROCESSING AS A CONDITION
392-OF EMPLOYMENT OR RETALIATE AGAINST AN EMPLOYEE OR PROSPECTIVE
393-EMPLOYEE WHO DOES NOT CONSENT TO SUCH COLLECTION OR PROCESSING
394-.
395-(c) S
396-O LONG AS CONSENT THAT IS OBTAINED FOR COLLECTION AND
397-PROCESSING AS DESCRIBED IN THIS SECTION SATISFIES THE DEFINITION OF
398-CONSENT PROVIDED IN SECTION
399-6-1-1303 (5), CONSENT IS CONSIDERED TO
400-BE FREELY GIVEN AND VALID FOR THE PURPOSES DESCRIBED IN SUBSECTION
401-(6)(a) OF THIS SECTION.
391+8
392+AN EMPLOYEE'S OR PROSPECTIVE EMPLOYEE'S BIOMETRIC IDENTIFIER FOR9
393+USES OTHER THAN THOSE DESCRIBED IN SUBSECTION (6)(a) OF THIS10
394+SECTION ONLY WITH THE EMPLOYEE 'S OR PROSPECTIVE EMPLOYEE'S11
395+CONSENT. AN EMPLOYER MAY NOT REQUIRE THAT AN EMPLOYEE OR12
396+PROSPECTIVE EMPLOYEE CONSENT TO SUCH COLLECTION OR PROCESSING13
397+AS A CONDITION OF EMPLOYMENT OR RETALIATE AGAINST AN EMPLOYEE14
398+OR PROSPECTIVE EMPLOYEE WHO DOES NOT CONSENT TO SUCH15
399+COLLECTION OR PROCESSING.16
400+(c) SO LONG AS CONSENT THAT IS OBTAINED FOR COLLECTION AND17
401+PROCESSING AS DESCRIBED IN THIS SECTION SATISFIES THE DEFINITION18
402+OF CONSENT PROVIDED IN SECTION 6-1-1303 (5), CONSENT IS CONSIDERED19
403+TO BE FREELY GIVEN AND VALID FOR THE PURPOSES DESCRIBED IN20
404+SUBSECTION (6)(a) OF THIS SECTION.21
402405 (d) N
403406 OTHING IN THIS SECTION RESTRICTS AN EMPLOYER OR ITS
404-PROCESSOR
405-'S ABILITY TO COLLECT AND PROCESS AN EMPLOYEE 'S OR
406-PROSPECTIVE EMPLOYEE
407-'S BIOMETRIC IDENTIFIER FOR USES ALIGNED WITH
408-THE REASONABLE EXPECTATIONS OF
409-:
407+22
408+PROCESSOR'S ABILITY TO COLLECT AND PROCESS AN EMPLOYEE 'S OR23
409+PROSPECTIVE EMPLOYEE'S BIOMETRIC IDENTIFIER FOR USES ALIGNED WITH24
410+THE REASONABLE EXPECTATIONS OF :25
410411 (I) A
411412 N EMPLOYEE BASED ON THE EMPLOYEE 'S JOB DESCRIPTION OR
412-ROLE
413-; OR
414-(II) A PROSPECTIVE EMPLOYEE BASED ON A REASONABLE
415-BACKGROUND CHECK
416-, APPLICATION, OR IDENTIFICATION REQUIREMENTS IN
417-ACCORDANCE WITH THIS SECTION
418-.
413+26
414+ROLE; OR27
415+1130
416+-11- (II) A PROSPECTIVE EMPLOYEE BASED ON A REASONABLE1
417+BACKGROUND CHECK , APPLICATION, OR IDENTIFICATION REQUIREMENTS2
418+IN ACCORDANCE WITH THIS SECTION.3
419419 (7) Rules. T
420-HE DEPARTMENT OF LAW MAY PROMULGATE RULES FOR
421-THE IMPLEMENTATION OF THIS SECTION
422-, INCLUDING RULES PROMULGATED
423-IN CONSULTATION WITH THE OFFICE OF INFORMATION TECHNOLOGY AND THE
424-DEPARTMENT OF REGULATORY AGENCIES ESTABLISHING APPROPRIATE
425-SECURITY STANDARDS FOR BIOMETRIC IDENTIFIERS AND BIOMETRIC DATA
426-THAT ARE MORE STRINGENT THAN THE REQUIREMENTS DESCRIBED IN THIS
427-SECTION
428-.
429-PAGE 9-HOUSE BILL 24-1130 SECTION 3. In Colorado Revised Statutes, 6-1-1303, add (2.2)
430-and (2.4) as follows:
431-6-1-1303. Definitions. As used in this part 13, unless the context
432-otherwise requires:
433-(2.2) (a) "B
434-IOMETRIC DATA" MEANS ONE OR MORE BIOMETRIC
435-IDENTIFIERS THAT ARE USED OR INTENDED TO BE USED
436-, SINGLY OR IN
437-COMBINATION WITH EACH OTHER OR WITH OTHER PERSONAL DATA
438-, FOR
439-IDENTIFICATION PURPOSES
440-.
441-(b) "B
442-IOMETRIC DATA" DOES NOT INCLUDE THE FOLLOWING UNLESS
443-THE BIOMETRIC DATA IS USED FOR IDENTIFICATION PURPOSES
444-:
445-(I) A
446- DIGITAL OR PHYSICAL PHOTOGRAPH;
447-(II) A
448-N AUDIO OR VOICE RECORDING; OR
449-(III) ANY DATA GENERATED FROM A DIGITAL OR PHYSICAL
450-PHOTOGRAPH OR AN AUDIO OR VIDEO RECORDING
451-.
420+HE DEPARTMENT OF LAW MAY PROMULGATE RULES4
421+FOR THE IMPLEMENTATION OF THIS SECTION , INCLUDING RULES5
422+PROMULGATED IN CONSULTATION WITH THE OFFICE OF INFORMATION6
423+TECHNOLOGY AND THE DEPARTMENT OF REGULATORY AGENCIES7
424+ESTABLISHING APPROPRIATE SECURITY STANDARDS FOR
425+BIOMETRIC8
426+IDENTIFIERS AND BIOMETRIC DATA THAT ARE MORE STRINGENT THAN THE9
427+REQUIREMENTS DESCRIBED IN THIS SECTION .10
428+SECTION 3. In Colorado Revised Statutes, 6-1-1303, add (2.2)11
429+and (2.4) as follows:12
430+6-1-1303. Definitions. As used in this part 13, unless the context13
431+otherwise requires:14
432+(2.2) (a) "BIOMETRIC DATA" MEANS ONE OR MORE BIOMETRIC15
433+IDENTIFIERS THAT ARE USED OR INTENDED TO BE USED , SINGLY OR IN16
434+COMBINATION WITH EACH OTHER OR WITH OTHER PERSONAL DATA , FOR17
435+IDENTIFICATION PURPOSES.18
436+(b) "BIOMETRIC DATA" DOES NOT INCLUDE THE FOLLOWING19
437+UNLESS THE BIOMETRIC DATA IS USED FOR IDENTIFICATION PURPOSES :20
438+(I) A DIGITAL OR PHYSICAL PHOTOGRAPH;21
439+(II) AN AUDIO OR VOICE RECORDING; OR22
440+(III) ANY DATA GENERATED FROM A DIGITAL OR PHYSICAL23
441+PHOTOGRAPH OR AN AUDIO OR VIDEO RECORDING .24
452442 (2.4) "B
453-IOMETRIC IDENTIFIER" MEANS DATA GENERATED BY THE
454-TECHNOLOGICAL PROCESSING
455-, MEASUREMENT , OR ANALYSIS OF A
456-CONSUMER
457-'S BIOLOGICAL, PHYSICAL, OR BEHAVIORAL CHARACTERISTICS ,
458-WHICH DATA CAN BE PROCESSED FOR THE PURPOSE OF UNIQUELY
459-IDENTIFYING AN INDIVIDUAL
460-. "BIOMETRIC IDENTIFIER" INCLUDES:
443+IOMETRIC IDENTIFIER" MEANS DATA GENERATED BY THE25
444+TECHNOLOGICAL PROCESSING , MEASUREMENT, OR ANALYSIS OF A26
445+CONSUMER'S BIOLOGICAL, PHYSICAL, OR BEHAVIORAL CHARACTERISTICS,27
446+1130
447+-12- WHICH DATA CAN BE PROCESSED FOR THE PURPOSE OF UNIQUELY1
448+IDENTIFYING AN INDIVIDUAL. "BIOMETRIC IDENTIFIER" INCLUDES:2
461449 (a) A
462- FINGERPRINT;
450+ FINGERPRINT;3
463451 (b) A
464- VOICEPRINT;
452+ VOICEPRINT;4
465453 (c) A
466- SCAN OR RECORD OF AN EYE RETINA OR IRIS;
454+ SCAN OR RECORD OF AN EYE RETINA OR IRIS;5
467455 (d) A
468456 FACIAL MAP, FACIAL GEOMETRY, OR FACIAL TEMPLATE; OR
469-(e) OTHER UNIQUE BIOLOGICAL , PHYSICAL, OR BEHAVIORAL
470-PATTERNS OR CHARACTERISTICS
471-.
472-SECTION 4. In Colorado Revised Statutes, 6-1-1304, amend (1)
473-as follows:
474-PAGE 10-HOUSE BILL 24-1130 6-1-1304. Applicability of part. (1) Except as specified in
475-subsection (2) of this section, this part 13 applies to a controller that:
476-(a) (I) Conducts business in Colorado or produces or delivers
477-commercial products or services that are intentionally targeted to residents
478-of Colorado; and
479-(b)
480- (II) Satisfies one or both of the following thresholds:
481-(I) (A) Controls or processes the personal data of one hundred
482-thousand consumers or more during a calendar year; or
483-(II) (B) Derives revenue or receives a discount on the price of goods
484-or services from the sale of personal data and processes or controls the
485-personal data of twenty-five thousand consumers or more;
486-OR
487-(b) CONTROLS OR PROCESSES ANY AMOUNT OF BIOMETRIC
488-IDENTIFIERS OR BIOMETRIC DATA REGARDLESS OF THE AMOUNT OF
489-BIOMETRIC IDENTIFIERS OR BIOMETR IC DATA CONTROLLED OR PROCESSED
490-ANNUALLY
491-; EXCEPT THAT A CONTROLLER THAT MEETS THE QUALIFICATIONS
492-OF THIS SUBSECTION
493- (1)(b) BUT DOES NOT MEET THE QUALIFICATIONS OF
494-SUBSECTION
495- (1)(a) OF THIS SECTION SHALL COMPLY WITH THIS PART 13 ONLY
496-FOR THE PURPOSES OF A BIOMETRIC IDENTIFIER OR BIOMETRIC DATA THAT
497-THE CONTROLLER COLLECTS AND PROCESSES
498-.
499-SECTION 5. Act subject to petition - effective date -
500-applicability. (1) This act takes effect July 1, 2025; except that, if a
501-referendum petition is filed pursuant to section 1 (3) of article V of the state
502-constitution against this act or an item, section, or part of this act within the
503-ninety-day period after final adjournment of the general assembly, then the
504-act, item, section, or part will not take effect unless approved by the people
505-at the general election to be held in November 2024 and, in such case, will
506-take effect July 1, 2025, or on the date of the official declaration of the vote
507-thereon by the governor, whichever is later.
508-(2) This act applies to the collection, retention, processing, and use
509-PAGE 11-HOUSE BILL 24-1130 of biometric identifiers and biometric data on and after the applicable
510-effective date of this act.
511-____________________________ ____________________________
512-Julie McCluskie Steve Fenberg
513-SPEAKER OF THE HOUSE PRESIDENT OF
514-OF REPRESENTATIVES THE SENATE
515-____________________________ ____________________________
516-Robin Jones Cindi L. Markwell
517-CHIEF CLERK OF THE HOUSE SECRETARY OF
518-OF REPRESENTATIVES THE SENATE
519- APPROVED________________________________________
520- (Date and Time)
521- _________________________________________
522- Jared S. Polis
523- GOVERNOR OF THE STATE OF COLORADO
524-PAGE 12-HOUSE BILL 24-1130
457+6
458+(e) O
459+THER UNIQUE BIOLOGICAL , PHYSICAL, OR BEHAVIORAL
460+7
461+PATTERNS OR CHARACTERISTICS .8
462+SECTION 4. In Colorado Revised Statutes, 6-1-1304, amend (1);9
463+and add (6) as follows:10
464+6-1-1304. Applicability of part. (1) Except as specified in11
465+subsection (2) of this section, this part 13 applies to a controller that:12
466+(a) (I) Conducts business in Colorado or produces or delivers13
467+commercial products or services that are intentionally targeted to14
468+residents of Colorado; and15
469+(b) (II) Satisfies one or both of the following thresholds:16
470+(I) (A) Controls or processes the personal data of one hundred17
471+thousand consumers or more during a calendar year; or18
472+(II) (B) Derives revenue or receives a discount on the price of19
473+goods or services from the sale of personal data and processes or controls20
474+the personal data of twenty-five thousand consumers or more;
475+OR21
476+(b) CONTROLS OR PROCESSES ANY AMOUNT OF BIOMETRIC22
477+IDENTIFIERS OR BIOMETRIC DATA REGARDLESS OF THE AMOUNT OF23
478+BIOMETRIC IDENTIFIERS OR BIOMETRIC DATA CONTROLLED OR PROCESSED24
479+ANNUALLY; EXCEPT THAT A CONTROLLER THAT MEETS THE25
480+QUALIFICATIONS OF THIS SUBSECTION (1)(b) BUT DOES NOT MEET THE26
481+QUALIFICATIONS OF SUBSECTION (1)(a) OF THIS SECTION SHALL COMPLY27
482+1130
483+-13- WITH THIS PART 13 ONLY FOR THE PURPOSES OF A BIOMETRIC IDENTIFIER1
484+OR BIOMETRIC DATA THAT THE CONTROLLER COLLECTS AND PROCESSES .2
485+ 3
486+SECTION 5. Act subject to petition - effective date -4
487+applicability. (1) This act takes effect July 1, 2025; except that, if a5
488+referendum petition is filed pursuant to section 1 (3) of article V of the6
489+state constitution against this act or an item, section, or part of this act7
490+within the ninety-day period after final adjournment of the general8
491+assembly, then the act, item, section, or part will not take effect unless9
492+approved by the people at the general election to be held in November10
493+2024 and, in such case, will take effect July 1, 2025, or on the date of the11
494+official declaration of the vote thereon by the governor, whichever is12
495+later.13
496+(2) This act applies to the collection, retention, processing, and14
497+use of biometric identifiers and biometric data on and after the applicable15
498+effective date of this act.16
499+1130
500+-14-