This summer, Colorado employers will be subject to additional regulations around the collection and storage of biometric identifiers and biometric data. On July 1, 2025, the Biometric Amendment to the Colorado Privacy Act will take effect.[1] While largely targeted at the collection and retention of biometric data from consumers generally, the Biometric Amendment also provides new regulations for Colorado employers. These regulations apply to both for-profit and non-profit organizations of any size, even those without any “consumer-facing” business.[2]
But wait— what is a biometric identifier? A biometric identifier refers to the raw “data generated by the technological processing, measurement, or analysis of . . . biological, physical, or behavioral characteristics”, including an individual’s fingerprint, voiceprint, retina scan, and facial geometry. While this data may be used for identification purposes, it need not be. Biometric data, on the other hand, is a narrower category defined as “one or more biometric identifiers that are used or intended to be used for identification purposes, either alone or in combination with personal data.” The distinction is important because employers have certain requirements, depending on the type of information collected. In practice, however, biometric identifiers almost always qualify as biometric data as such information is usually collected for identification purposes.
The first new requirement is that employers must now obtain consent from employees[3] and prospective employees before collecting, processing, or storing biometric identifiers. The consent must be specific, informed, and unambiguous. An employee who opts out of biometric identifier collection cannot be terminated or retaliated against for such election. However, there are exceptions where an employer may condition employment on the usage of biometric identifiers. The exceptions are: 1) to monitor or improve workplace safety; 2) to monitor or improve public safety during emergencies; 3) to record an employee’s work day periods; and 4) to permit access to secure physical locations or secure hardware and software applications.[4] Additionally, the Biometric Amendment preserves an employer’s right to use biometric data within reasonable job-related expectations (i.e. a security guard) and when processing a job application for a background check, identify verification, or similar procedure.
In addition to the consent requirement, employers must also draft and internally distribute a written policy regarding the collection and retention of employees’ biometric identifiers and data. The policy must include a retention schedule, a plan for responding to a security breach, and guidelines for the deletion of biometric identifiers and data. In addition, companies may also need to draft and publish a public-facing privacy notice to disclose consumer biometric collection practices when applicable.
Colorado employers should develop a comprehensive biometric compliance strategy well in advance of the July 1, 2025 deadline. Such companies would be wise to evaluate their current business practices to determine what technologies (including artificial intelligence applications) currently collect or retain biometric data or identifiers. Employers should also design a process through which current and prospective employees may consent to – or opt out of – biometric identifier collection. Finally, companies must establish and implement a written policy outlining the procedures for storage, retention, and security of any biometric identifies and data in their possession.
As with any new regulation, early preparation is key. Building a robust compliance regime in advance will help employers avoid regulatory challenges down the road. As always, our attorneys at Milgrom, Daskam, & Ellis are here to help.
1 See C.R.S. § 6-1-1314.
2 Certain financial institutions, higher education institutions, and government entities are exempt.
3 An employee means an individual who is employed full-time or part time, and also includes contractors, subcontractors, interns, and fellows.
4 Note that this exception does not apply to the use of biometric data for location tracking or tracking of time spent using a hardware or software application.
ABOUT THE AUTHOR
PARTNER
Lindsey is a litigation partner and mom to her one-and-a-half-year-old daughter. Lindsey is proud to work at Milgrom & Daskam, where being a parent and an attorney is celebrated and encouraged. Milgrom & Daskam works to support its working parents by fostering dialogue and understanding.
More Articles
Share Post: Artificial Intelligence (AI) is already changing business and healthcare in profound ways: Candidates are being screened by AI during the interview process; behavioral
It is simple to sign a lease and stuff it away to (hopefully) never be seen again. It is decidedly less simple to make sure the document protects your business’ interest (and where you are signing a personal guaranty, as is often the case, your personal interests too).
Policyholders pay good money for their insurance. But when a loss occurs or someone sues you, insurance coverage is not automatic. People who make insurance claims face several potential pitfalls that may prevent them from getting what they paid for.
If you’d like more information about who we are and what we do, please reach out to set up a free consultation.
© 2024 Milgrom Law, PC | DBA Milgrom Daskam & Ellis.
