Colorado HB 1130: The nation’s first-of-its-kind hybrid biometrics law
By David J. Oberly, Biometric Privacy & Data Privacy Attorney
On May 31, 2024, Colorado Governor Jared Polis signed into law HB 1130, an amendment to the Colorado Privacy Act (CPA) that directly regulates the use of biometric technologies in the Centennial State, while also adding an entirely new layer of complexity to the already fragmented patchwork of laws and regulations governing biometrics in the U.S.
HB 1130 is a noteworthy development in the biometrics space. First, it not only sets forth a number of traditional compliance obligations similar to the Illinois Biometric Information Privacy Act (BIPA), but also additional, unique requirements and restrictions that have—until now—been historically confined to broader consumer privacy statutes. This will require many companies to satisfy a detailed set of new obligations pertaining to the use of biometrics.
In addition, HB 1130’s broad reach will ensnare many organizations that operate or otherwise conduct business in Colorado—but which are outside the scope of CPA compliance—significantly enhancing their legal risk and liability exposure.
Companies that develop, supply, or use biometric technologies are advised to take proactive steps to determine whether they fall under the scope of HB 1130 and, if so, develop a concrete plan for the completion of all modifications to organizational compliance programs needed to achieve compliance ahead of July 2025, when HB 1130 will take effect.
Key aspects of HB 1130
Sweeping scope and low applicability thresholds
Under HB 1130, controllers (a defined term in the CPA meaning a person or entity that, alone or jointly with others, determines the purposes for, and means of, processing personal data) that process any amount of biometric data are subject to compliance with Colorado’s first-of-its-kind hybrid biometrics law—even if they do not meet the thresholds for compliance with the CPA. Thus, all companies that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado residents are subject to compliance with HB 1130 as it relates to the collection and processing of biometric data. In addition, HB 1130 also sets forth express obligations on biometric data processors.
Moreover, unlike the vast majority of consumer privacy statutes enacted to date (including the CPA)—which provide an across-the-board exemption for the personal data of employees and job applicants—employee/job applicant biometric data is not exempted from HB 1130, bringing employers squarely within the scope of compliance if they employ even a single Colorado resident.
Expansive definitions for covered biometric identifiers/data
HB 1130 applies to “biometric identifiers” and “biometric data.” Biometric identifier is defined as “data generated by the technological processing, measurement, or analysis of a consumer’s biological, physical, or behavioral characteristics, which can be processed for the purpose of uniquely identifying an individual.” Biometric data is defined as “one or more biometric identifiers that are used or intended to be used, singly or in combination with each other or with any other personal data, for identification purposes.”
Together, the scope of covered data under HB 1130 is much broader as compared to BIPA, Texas’s Capture or Use of Biometric Identifiers Act (CUBI), and similar biometrics laws currently in effect. This aspect of HB 1130 not only increases the extent of legal risk and liability exposure that companies will face, but will also create significant complexities and challenges in ascertaining whether organizational biometric data processing activities fall under HB 1130’s ambit.
Importantly, the combination of HB 1130’s broad applicability and its expansive definitions of biometric identifiers/data will subject controllers to compliance, even where only a negligible amount of biometric data is processed, and no actual biometric identification or authentication is performed.
For example, a small online eyewear retailer that offers a virtual try-on (VTO) tool on its website—allowing visitors to “try before they buy” and see how sunglass frames look on their face before making a purchase—would fall under the sweeping scope of HB 1130. Although VTO tools do not identify or authenticate individuals’ identities, this use case nonetheless triggers compliance because it involves data generated by the technological measurement and analysis of visitors’ faces—a biological characteristic—which can be processed for the purpose of uniquely identifying an individual.
Similarly, a five-employee warehouse facility that uses increasingly popular warehouse automation technology, such as a voice picking solution—a hands-free system that utilizes an intelligent voice agent and speech recognition software to direct fulfillment workers through their tasks—would also fall under HB 1130’s ambit because of the speech recognition component of this technology. Here, the tool’s analysis of employee voices—another type of biological characteristic—is enough on its own to trigger compliance with HB 1130, even if the software only interprets employees’ spoken responses (but stops short of identifying or verifying that employee’s identity).
Significant potential civil penalties and disgorgement
HB 1130 provides for the imposition of staggering civil penalties of up to $20,000 per violation. In addition, disgorgement, restitution, reimbursement of attorney’s fees, and injunctive relief can also be imposed for HB 1130 non-compliance.
While HB 1130 does not contain a private right of action, the law’s high civil penalties alone pose the threat of potentially wreaking havoc on companies’ bottom lines, especially for those organizations that process a high volume of biometric data.
Moreover, the equitable remedy of disgorgement—i.e., the forced deletion and destruction of not only improperly collected personal data, but all algorithms and associated artificial intelligence (AI) models and tools created or improved with the aid of such data—poses a particularly outsized threat to biometric technology developers and suppliers, the vast majority of which rely heavily on advanced algorithms, such as facial prediction models.
BIPA-like obligations
In terms of its core compliance requirements, HB 1130 includes several obligations that are common across current biometrics laws, including the following:
- biometrics-specific privacy policies;
- data retention and destruction protocols;
- pre-collection individualized notice;
- pre-collection consent;
- disclosure obligations and limitations;
- a transactional prohibition on selling, leasing, or trading biometric data; and
- data security.
Importantly, however, HB 1130 goes beyond BIPA, CUBI, and the like by adding further obligations to these compliance components that are unique to the Colorado law.
For example, under HB 1130 organizational privacy policies must include not only data retention and destruction guidelines and schedules, but also organizational security incident protocols specific to biometric data.
HB 1130 also contains unique timing triggers for when biometric data must be deleted; namely, on “the earliest reasonable feasible date, which date must be no more than 45 days after a controller determines that storage of the biometric identifier is no longer necessary, adequate, or relevant to the express processing purpose identified by a review conducted by the controller at least once annually.” This aspect of HB 1130 adds a significant degree of complexity to the already-challenging task of navigating and satisfying divergent time limitations on the retention of biometric data under the current patchwork of biometrics laws. Not only that, but this obligation will also require companies to conduct periodic reviews of biometric data, and the deletion of any data determined to be no longer necessary, adequate, or relevant to the express processing purposes for which it was originally collected.
Hybrid obligations
The most notable aspect of HB 1130 is its inclusion of a number of compliance obligations that, until now, have traditionally been confined to broader consumer privacy statutes like the CPA and its California counterpart, the California Consumer Privacy Act (CCPA).
Here, HB 1130 first requires that controllers satisfy the full range of duties that are imposed on controllers under the CPA, including:
- Privacy Policy Disclosures. Additional, specific information regarding data processing activities must be included in privacy policies.
- Purpose Specification. The express purpose for which biometric data is collected and processed must be described in detail in both external disclosures to consumers—including privacy policies and written notices/consents—as well as in any internal documentation required by the CPA.
- Data Minimization. Biometric data processing must be limited to the minimum amount that is necessary, adequate, or relevant for the express purposes for which such data is collected and used.
- Secondary Use. Consent must be obtained from consumers before processing biometric data for any purpose that is not reasonably necessary or compatible with the express purposes for which the data was originally collected.
- Sensitive Data. Consent must be obtained from consumers before processing biometric data (classified as a type of sensitive data under the CPA).
- Care (Security). Reasonable and appropriate safeguards must be maintained to protect and secure biometric data from unauthorized access, disclosure, or acquisition.
Controllers must comply with HB 1130’s “right of access” afforded to consumers, which mandates that controllers provide additional, separate disclosures upon the request of a consumer regarding a number of aspects of the controller’s biometric data processing activities—specifically as it relates to that particular consumer. This will require many companies not subject to compliance with consumer rights obligations under existing state consumer privacy statutes—particularly smaller biometric technology vendors—to implement consumer rights compliance and management solutions, which in almost all instances will be a time- and resource-intensive endeavor.
Finally—separate from the incident response disclosures discussed above—the law explicitly requires controllers to implement incident response plans and programs tailored to potential biometric data compromise events, and which must also satisfy Colorado’s data breach notification statute.
Processor obligations
Processors, like controllers, must implement security incident response plans and programs specific to biometric data.
Also like controllers, processors are subject to the CPA’s security requirement with respect to biometric data, which includes (among other things) working with controllers to establish a clear allocation of responsibilities between the two for implementing effective measures to safeguard biometric data.
Employer obligations
As indicated above, HB 1130 imposes explicit requirements and restrictions on employers in connection with the collection and use of employee/job applicant biometric data.
Aside from four very narrow exemptions, employers must obtain employee or job applicant consent prior to the collection and processing of their biometric data, and must honor all refusals to provide consent for such biometric practices. In practice, this will require employers to maintain at least one alternative non-biometric solution that accomplishes the same objectives as the employer’s biometric system.
Analysis & Takeaways
Significant compliance burdens in aligning compliance programs with unique legal obligations
HB 1130 marks the first “hybrid” biometrics legislation to be enacted in the U.S. With that said, it will almost certainly not be the last.
Notably, these hybrid laws not only create significant legal risk and liability exposure, but also impose significant compliance costs due to the range of modifications and additions that companies will need to make to compliance programs in order to align their practices with the obligations imposed by this new type of biometrics regulation.
Such is the case with HB 1130, which will require wholesale changes to compliance programs to align with the law’s unique requirements pertaining to consumer rights, periodic biometric data evaluations, special data retention/destruction requirements, and incident response plans, among others.
Broader ripple effect: Enactment of additional, copycat hybrid biometrics laws
In 2024, lawmakers have continued to show an intensified interest in imposing strict requirements and restrictions over biometrics with hybrid legislation similar to HB 1130. Moving forward, the addition of HB 1130 to the legal landscape may accelerate the timeframe for the enactment of additional, copycat hybrid regulation in other states.
Future hybrid laws will almost certainly come with their own nuances and unique compliance components, which will significantly increase compliance burdens for those companies that develop, supply, and use biometrics. And it goes without saying that as more regulations targeting biometrics are enacted in other jurisdictions, companies will see a precipitous rise in the scope of legal risk and liability exposure faced in connection with biometrics.
Practical compliance tips and strategies
Due to the complexity of HB 1130 and the heavy compliance burden in meeting the requirements of the new Colorado law, businesses should get an early start on working toward compliance with HB 1130 in advance of next July.
Businesses that develop, supply, or operate biometric technologies can consider the following high-level action plan for adapting current practices for compliance with HB 1130. In addition, following the action steps outlined below will also provide the added benefit of helping to prepare for copycat laws that may follow closely on the heels of Colorado’s first-of-its-kind hybrid biometrics regulation.
- Complete a Biometric System Inventory. Identify and document all organizational biometric systems that are currently developed, deployed, or otherwise in operation at this time.
- Evaluate HB 1130 Applicability. For each identified system, conduct a threshold applicability and impact analysis to determine whether the system is subject to compliance with HB 1130 and, if so, how operations may be impacted. Companies must be cognizant of the fact that with HB 1130’s lower applicability thresholds, many organizations not subject to compliance with the CPA may still nonetheless fall within HB 1130’s ambit, and be required to comply with Colorado’s new biometrics law.
- Conduct a Compliance Gap Analysis. For each in-scope system, evaluate the level of alignment between the organization’s current compliance practices and the specific obligations imposed under HB 1130 to identify any gaps that will need to be remediated to achieve compliance.
- Develop a Compliance Action Plan. Based on the results of the gap analysis, formulate a concrete roadmap and action plan for executing all modifications and enhancements to organizational compliance programs necessary to address identified compliance gaps ahead of HB 1130’s July 1, 2025 effective date.
Involve experienced outside biometrics counsel early in the process
HB 1130 will require a broad range of companies large and small that operate in the biometrics sector (and beyond) to adapt their business practices and processes to align with the new requirements and restrictions set forth in HB 1130. Companies should expect to expend substantial time and resources—and to incur significant costs—in executing necessary adjustments and enhancements to existing compliance programs to come into compliance with Colorado’s hybrid biometrics regulatory regime.
To manage and limit these costs, companies should seek to involve experienced outside biometrics counsel early in the process. For existing biometrics systems, outside counsel can provide key guidance and insight to streamline the compliance program evaluation and modification process. And for new biometrics systems, counsel can assist in bringing legal compliance issues to the forefront so that they are adequately considered and addressed during all phases of the development/acquisition process and up through the time of system rollout or launch—and, ideally, thereafter throughout the duration of the system lifecycle.
About the author
David J. Oberly is an attorney in the Washington, DC office of Baker Donelson, where he leads the firm’s Biometrics team. Recognized as “one of the nation’s foremost thought leaders in the biometrics space” by LexisNexis, David’s practice focuses on providing strategic guidance to technology-focused companies across all industries on the full range of legal, regulatory, and risk management issues that arise at the intersection of biometrics, AI, and other advanced technologies, business, and the law. David’s practice also includes litigating bet-the-company BIPA class action disputes. In addition, David is also the author of LexisNexis’s Biometric Data Privacy Compliance & Best Practices, a full-length treatise providing a comprehensive compendium of biometrics law and compliance/litigation strategies. David can be reached at doberly@bakerdonelson.com. You can also follow David on X/Twitter at @DavidJOberly.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.