FB pixel

Colorado’s consumer privacy law gets expanded biometric protections in draft rules

Change will require compliance from any company that collects biometrics
Colorado’s consumer privacy law gets expanded biometric protections in draft rules
 

The Colorado Attorney General’s Office has filed a set of proposed draft amendments to the  2021 Colorado Privacy Act (CPA), which would broaden requirements for any business that collects and uses biometric information or children’s personal data.

Signed earlier this year by Governor Jared Polis, House Bill 1130 changes the CPA to require entities that collect biometric data or identifiers to provide notice to consumers explaining what biometric data is being collected, for what purpose, how long it will be kept, and whether it will be shared.

Significantly, Colorado’s legal definition of biometric data covers facial scans, fingerprints, voiceprints and retina scans – but not photos or audio recordings. Even so, there are those who believe it covers too much and will put many businesses at risk.

The amendment says the required notice “must be clear” (and clearly labeled), “concrete and definitive,” with no ambiguous language. HB 1130 also requires a controller or processor of biometric data to adopt a publicly available written policy that establishes a retention schedule for biometrics and describes a protocol for responding to a data security incident that may compromise biometric identifiers.

Select exceptions cover employee data used for activities like access control and timekeeping.

Amendments reach beyond scope of CPA to implicate smaller businesses

The move has prompted businesses to appeal to state privacy regulators for a more precise definition of biometric information, and to narrow how they implement the new protections to allow uses of data related to harassment and fraud prevention. Their complaint is that the new rules could choke small businesses and stifle innovation. The CPA only applies to companies that collect information from at least 100,000 state residents. But the amendments cover businesses that control or process any amount of biometric information.

In a recent analysis of HB 1130 for Biometric Update, Baker Donelson attorney David J. Oberly argues that the amendment’s “broad reach will ensnare many organizations that operate or otherwise conduct business in Colorado – but which are outside the scope of CPA compliance – significantly enhancing their legal risk and liability exposure.”

“Companies that develop, supply, or use biometric technologies are advised to take proactive steps to determine whether they fall under the scope of HB 1130 and, if so, develop a concrete plan for the completion of all modifications to organizational compliance programs needed to achieve compliance ahead of July 2025, when HB 1130 will take effect.”

Regardless, even with its new rules, Colorado’s privacy law lacks the legal teeth of its cousin in Illinois, the Biometric Information Protection Act (BIPA), in that it does not include a private right of action that would enable citizens to sue companies that violate their rights.

Minors bill could open doors for age assurance vendors

Accompanying HB 1130 is SB 041, which amends the CPA to add expanded protections for personal information about minors under the age of eighteen. A requirement that data controllers “use reasonable care to avoid any heightened risk of harm to minors” could have implications for the age assurance sector.

Related Posts

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

Mitek unveils multilayered GenAI fraud detection to stop PAD, injection attacks

Mitek Systems has launched what it calls the first multilayered solution to the growing challenge posed by generative AI for…

 

Authsignal teams with Mattr on terminal to bind palm biometrics with mDLs

New Zealand-based Authsignal has announced the launch of a new palm biometrics terminal, developed in collaboration with Mattr and Qualcomm,…

 

UK grapples with border biometrics expansion and delays

The UK Home Office has provided key updates on its electric border management initiatives during a Justice and Home Affairs…

 

FBI looking at biometric matching algorithms for NGI, issues RFI

The U.S. Federal Bureau of Investigation’s (FBI) Criminal Justice Information Services (CJIS) in Clarksburg, West Virginia issued a Request for…

 

Bhutan charts a digital future with blockchain, bitcoin, and national digital ID

The Kingdom of Bhutan is leveraging digital assets and strategic investments to propel its national development agenda, integrating blockchain technology…

 

Digital ID can help Sri Lanka expand tax base: Deloitte

Sri Lanka seems to be caught in a chicken-and-egg situation regarding its development of digital ID as its ministry sets…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Viewed This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events