Summary:
The amendments to the Colorado Privacy Act, which take effect in July 2025, impose new obligations concerning the collection and processing of Colorado residents' biometric data. All controllers must obtain prior consent to collect this data and clearly inform consumers of its use. Consumer rights are strengthened, playing a key role in transparency and security, including specific protections for employees.
Original Article:
Amendments to the Colorado Privacy Act, effective July 2025, resemble Illinois’ biometrics law with some significant differences.
Last May, Colorado Governor Jared Polis signed into law amendments to the Colorado Privacy Act (CPA) that impose new obligations governing the collection, processing, retention, and disclosure of Coloradans’ biometrics. The amendments become effective July 1, 2025, applying to all companies that act as “controllers” and process any amount of biometric information from Colorado residents, regardless of CPA jurisdictional thresholds. All companies doing business in Colorado must determine if they collect or process biometric identifiers or data, and if so, implement the necessary policies and notices and obtain the consents needed for compliance.
The CPA classifies biometrics as “identifiers” (biometric measurements like face geometry and fingerprints) and “data” (these identifiers used for identification). While the CPA generally does not apply in employment contexts, recent amendments extend protections to Colorado employees. The amendments empower the attorney general to issue rules governing biometrics under the CPA.
### Definitions of Biometrics
The amendments distinguish between “biometric identifiers” and “biometric data.” Identifiers can include fingerprints, voiceprints, eye scans, and more, while data are those identifiers used for identification purposes. Certain types of data, including digital or physical photographs or audio recordings, are excluded unless used for identification.
### Controllers’ Obligations
The amendments impose requirements on controllers processing biometric identifiers or data. Controllers must obtain prior consent for collecting biometric data, provide clear consumer notices regarding collection purposes and retention periods, and may not process identifiers without following these guidelines. Controllers cannot sell or disclose biometric identifiers unless consented to by the consumer or legally required.
#### Rights of Consumers
Consumers have rights regarding access to their biometric data, including information about its use and third-party disclosures. Some controllers must respond to such requests.
### Security Requirements
Controllers and processors are responsible for safeguarding biometric identifiers and data and for implementing security protocols for breaches.
### Employee Protections
The amendments apply to biometric identifiers collected from employees, requiring compliance regardless of biometric data quantity. Employers must obtain consent for specific biometric processes linked to secure access and workplace safety but cannot penalize employees for refusing non-essential data collection.
In summary, the forthcoming CPA amendments introduce substantial changes affecting businesses processing biometric data in Colorado, focusing on consent, transparency, and security for both consumers and employees.