
Quick Hits

  • Starting July 1, 2025, the Biometric Data Privacy Amendment to the Colorado Privacy Act will impose new obligations on entities collecting biometric data from individuals in Colorado, including employees and job applicants.
  • The amendment introduces a consent paradigm limiting when employers can require biometric data, allowing mandatory consent only for specific purposes like secure access and workplace safety.
  • Employers must comply with a strict data-deletion schedule and maintain a written incident-response protocol for biometric data, with enforcement by the Colorado attorney general and district attorneys.

Although the underlying Colorado Privacy Act expressly excludes employees and job applicants from the definition of “consumer,” the amendment overrides that exclusion in part by imposing employer-facing duties any time an employer collects or uses employees’ or applicants’ biometric identifiers. As a result, companies that have historically viewed Colorado’s privacy law as a purely business-to-consumer (B2C) concern must now evaluate, document, and potentially redesign workplace practices that rely on fingerprints, facial geometry, iris scans, voiceprints, or any other unique biological characteristic used to identify a specific individual.

The centerpiece of the amendment is a new consent paradigm that sharply limits the circumstances in which an employer may condition employment—or continued employment—on an employee’s agreement to provide a biometric identifier. Mandatory consent is permissible only when the biometric identifier is collected and used for one of four narrowly defined workplace purposes: (1) granting access to secure physical areas or secure electronic hardware, software, or systems; (2) recording the start and end of the workday, including meal and rest breaks that exceed thirty minutes; (3) improving or monitoring workplace safety or security, or protecting the safety or security of employees; and (4) improving or monitoring public safety or security during an emergency or crisis.

If an employer’s use case falls outside these four categories—for example, tracking an employee’s physical location throughout the day, measuring productivity through keystroke dynamics, or gauging time spent inside a specific software application—the employer must offer a genuine choice. The employee may not be denied employment, disciplined, or otherwise retaliated against for withholding consent.

Two statutory carve-outs eliminate the consent requirement altogether, yet they present substantial compliance risk because they overlap and arguably conflict with other state and federal laws. The amendment waives consent when the employee “reasonably should expect” biometric collection based on the employee’s job description—for example, a security guard whose duties inherently involve biometric gate controls. It waives consent for job applicants when collection is “based on reasonable background check, application, or identification requirements,” such as fingerprints for a criminal background screen.

Employers may want to approach both exceptions with caution. In the applicant context, the federal Fair Credit Reporting Act (FCRA) already mandates written authorization before initiating any background check, including fingerprint-based checks, so reliance on the amendment’s consent waiver would invite a direct conflict with FCRA disclosure and authorization requirements. Similarly, other state biometric or privacy statutes—including the Illinois Biometric Information Privacy Act (BIPA), the California Privacy Rights Act (CPRA) as applied to employee data, the Texas Capture or Use of Biometric Identifier law (CUBI), and Washington’s biometric statute—either provide no comparable waiver or impose more stringent notice and consent mandates.

(The CPRA amends the California Consumer Privacy Act (CCPA). Although structured more like the European Union’s General Data Protection Regulation than BIPA, the CPRA requires employers to give employees notice and obtain their consent (an “opt-in”) before collecting or using their biometric templates if the employer intends to sell that information. The CPRA also requires employers to notify employees of their right to “opt out” of the employer’s collection practices and to offer at least two methods for doing so, typically an email address, a telephone number, or a website contact form.)

Accordingly, Colorado employers with multistate operations may not want to treat the amendment’s two consent waivers as safe harbors. Instead, employers may want to adopt a uniform, nationwide approach that honors the highest common denominator across jurisdictions.

Beyond consent, the amendment imposes a strict data-deletion schedule that requires covered entities to permanently destroy biometric data at the earliest of three possible trigger points: (a) once the original purpose for collection has been fulfilled; (b) twenty-four months after the employee’s or applicant’s last interaction with the employer; or (c) within forty-five days after the employer determines that continued retention is no longer necessary, adequate, or relevant to the collection purpose. Although subsections (a) and (c) appear to overlap—both hinge on satisfaction of the collection purpose—employers may want to treat each prong as an independent obligation and document retention decisions accordingly.
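The “earliest of three triggers” rule is easy to state and easy to get wrong in a retention job, because two of the three dates may not exist yet for a given record. The following calculator is an added illustration written for this post; it is not code from the article, from Ogletree Deakins, or from any statute. It assumes that each biometric record carries a last-interaction date (at minimum the collection date), an optional purpose-fulfilled date, and an optional date on which the employer determined that retention is no longer necessary, and it reads “twenty-four months” as calendar months. The record structure, field names, and sample data are constructed for the example.

```python
"""Retention-deadline calculator for the amendment's three deletion triggers.

Added example; not from the article or any statute text. Assumptions:
a record stores the three trigger dates (two may be unknown), and
"24 months" means calendar months, clamped to month length.
"""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

MAX_RETENTION_MONTHS = 24          # prong (b): 24 months after last interaction
REVIEW_GRACE = timedelta(days=45)  # prong (c): 45 days after the "no longer necessary" determination


@dataclass
class BiometricRecord:
    subject_id: str                     # hypothetical employee/applicant identifier
    purpose: str                        # collection purpose, e.g. "secure access"
    last_interaction_on: date           # last interaction with the employer (collection date at minimum)
    purpose_fulfilled_on: Optional[date] = None     # prong (a), unknown until the purpose is met
    no_longer_necessary_on: Optional[date] = None   # prong (c), date of the employer's determination


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length (Jan 31 + 1 -> Feb 29/28)."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def destroy_by(rec: BiometricRecord) -> Tuple[date, str]:
    """Return (deadline, trigger) for whichever of the three prongs fires first.

    Prong (b) always yields a date; (a) and (c) only contribute once their
    trigger dates are known, so a record never lacks a deadline.
    """
    candidates = [(add_months(rec.last_interaction_on, MAX_RETENTION_MONTHS),
                   "b: 24 months after last interaction")]
    if rec.purpose_fulfilled_on:
        candidates.append((rec.purpose_fulfilled_on, "a: collection purpose fulfilled"))
    if rec.no_longer_necessary_on:
        candidates.append((rec.no_longer_necessary_on + REVIEW_GRACE,
                           "c: 45 days after retention determination"))
    return min(candidates, key=lambda c: c[0])


def overdue(records: List[BiometricRecord], today: date) -> List[Tuple[str, date, str]]:
    """Records whose deadline has passed: what a nightly deletion job would act on."""
    result = []
    for r in records:
        deadline, why = destroy_by(r)
        if deadline <= today:
            result.append((r.subject_id, deadline, why))
    return result


# Constructed sample data for the example.
SAMPLE_RECORDS = [
    BiometricRecord("emp-001", "secure access", date(2025, 7, 1)),
    BiometricRecord("app-017", "background check", date(2025, 7, 1),
                    purpose_fulfilled_on=date(2025, 9, 15)),
    # 24-month clock (2026-01-31) beats the 45-day review clock (2026-02-03)
    BiometricRecord("emp-042", "timekeeping", date(2024, 1, 31),
                    no_longer_necessary_on=date(2025, 12, 20)),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        deadline, why = destroy_by(r)
        print(f"{r.subject_id}: destroy by {deadline} ({why})")
    print("overdue as of 2026-02-01:", overdue(SAMPLE_RECORDS, date(2026, 2, 1)))
```

Returning the trigger alongside the date is deliberate: the article’s advice to treat each prong as an independent obligation and document retention decisions is only auditable if the deletion log records which prong fired. Note that the statute does not define “last interaction,” so the choice of what populates that field (badge swipe, payroll event, application activity) is itself a policy decision to document.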

The amendment also requires covered entities to maintain and implement a written incident-response protocol tailored to biometric data. At a minimum, the protocol should incorporate Colorado’s existing breach-notification statute, which, unlike the statutes of many states, already treats biometric data as covered personal information. Whenever there is a “reasonable belief” that a security incident has compromised biometric identifiers, notice to affected individuals must go out within the statutory period (thirty days after the employer determines that a breach occurred), and notice to the Colorado attorney general is required when the breach is reasonably believed to affect 500 or more Colorado residents. See C.R.S. § 6-1-716.

Finally, while the amendment does not provide a private right of action, exclusive enforcement by the Colorado attorney general and district attorneys should not lull employers into complacency. Key operational steps between now and July 1, 2025, include:

  • inventorying systems and devices that capture biometric identifiers of Colorado employees or applicants;
  • verifying that each use fits within the four categories that allow mandatory consent and providing for voluntary consent for all other uses;
  • drafting or revising a biometric privacy policy and consent form that describes collection purposes, retention schedules, destruction methods, notice provisions, and incident-response obligations;
  • evaluating whether vendor agreements that require downstream compliance with the amendment’s retention, deletion, and incident-response obligations are needed; and
  • training human resources, security, and IT personnel on the new statutory framework.

Ogletree Deakins’ Cybersecurity and Privacy Practice Group will continue to monitor developments and will publish updates on the Colorado, Cybersecurity and Privacy, and Multistate Compliance blogs as additional information becomes available.
