The act amends the "Colorado Privacy Act" to add protections for individuals' biometric data by requiring a person that controls or processes one or more biometric identifiers (controller) to adopt a written policy that:
Establishes a retention schedule for biometric identifiers and biometric data;
Includes a protocol for responding to a data security incident that may compromise the security of biometric identifiers or biometric data; and
Includes guidelines that require the deletion of a biometric identifier on or before certain dates.
With certain exceptions, a controller must make its written policy available to the public.
The act also:
Prohibits a controller from collecting a biometric identifier unless the controller first satisfies certain disclosure and consent requirements;
Specifies certain prohibited acts and requirements for controllers that process biometric identifiers and biometric data;
Requires a controller to disclose to a consumer certain information concerning the collection and use of the consumer's biometric identifier;
Restricts an employer's permissible reasons for obtaining an employee's consent for the collection of biometric identifiers; and
Authorizes the attorney general to promulgate rules to implement the act.
APPROVED by Governor May 31, 2024
EFFECTIVE July 1, 2025(Note: This summary applies to this bill as enacted.)

Statutes affected:
Preamended PA1 (02/16/2024): 6-1-1304
Preamended PA2 (04/16/2024): 6-1-1304
Introduced (01/29/2024): 6-1-1304
Engrossed (02/16/2024): 6-1-1304
Reengrossed (02/19/2024): 6-1-1304
Revised (04/18/2024): 6-1-1304
Rerevised (04/19/2024): 6-1-1304
Final Act (05/24/2024): 6-1-1304
Signed Act (05/31/2024): 6-1-1304