
Freshfields Risk & Compliance

Reposted from A Fresh Take

Updates to Colorado Privacy Act Rules for Biometric Data, Data of Minors, and Procedures for Opinion Letters and Interpretive Guidance

The Colorado Attorney General’s Office recently approved amendments to the Colorado Privacy Act Rules (Rules) to clarify upcoming changes to the Colorado Privacy Act (CPA), which create new obligations for entities that process biometric data or the data of minors. The amendments also establish a process for the Colorado Attorney General’s issuance of opinion letters and interpretative guidance regarding the effects of the CPA. Companies subject to the CPA should review their practices regarding the collection of biometric data and/or minors’ data in preparation for these upcoming new requirements under the CPA, as further discussed below.

New Requirements for Processing Biometric Identifiers and Data, Including in the Employment Context

House Bill 24-1130 (House Bill), which goes into effect July 1, 2025, expanded the CPA to create new obligations for entities that collect biometric data. Under the bill, a controller that controls or processes a biometric identifier must adopt a written policy regarding its collection and retention of the data and must provide notice to consumers of its collection of biometric data. Subject to limited exceptions, a controller must make its written policy available to the public. Several of these requirements appear to mirror principles from the Illinois Biometric Information Privacy Act (BIPA), although the CPA (unlike BIPA) does not provide a private right of action for violations of these requirements.

The amendments to the Rules provide clarification on the content, format, and provision of the newly required written biometric data policy and biometric identifier notice. For instance, both a biometric data policy and a biometric identifier notice must be accessible to consumers on all devices through which consumers normally interact with a controller. The amended Rules clarify that a biometric identifier notice may be a separate notice or included within a general privacy notice, although it must be clearly labeled if included within a general privacy notice.

Notably, the House Bill also applies in the employment context: it limits the circumstances in which an employer can condition employment on an employee’s consent to the collection of biometric data, such as to permit access to secure physical locations or to improve workplace safety. “Employee” is defined to include contractors, subcontractors, interns, or fellows, as well as workers classified as employees. The amendments require that employers refresh this consent when processing additional categories of biometric data or when processing biometric data for a use to which the employee has not consented. This is a significant development in the CPA, which has not previously extended to employees.

New Obligations for Processing of Minors’ Data That Extend to Cover Individuals Under 18

Senate Bill 24-041 (Senate Bill), which goes into effect October 1, 2025, establishes enhanced protections for the data of minors, such as requiring a controller to limit its collection and processing of personal data of minors, use reasonable care to avoid any heightened risk of harm to minors caused by its service or product, and conduct data protection assessments for services or products that present a heightened risk to minors. This is significant as the Senate Bill extends enhanced protections for minors to individuals under 18, similar to efforts across multiple states to pass legislation for privacy measures to cover children and teens under 18. 

The amendments to the Rules build on these protections and clarify the meaning of “minor” under the CPA. Among other requirements, controllers must obtain consent of a consumer the controller actually knows is a minor or willfully disregards is a minor before processing that consumer’s personal data or using a design feature to significantly increase that consumer’s use of an online service or product. The amendments also detail the specific requirements of data protection assessments that are required in connection with the processing of minors’ data.

Opinion Letters and Interpretative Guidance

Moreover, the amendments to the Rules establish the process of the Attorney General’s discretionary issuance of opinion letters and interpretative guidance, which was created to assist companies with compliance with the CPA and provide information to the general public regarding their rights. 

The amendments detail the process by which an entity may request an opinion letter from the Attorney General regarding the application of the CPA to that entity’s proposed activities. The Attorney General may also issue statements providing interpretative guidance, including where a request for an opinion letter does not meet the requirements set out in the amendments or where the Attorney General believes that such information will assist an individual, organization, or the general public.

Next Steps

In light of the legislative changes to the CPA and the amendments to the Rules, companies may need to take additional steps to ensure that their handling of biometric data and the data of minors is compliant with the CPA, such as adopting written biometric data policies and biometric identifier notices. Companies should also be mindful of any policies and procedures they may have concerning the collection and processing of minors’ data and update their consent and data protection assessment procedures, as appropriate. These developments are a reminder that while additional states continue to propose and pass comprehensive consumer privacy laws, states, like Colorado, that already have such laws are also continuing to expand them.
