This summer, Colorado employers will be subject to additional regulations around the collection and storage of biometric identifiers and biometric data. On July 1, 2025, the Biometric Amendment to the Colorado Privacy Act will take effect.[1] While largely targeted at the collection and retention of biometric data from consumers generally, the Biometric Amendment also provides new regulations for Colorado employers. These regulations apply to both for-profit and non-profit organizations of any size, even those without any “consumer-facing” business.[2]
But wait— what is a biometric identifier? A biometric identifier refers to the raw “data generated by the technological processing, measurement, or analysis of . . . biological, physical, or behavioral characteristics”, including an individual’s fingerprint, voiceprint, retina scan, and facial geometry. While this data may be used for identification purposes, it need not be. Biometric data, on the other hand, is a narrower category defined as “one or more biometric identifiers that are used or intended to be used for identification purposes, either alone or in combination with personal data.” The distinction is important because employers have certain requirements, depending on the type of information collected. In practice, however, biometric identifiers almost always qualify as biometric data as such information is usually collected for identification purposes.
The first new requirement is that employers must now obtain consent from employees[3] and prospective employees before collecting, processing, or storing biometric identifiers. The consent must be specific, informed, and unambiguous. An employee who opts out of biometric identifier collection cannot be terminated or retaliated against for such election. However, there are exceptions where an employer may condition employment on the usage of biometric identifiers. The exceptions are: 1) to monitor or improve workplace safety; 2) to monitor or improve public safety during emergencies; 3) to record an employee’s work day periods; and 4) to permit access to secure physical locations or secure hardware and software applications.[4] Additionally, the Biometric Amendment preserves an employer’s right to use biometric data within reasonable job-related expectations (i.e. a security guard) and when processing a job application for a background check, identify verification, or similar procedure.
In addition to the consent requirement, employers must also draft and internally distribute a written policy regarding the collection and retention of employees’ biometric identifiers and data. The policy must include a retention schedule, a plan for responding to a security breach, and guidelines for the deletion of biometric identifiers and data. In addition, companies may also need to draft and publish a public-facing privacy notice to disclose consumer biometric collection practices when applicable.
Colorado employers should develop a comprehensive biometric compliance strategy well in advance of the July 1, 2025 deadline. Such companies would be wise to evaluate their current business practices to determine what technologies (including artificial intelligence applications) currently collect or retain biometric data or identifiers. Employers should also design a process through which current and prospective employees may consent to – or opt out of – biometric identifier collection. Finally, companies must establish and implement a written policy outlining the procedures for storage, retention, and security of any biometric identifies and data in their possession.
As with any new regulation, early preparation is key. Building a robust compliance regime in advance will help employers avoid regulatory challenges down the road. As always, our attorneys at Milgrom, Daskam, & Ellis are here to help.
1 See C.R.S. § 6-1-1314.
2 Certain financial institutions, higher education institutions, and government entities are exempt.
3 An employee means an individual who is employed full-time or part time, and also includes contractors, subcontractors, interns, and fellows.
4 Note that this exception does not apply to the use of biometric data for location tracking or tracking of time spent using a hardware or software application.
ABOUT THE AUTHOR
Lindsey is a litigation partner and mom to her one-and-a-half-year-old daughter. Lindsey is proud to work at Milgrom & Daskam, where being a parent and an attorney is celebrated and encouraged. Milgrom & Daskam works to support its working parents by fostering dialogue and understanding.
More Articles
The first returns have arrived in the battle between copyright holders and technology companies over whether AI training on artist data, or the use of AI to simulate artist styles constitute copyright infringement, and they are not encouraging for those who like their art human.
We’ve previously written about Qualified Small Business Stock (QSBS) and the potential tax benefits that come with it if you structure your entity appropriately. The One Big Beautiful Bill Act (OBBBA), which was signed into law on July 4, 2025, expands the tax exemption available for QSBS and now further incentivizes business owners to structure their qualifying companies in a manner that will take advantage of the new rules.
When it comes to owning stock, most people think about the ups and downs of share prices – not the paperwork behind their ownership. However, how your stock is recorded can have real implications. In today’s digitized world, the distinction between certificated and uncertificated stock is more relevant than ever, especially for startups, private companies, and investors managing equity in various forms.
If you’d like more information about who we are and what we do, please reach out to set up a free consultation.
