The bill amends the Colorado Privacy Act to add protections for an individual's biometric data by requiring a person that, alone or jointly with others, determines the purposes for and means of processing biometric data (controller) to adopt a written policy that:
Establishes a retention schedule for biometric identifiers;
Includes a protocol for responding to a breach of security of biometric data; and
Includes guidelines that require the permanent destruction of a biometric identifier by the earliest of certain dates.
The bill also:
Prohibits a controller from collecting a biometric identifier unless the controller first satisfies certain disclosure and consent requirements;
Specifies certain prohibited acts and requirements for controllers that collect and use biometric data;
Requires a controller to allow a consumer to access and update a biometric identifier;
Restricts an employer's permissible reasons for obtaining an employee's consent for the collection of biometric identifiers; and
Authorizes the attorney general to promulgate rules to implement the bill.