Colorado’s attorney general’s office recently updated the Colorado Privacy Act (CPA) rules to introduce new obligations related to biometric data, employee biometrics, children’s privacy, and interpretive guidance for 2025.
Key Changes With New Rules
Three key changes will impact Colorado’s data privacy.
1. New Notice and Consent Requirements for Biometric Privacy
Starting July 1, 2025, organizations collecting biometric data—such as fingerprints, voiceprints, retina or iris scans, etc.—must comply with strict notice and consent obligations if the data is used for unique identification purposes.
Data Controllers (defined under the CPA as individuals or entities determining the purposes and means of processing personal data) must notify individuals before collecting biometric identifiers. This notice must include:
- Details on Data Collection: What biometric data is being collected?
- Purpose: Why the data is being collected.
- Retention Period: How long the data will be stored.
- Sharing Practices: Whether and how the data will be shared.
The notice can be a standalone document or part of a broader privacy policy but must be clearly labeled, easily accessible, and require affirmative, informed consent.
Additionally, for the first time, Colorado employers must obtain written or electronic consent from employees before collecting their biometric data. Employers must obtain new consent if the data is to be used for a new purpose or involves additional types of biometric identifiers. One thing to note is that the law excludes digital or physical photographs and audio or voice recordings from being classified as biometric data—unless biometric identifiers derived from them are used for identification purposes.
2. Protecting Children’s Privacy
Starting October 1, 2025, organizations providing online services, products, or features to consumers who are known or reasonably suspected to be minors must obtain consent from a parent or guardian before processing a minor’s personal data, conduct data protection assessments for any features intended to significantly increase minors’ usage of the product or service, and minimize data retention periods and refrain from using system designs that exploit or manipulate minors’ engagement.
3. Requesting Opinion Letters and Interpretive Guidance
Businesses will soon be able to seek opinion letters and interpretive guidance from the Attorney General to clarify their compliance obligations under the CPA.
These letters could serve as a valuable resource to businesses and employers. Notably, this defense may extend to entities that did not directly request the letter at the discretion of the Attorney General. This represents a shift from previous practices, where such letters only benefited the requesting organizations. Additionally, requesting an opinion letter will not compromise the confidentiality of submitted data protection assessments or waive any legal privilege or work product protection.
What To Do Next
The Department of Law still needs the Colorado Attorney General to sign the final rules. Once that happens, the rules will officially be adopted and take effect 30 days after publication. In the meantime, there are a few steps businesses can take to meet compliance.
- Audit data collection and identify whether systems comply with the new notice and consent rules.
- Update privacy notices by ensuring a clear, broad, accessible section addressing biometric identifiers.
- Train all employees about this new law and review all internal processes and procedures.
- Consider opinion letters from the Attorney General’s office if there is any uncertainty about compliance.
- Begin preparing now! The new rules will take effect as early as July 2025, and early preparation steps will ensure smooth compliance.