Colorado Biometric Privacy Laws: Collection, Consent & Penalties (2026)

Colorado stands out among U.S. states for having two overlapping layers of biometric privacy protection. The Colorado Privacy Act (CPA) has treated biometric data as sensitive data since 2023, requiring affirmative consent before processing. Then in 2024, the legislature passed HB24-1130, creating a dedicated biometric privacy statute (C.R.S. § 6-1-1314) that took effect on July 1, 2025.
This dual framework gives Colorado one of the strongest biometric privacy regimes in the country. If your organization collects fingerprints, facial scans, voiceprints, or other biometric identifiers from Colorado residents, you need to comply with both the CPA's sensitive data rules and HB24-1130's biometric-specific requirements.
For a broader look at Colorado's privacy framework, see the parent guide: [Colorado Data Privacy Laws](/us-laws/data-privacy-laws/colorado-data-privacy-laws).
What HB24-1130 Covers
Governor Jared Polis signed HB24-1130 on May 31, 2024. The bill passed with broad bipartisan support from 34 House members and 13 Senators. It amends the CPA by adding Section 6-1-1314, which focuses exclusively on biometric identifiers and biometric data.
The law defines a biometric identifier as data generated by the technological processing, measurement, or analysis of a consumer's biological, physical, or behavioral characteristics that can be processed to uniquely identify an individual. Specific examples include:
- Fingerprints
- Voiceprints
- Retina or iris scans
- Facial maps, facial geometry, or facial templates
- Other unique biological, physical, or behavioral patterns or characteristics
Biometric data is defined as one or more biometric identifiers that are used or intended to be used, singly or in combination with other personal data, to identify an individual. The law explicitly excludes photographs, audio or video recordings, and data derived from them, unless that data is used for identification purposes.
One notable feature of HB24-1130 is its scope. The CPA generally applies only to entities processing data of 100,000 or more Colorado residents, or 25,000 or more residents if the entity earns revenue from data sales. HB24-1130 removes those numerical thresholds for biometric data, meaning any controller processing biometric identifiers from Colorado residents must comply regardless of volume.
Consent and Disclosure Requirements
HB24-1130 prohibits a controller from collecting a biometric identifier unless it first provides notice and obtains consent from the consumer. The notice must include:
- The specific purpose for collecting the biometric identifier
- The retention period for the biometric data
- Whether the controller will disclose the biometric identifier to any third party
This consent must be affirmative, freely given, specific, informed, and unambiguous. Broad terms-of-service acceptance does not qualify. The controller cannot bury consent in fine print or use deceptive design patterns to obtain it.

Controllers also face restrictions on what they can do with biometric identifiers once collected. They cannot sell, lease, trade, or disclose biometric identifiers to third parties unless the consumer consents, the disclosure fulfills the original collection purpose, the data completes a financial transaction the consumer requested, or the law requires disclosure.
Purchasing biometric identifiers from another party is also restricted. A controller cannot purchase biometric data unless it pays the consumer, obtains consent, and the purchase is unrelated to providing the controller's products or services.
Written Policy Requirements
Any controller that controls or processes biometric identifiers must adopt a written policy covering:
- Retention schedule: How long biometric identifiers and biometric data will be stored
- Security incident protocol: Steps for responding to a data breach that may compromise biometric information
- Deletion guidelines: When and how biometric identifiers will be permanently destroyed
Controllers must make this written policy publicly available. There are limited exceptions: policies that apply only to current employees or that contain internal incident response protocols do not need to be published.
These written policies are not optional. They must be in place before the controller begins collecting biometric identifiers. The Colorado Attorney General has rulemaking authority to set additional standards for what these policies must contain.
Retention and Destruction Timelines
HB24-1130 sets clear deadlines for destroying biometric identifiers. Controllers must permanently destroy a biometric identifier by the earliest of three dates:
- Purpose satisfied: The date when the initial purpose for collecting the biometric identifier has been fulfilled
- 24 months of inactivity: Twenty-four months after the consumer last interacted with the controller
- Earliest feasible date: No more than 45 days after a controller determines through an annual review that storing the biometric identifier is no longer necessary or relevant to the stated processing purpose
If the volume or complexity of biometric data makes the 45-day window impractical, the controller may extend it by up to 45 additional days. That puts the absolute maximum at 90 days from the date the controller determines the data is no longer needed.
Controllers must conduct annual reviews to identify biometric identifiers eligible for deletion. This is not a suggestion. The statute requires it as part of the written policy.
Employer-Specific Protections
HB24-1130 contains some of the strongest employer-specific biometric protections in the country. The law draws a sharp line between what employers can and cannot require.
Permitted uses as a condition of employment:
An employer may require biometric consent as a condition of employment only for these limited purposes:
- Accessing a secure facility or secure hardware (excluding location tracking or monitoring application usage time)
- Recording the start and end times of the workday
- Improving workplace safety or security
- Protecting public safety during emergencies
Prohibited employer conduct:
For any biometric use outside those four categories, an employer cannot require an employee or prospective employee to consent as a condition of employment. Employers also cannot retaliate against any employee or job applicant who refuses to provide biometric consent.

The law broadly defines "employee" to include full-time, part-time, on-call workers, contractors, interns, and fellows. This is significant because the CPA's general provisions historically excluded employment-context personal data. HB24-1130 carves into that exemption to bring biometric protections into the workplace.
If an employer collects fingerprints for a time clock, that falls within the permitted uses. If the same employer wants to use facial recognition to track how long employees spend in certain areas of the building, that requires separate, voluntary consent and cannot be a condition of continued employment.
How HB24-1130 Interacts With the CPA
The Colorado Privacy Act and HB24-1130 work as layered protections, not alternatives. Here is how the two laws interact:
CPA baseline (effective July 1, 2023): Biometric data used to identify an individual qualifies as sensitive data under C.R.S. § 6-1-1303(24). Controllers must obtain affirmative consent before processing any sensitive data. Consumers have the right to access, correct, delete, and port their biometric data. Data protection assessments are required before processing sensitive data.
HB24-1130 additions (effective July 1, 2025): On top of the CPA baseline, controllers processing biometric identifiers must adopt written policies, follow specific retention and destruction schedules, meet heightened disclosure requirements before collection, comply with restrictions on selling or trading biometric data, and follow employer-specific consent rules.
A controller that processes biometric data in Colorado must comply with both sets of requirements simultaneously. The CPA provides the broad sensitive-data framework, and HB24-1130 adds biometric-specific detail.
Consumer Rights for Biometric Data
Colorado residents have several rights over their biometric information under the combined CPA and HB24-1130 framework:
- Right to know: Consumers can ask whether a controller collects their biometric data and what categories are collected
- Right to access: Consumers can request a copy of their biometric data
- Right to correct: Consumers can ask a controller to fix inaccurate biometric information
- Right to delete: Consumers can request deletion of their biometric identifiers
- Right to data portability: Consumers can download and transfer their biometric data in a portable format
- Right to opt out: Consumers can opt out of the sale of their biometric data or its use for targeted advertising
Controllers must respond to consumer rights requests and cannot discriminate against consumers who exercise these rights.
Penalties and Enforcement
HB24-1130 does not create a private right of action. Individual consumers cannot file lawsuits for violations of Colorado's biometric privacy laws. Enforcement authority rests exclusively with the Colorado Attorney General and district attorneys.
Violations of the CPA, including the biometric provisions, are treated as deceptive trade practices under C.R.S. § 6-1-112. Penalties include:
- Up to $20,000 per violation for standard violations
- Up to $50,000 per violation when the victim is 60 years of age or older
- Up to $500,000 for a related series of violations
- No statutory cap on aggregate penalties for unrelated violations

An important enforcement change took effect on January 1, 2025: the 60-day cure period that previously gave businesses a chance to fix violations before facing penalties is no longer required. The Attorney General and district attorneys now have discretion to pursue enforcement actions immediately.
The AG also has rulemaking authority under HB24-1130 to issue rules implementing the biometric provisions. The Colorado Department of Law adopted amendments to the CPA Rules (4 CCR 904-3) in December 2024, with biometric-related rules taking effect alongside HB24-1130 on July 1, 2025. These rules require biometric notices to be "concrete and definitive," clearly labeled within privacy policies, and provided before collection or material processing changes.
How Colorado Compares to Illinois BIPA
Colorado's biometric privacy law is often compared to the Illinois Biometric Information Privacy Act (BIPA), the most aggressive biometric privacy statute in the country. The key differences:
| Feature | Colorado (HB24-1130 + CPA) | Illinois (BIPA) |
|---|---|---|
| Private right of action | No | Yes |
| Statutory damages | None (AG penalties only) | $1,000-$5,000 per violation |
| Consent required | Yes | Yes |
| Written policy required | Yes | Yes |
| Employer restrictions | Detailed, with specific permitted uses | General consent requirement |
| Retention timeline | 24 months or purpose satisfied | 3 years or purpose satisfied |
| Scope threshold | None for biometrics | None |
The lack of a private right of action is the most significant difference. Illinois BIPA has generated hundreds of class-action lawsuits. Colorado's enforcement-only model means the AG decides which cases to pursue.
However, Colorado's employer-specific protections are more detailed than Illinois BIPA's. The explicit list of permitted employment uses and the anti-retaliation provision give Colorado employees clearer protections in the workplace.

This article is for informational purposes only and does not constitute legal advice. Biometric privacy laws and enforcement interpretations change over time. Consult a licensed attorney in Colorado for advice about your specific situation. Last reviewed: March 2026.
Sources and References
- HB24-1130 Privacy of Biometric Identifiers & Data (leg.colorado.gov)
- Colorado Privacy Act (SB21-190) (leg.colorado.gov)
- Colorado Attorney General - Colorado Privacy Act (coag.gov)
- Colorado Attorney General - Consumer Data Protection Laws FAQ (coag.gov)
- 2025 Colorado Privacy Act Rulemaking (coag.gov)
- Colorado AG Launches CPA Enforcement (coag.gov)
- HB19-1289 Consumer Protection Act Penalties (leg.colorado.gov)
- Colorado CPA Final Rules (4 CCR 904-3) (coag.gov)
- 2024 Proposed Amendments to CPA Rules (coag.gov)