Joseph J. Lazzarotti of JacksonLewis writes:
When Colorado enacted the Colorado Privacy Act (CPA), it included “biometric data that may be processed for the purpose of uniquely identifying an individual.” However, the CPA as originally drafted did not cover the personal data of individuals acting in a commercial or employment context. Last week, Colorado amended the CPA to broaden the protections for biometric data when Gov. Jared Polis signed HB-1130 into law.
Application of the CPA Biometric Amendment. Importantly, HB-1130 alters the scope of the CPA’s application.
Recall that under the CPA, a controller is subject to the CPA if it:
(i) determines the purposes and means of processing personal data, (ii) conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to residents of the state, and (iii) either: (a) controls or processes the personal data of more than 100,000 Colorado residents per year or (b) derives revenue from selling the personal data of more than 25,000 Colorado residents.
HB-1130 adds that a controller can be subject to the CPA without meeting the requirements above, provided that it would be subject to the CPA solely to the extent that it controls or processes any amount of biometric identifiers or biometric data.
Read more at Workplace Privacy, Data Management & Security Report.
of Covington and Burling also write about the amendment in their post, Colorado Privacy Act Amended To Include Biometric Data Provisions,