House OKs biometric data regulations, even as business concerns remain

Colorado state Reps. Mike Lynch and Lindsey Daugherty explain HB 1130, their bill on biometric identifiers to the Colorado House in February.

Colorado House members unanimously passed a bill Tuesday that would ban companies from selling biometric data and restrict their collection of the information, but they did so without addressing business leaders’ concerns over how it would apply to employee data.

House Bill 1130, sponsored by Democratic Rep. Lindsey Daugherty of Arvada and Republican Rep. Mike Lynch of Wellington extends the reach of the Colorado Privacy Act, which went into effect on July 1. That law made Colorado one of just a handful of states to give consumers more control over their personal data by allowing them to see data that companies such as retailers may have on them, correct data, demand that such data be deleted and opt out of companies selling such data.

The new bill applies specifically to biometric identifiers such as retinal scans, fingerprints and voice recordings as more companies and employers collect such data and use it for purposes from identity verification to access to physical areas or computer programs. It prohibits sale of such data, gives consumers the same access to this data that they have to personal information through the Colorado Privacy Act and requires businesses to delete biometric identifiers within one year of collection or sooner if consumers request.

Issues for employers

Most business groups agree with the general premise of HB 1130, particularly after Daugherty and Lynch amended the bill to ensure it aligns with the Colorado Privacy Act. But several have concerns that the same limitations on holding and deleting consumer data apply to employee data, which they argued should be treated differently because it is used internally as a security measure rather than as a marketable commodity.

For example, Andrew Kingman of the State Privacy & Security Coalition,noted that stored biometric identifiers could be a key to internal investigations of theft, misconduct or even of data breaches. The way HB 1130 currently is written, an employee who is under investigation could require that their employer delete their data that is central to that investigation, he said.

“Our stores must retain the ability to keep their customers and their team members safe,” added Chris Howes, president of the Colorado Retail Council, which represents large retail chains.

Lack of changes to biometric bill

Daugherty emphasized that the bill does not stop employers from collecting biometric identifiers but does ensure that they maintain the security and privacy of that data. While she and Lynch sought to assuage concerns about duplicative rules by amending the bill to create alignment with the Colorado Privacy Act, neither directly addressed the concerns about employee biometric data in closing comments during a Wednesday House Judiciary Committee hearing or during discussion on the House floor Friday or Tuesday.

“We think this data deserves more protections than other types of data and simply should not be sold,” Daugherty told the House on Friday.

However, the sponsors also did not make any moves to add private rights of action to the bill for company violations of the proposed law, despite two members of the judiciary committee inquiring about such potential additions.

Rep. Stephen Woodrow, D-Denver, said during the committee hearing that two of America’s largest technology firms were forced to pay Illinois a combined $750 million for violation of a similar law in that state and said it seemed like that state’s residents were benefitting from such a clause. He and Rep. Leslie Herod, D-Denver, asked both proponents of the bill and the Colorado Attorney General’s office if HB 1130 would have greater enforceability if individuals could file lawsuits to enforce it.

Private right of action?

A representative for the AG’s office said the bill already proposes giving it broad investigative powers, as well as authority for injunctive relief and monetary penalties against companies that might violate it.

And Anaya Robinson, senior policy strategist for the ACLU of Colorado, said that while a private right of action “isn’t something that we wouldn’t be interested in talking about in the future,” the state already has good enforcement mechanisms in the Colorado Privacy Act that will apply here too.

“I think a lot of it has to do with the political feasibility in a state like Colorado,” Robinson said of the lack of private right of action proposed in the bill. “We want to make sure that this type of data is protected at the highest level as quickly as possible.”

HB 1130 is part of a group of bills this year seeking to bolster the Colorado Privacy Act, including another measure, HB 1058, that adds protections to neural data and that already has passed the House. Further measures are expected to be introduced this year dealing with children’s data and with data related to artificial intelligence.

HB 1130 will head next to the Senate, where it will be assigned to a committee in the coming days.