New Colorado privacy laws to impact “broad swath” of companies

The west side of the Colorado Capitol, as seen in May 2023

Companies that collect biometric or biological data on customers and certain employees must put new guidelines in place around that data, thanks to a pair of laws from the 2024 legislative session that expand the Colorado Privacy Act and take effect today.

House Bill 1058 applies to biological or neural data collected specifically from customers and has provisions that go into place immediately. The bipartisan law will affect companies ranging from those that produce health-focused digital equipment tracking users’ steps and vitals to the small but growing field of firms making gear that monitors neural data.

HB 1130, which becomes law today but contains provisions that won’t be enforced until July 1, impacts employers and product developers that collect biometric data and biometric identifiers such as fingerprints, retinal scans and voice imprints. While this similarly bipartisan law is also consumer-focused, it impacts human-resources data as well, especially for firms that require biometric identifiers to access sensitive computer programs or areas within their facilities.

While the CPA, which went into effect in 2023, applied to companies collecting personal data from at least 100,000 consumers or selling the data of 25,000 or more people, HB 1130 applies to any companies that control and process any amount of biometric data. HB 1058, meanwhile, maintains the same collection and processing minimums as the CPA but expands the protections of that law — including the abilities for customers to see the data collected on them, request changes and request companies to delete it — specifically to a new realm of data.

Companies may not know they are regulated by new laws

Because more companies are using tools like artificial intelligence that incorporate biometric identifiers, the new laws are likely to apply to a larger swath of employers than might think they must comply with them, said Zoe Argento, a shareholder with the Littler law firm who focuses on workplace privacy and information security.

For example, customer-service companies may record calls with software that identifies voices of employees for evaluation purposes, and those firms are therefore collecting biometric data, Argento said. So are companies that use facial-recognition tools to track distracted driving by workers.

Keystroke-logging technology used by some employers to track remote workers is unlikely to obtain the biological, physical or behavioral characteristics that can be processed for the purpose of uniquely identifying an individual and therefore wouldn’t be impacted by the new law, Argento added. Webcams used to monitor remote employees also could collect biometric data — but only if coupled with artificial-intelligence facial-recognition technology and not if used without that technology to periodically check that the employee is working.

“It’s a broad swath of companies that may not even know they are collecting biometric data,” Argento said in an interview.

Zoe Argento is a shareholder at Littler.

What employers must do

To comply with the new laws, companies must take several steps, she suggested.

First, the laws require that employers and companies collecting such data put into place a plan that sets out a retention schedule for the data they collect, a plan for responding to data-security breaches and guidelines on how to delete data upon request.

For the collection of biological and neural data, affected companies must get opt-in consent from customers before they collect and process the data if the data can individually identify a person. That suggests that companies should think hard about whether they want to collect data with individual identifiers and go through the new steps needed to do so, or whether they would prefer to forgo that practice and collect only data that can’t be used to identify someone individually.

“I think the takeaway for companies is to look very closely at what they’re collecting and the purposes for which they’re using it,” Argento said. “Getting consent is a big hurdle.”

Some exemptions to new privacy laws

Firms dealing with HB 1130 requirements can mandate collection of some biometric data as a condition of employment when required for safety and security, for access to secure physical locations and sensitive software and for clocking in and out, she said. But employees must agree to this by July 1.

Employees, however, must consent separately to use of their biometric data for performance evaluation, Argento said. And HB 1130 bars employers in these cases from retaliating against workers who refuse to give their consent, she noted.

So, if employers plan to use software that identifies workers’ voices on calls for purposes of performance monitoring, the workers must agree — or else employers can’t use the tools, Argento said. If that were to happen, employers must consider the implications of using such tools only on consenting workers and not on others, she said.

Precautions for companies to take

In addition to meeting the technical requirements of the new laws, companies collecting and using newly regulated data should be providing heightened controls for customers around this information and using a risk-based approach to determine appropriate safeguards. This is most effective when companies don’t cordon off data privacy as a single vertical unit but integrate it into each department, so that every unit considers privacy in its own operations rather than relegating it to a “final check” before a product is brought to market, said Andrew Kingman, an attorney who has worked with the State Privacy & Security Coalition.

“Organizations that embed data privacy into each business unit and consider the types and uses of data needed to offer a new product or service before or during product design and marketing are going to be the organizations that are in the best position to comply with the Colorado Privacy Act,” Kingman said.

Only the Colorado Attorney General’s office and district attorneys can enforce the law if they receive complaints from consumers or workers that it is being broken, as the bill authors did not include any private right of action. When the CPA went into effect in July 2023, the AG’s office said its goal was to first educate employers who may be running afoul of the law inadvertently before seeking penalties.

Privacy laws impacting business atmosphere?

The authors of the two bills emphasized that their main goal was to give consumers control over their most personal data at a time when such data is too often sold without their permission or stolen by identity thieves. But they also emphasized that they wanted to do so in ways that don’t stifle the innovation offered by companies collecting this data, particularly as more people use products like smart watches and more companies bolster security via retinal scans and other more tamper-proof tools.

“Big technology companies are making remarkable progress with technology that uses biological and neural data, but without proper privacy protections in our state law, this data can be used and sold without consent,” said Rep. Cathy Kipp, the Fort Collins Democrat who co-sponsored HB 1058, in a news release. “Our first-in-the-nation law protects Coloradans from these invasions of privacy while continuing to encourage technological advancements.”

But technology leaders across the country will be watching to see just how the new laws are implemented, particularly as the state begins rulemaking on new artificial-intelligence regulations as well, Kingman said. Bill sponsors and the AG’s office have worked very well with business leaders to be responsive to their concerns, but complying with the new laws still will drive increased costs for companies doing business or considering doing business in Colorado.

“In that way, I don’t want to characterize Colorado as ‘unfriendly’ to business, but I do think it’s fair to say that compliance costs are likely to be higher in the state than they are for most other states’ privacy statutes,” he added.