It has been a busy year for data privacy legislation in North America, and biometric data was a major feature. Illinois set the template years ago with the Biometric Information Privacy Act (BIPA), which requires informed written consent before biometric data is collected, requires destruction of that data once the purpose for collecting it has been satisfied or within three years of the individual's last interaction with the company, whichever comes first, and backs all of this with a private right of action that has proven expensive for defendants. This past year, Colorado amended the Colorado Privacy Act (CPA) with a BIPA-style biometric regime that carries more stringent compliance requirements.
Colorado's biometric updates
Notably, the Colorado amendment reaches every company that uses biometrics for employment purposes, regardless of whether that company meets the CPA's processing thresholds. In other words, for employment biometrics a company has to fully comply with the CPA even if it is not otherwise subject to the law for the other personal data it handles. Additional requirements include:
- Updating the external privacy policy to describe retention periods for biometric data
- Obtaining informed, affirmative consent before processing biometric data
- Maintaining an internal policy that describes the retention, deletion, and security of biometric data
Data protection assessments have been required under the CPA for sensitive data, a category that includes biometric data, since 2023; the new biometric requirements make them an even more pressing item on the compliance checklist. Companies covered by the law also need to be more vigilant about processors that collect data on their behalf, so that they do not unknowingly become controllers of biometric data without the proper compliance measures in place.
Colorado residents also now have enhanced access rights with respect to biometric data, including the right to receive information on:
- The controller's source of the consumer's biometric data
- The purpose for which biometric data (and any associated data) was collected or processed
- The identity of any third party to whom the controller discloses biometric data, along with the purpose for the disclosure
- The category or a description of the specific biometric data that the controller discloses to third parties
Other biometric updates
Texas also enacted a BIPA-like biometrics law this year (effective January 2026). It is less stringent than Colorado's, but it is more likely to be enforced, given the Texas Attorney General's appetite for enforcement on other privacy issues.

California has not addressed biometrics directly, but it recently updated its privacy regulations to strengthen the risk assessment requirements that apply to sensitive data processing. Those updates include notifying the regulator when risk assessments are completed, starting in 2027, with a look-back to 2026. A company whose biometric processing is visible, but that has not notified the regulator of a sensitive-processing risk assessment, is effectively admitting non-compliance.

Canada is also turning its attention to biometric data: the federal privacy regulator issued biometric risk assessment guidance this year, and the Quebec regulator has made it nearly impossible, from a risk calculation perspective, to process biometric information collected within the province.
Action items
- Thoroughly investigate whether you are doing any biometric processing, including through vendors and processors acting on your behalf. If so, work through the remaining steps.
- Ensure you can honor the expanded data subject rights Colorado residents now have over their biometric data.
- Create internal policies governing the retention, deletion, and security of biometric data, or integrate those controls into existing policies, as the law requires.
- Conduct a data protection (privacy impact) assessment for the processing.