The bill prohibits a legal entity that targets products or services to people in Colorado (covered entity) from collecting, storing, or using biometric identifiers of a Colorado consumer unless it:
- Provides the consumer with information about what biometric identifiers are collected;
- Obtains the consent of the consumer to the collection, storage, or use of the biometric identifiers; and
- Informs the consumer that the consumer can revoke consent at any time and how to do so.
If a consumer revokes consent to collect, store, or use biometric identifiers, the covered entity is required to cease collection within 30 days and to delete or destroy any biometric identifiers it has stored. A violation of the bill's requirements is an unfair or deceptive trade practice.
A governmental entity is prohibited from acquiring, possessing, or using biometric identifiers or a biometric surveillance system unless authorized by statute. A governmental entity is prohibited from selling, releasing, or publicly disclosing biometric identifiers or information from a biometric surveillance system in its possession and from buying or otherwise receiving such information from a third party, unless:
- The sale, disclosure, or receipt of the information is necessary to comply with a court order or rule or with state or federal law; or
- The person who is the subject of the information consents in writing.
An individual can bring a private right of action against a governmental entity that violates the bill's requirements. Upon a finding of a violation, a court can award actual damages, punitive or exemplary damages, reasonable attorney fees and costs, and other relief.
"Biometric identifier" is defined to include a retina or iris scan, a voice print, a face print, a fingerprint or palm print, or any other unique identifying information based on an individual's immutable characteristics.
(Note: This summary applies to this bill as introduced.)