Navigating the Colorado Privacy Act Amendments: Biometrics and Child Data
The Colorado Privacy Act (CPA) is emerging as a model for state-level privacy regulation. Recent amendments focus on biometric information and children’s privacy, which, when combined with Colorado’s AI Act (more on this in later posts), arguably put Colorado ahead of California in the race to shame the feds on privacy law. This issue-spotting guide will help you understand the amendments and the steps businesses subject to the CPA must take to comply.
Biometrics: Enhanced Protections for Unique Identifiers
Under HB-1130, biometric data, such as fingerprints, facial geometry (facial recognition) data, and retinal or iris scans, is categorized as sensitive data under the CPA when it is, or can be, used to identify an individual. Starting July 1, 2025, businesses will need additional safeguards when collecting or processing this type of data, in particular explicit consumer consent.
The qualifier in HB-1130 that a biometric must be capable of identifying a person is important: a photograph, by itself, is not biometric information, but a facial-geometry template extracted from that photograph is. Given the recent demonstration by Harvard students who paired Meta smart glasses with a facial-recognition search service to identify strangers from a passing glance, the practical reach of the CPA may soon be broader than intended: any stored image can be turned into an identifier after the fact, and the business holding it may find itself holding sensitive data without ever having meant to collect it.
Key requirements:
Consent must be explicit: Businesses must obtain clear, specific, affirmative consent before collecting or selling biometric data. This differs from Illinois’ BIPA, under which selling biometrics is illegal even with consumer consent.
Limited use: Businesses are restricted in how they can use biometric data. It should only be used for specific, legitimate purposes with non-discriminatory effect.
Data Protection Assessments (DPAs): Before processing biometric data, businesses are required to conduct Data Protection Assessments (DPAs). Think of a DPA as an internal CYA measure; if something goes wrong and you’re asked to explain yourself, your DPA is where you start.
Steps to take:
Update consent mechanisms: Ensure you have an explicit consent process in place before collecting biometric data. I follow GDPR’s model here: no blanket consents, no general checkboxes, plain language, and a description of the intended use.
Conduct DPAs: Perform DPAs when introducing new technologies that utilize biometrics OR when expanding existing processes or uses.
Revisit data storage practices: Ensure that biometric templates are encrypted at rest, that the encryption keys are held separately from the data (a key manager or HSM, not a column in the same database), and that decryption is limited to the purpose the consumer consented to. Set retention periods up front and delete biometric data as soon as the stated purpose no longer needs it. Unlike a password, a fingerprint or face cannot be rotated after a breach, so the only way to limit exposure is to hold less of it for less time.
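The storage step above is the one a security engineer can actually implement, so here is an added example (mine, not the post’s and not anything HB-1130 prescribes) of the pattern it describes: a biometric template is stored only in AES-GCM encrypted form, the subject ID and the consented purpose are bound in as associated data so a record sealed for one purpose cannot be opened under a claim of another, and a retention deadline is recorded at collection time and enforced both on read and by a scheduled purge. The type and function names, the "building-access" purpose, the 90-day window, and the in-memory key and template bytes are all constructed for the illustration; in production the key would live in a KMS or HSM and the template would be a real embedding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// TemplateRecord is one stored biometric template (a face embedding, fingerprint
// minutiae, etc.), kept only in encrypted form. Field names are this example's own.
type TemplateRecord struct {
	SubjectID   string        // pseudonymous key into the consent ledger
	Purpose     string        // the specific use the consumer consented to
	Nonce       []byte        // AES-GCM nonce, unique per record
	Ciphertext  []byte        // AES-GCM output, includes the authentication tag
	CollectedAt time.Time     // when the template was captured
	RetainFor   time.Duration // how long the stated purpose needs it
}

// aad binds the ciphertext to subject and purpose: decrypting with a different
// purpose string fails authentication, so "limited use" is enforced by the crypto.
func aad(subjectID, purpose string) []byte {
	return []byte(subjectID + "\x00" + purpose)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a raw template; the caller should discard the plaintext afterwards.
func Seal(key []byte, subjectID, purpose string, template []byte, collectedAt time.Time, retainFor time.Duration) (TemplateRecord, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return TemplateRecord{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return TemplateRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, template, aad(subjectID, purpose))
	return TemplateRecord{SubjectID: subjectID, Purpose: purpose, Nonce: nonce,
		Ciphertext: ct, CollectedAt: collectedAt, RetainFor: retainFor}, nil
}

// Expired reports whether the retention window has elapsed as of now.
func Expired(rec TemplateRecord, now time.Time) bool {
	return !now.Before(rec.CollectedAt.Add(rec.RetainFor))
}

// Open decrypts only for the purpose the record was sealed under and only
// while the retention window is still open.
func Open(key []byte, rec TemplateRecord, purpose string, now time.Time) ([]byte, error) {
	if Expired(rec, now) {
		return nil, errors.New("retention period elapsed; record should have been purged")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, aad(rec.SubjectID, purpose))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or purpose mismatch")
	}
	return pt, nil
}

// Purge drops every record whose retention window has elapsed and returns the
// rest; run it on a schedule, not only when a consumer exercises a deletion right.
func Purge(records []TemplateRecord, now time.Time) []TemplateRecord {
	var kept []TemplateRecord
	for _, r := range records {
		if !Expired(r, now) {
			kept = append(kept, r)
		}
	}
	return kept
}

func main() {
	key := make([]byte, 32) // constructed key; in production this lives in a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	collected := time.Date(2025, 7, 1, 9, 0, 0, 0, time.UTC)
	template := []byte("constructed-face-embedding-bytes") // stand-in for a real template
	rec, err := Seal(key, "subj-0001", "building-access", template, collected, 90*24*time.Hour)
	if err != nil {
		panic(err)
	}
	if _, err := Open(key, rec, "marketing-analytics", collected.Add(time.Hour)); err != nil {
		fmt.Println("refused:", err)
	}
	pt, _ := Open(key, rec, "building-access", collected.Add(time.Hour))
	fmt.Printf("opened for consented purpose: %q\n", pt)
	fmt.Println("records after purge at day 91:", len(Purge([]TemplateRecord{rec}, collected.Add(91*24*time.Hour))))
}
```

The purpose string in the associated data is the interesting design choice: it turns the "limited use" requirement from a policy promise into something the ciphertext itself enforces, and it gives the DPA a concrete control to point at. Retention is checked twice on purpose; the read-side check catches records the purge job has not reached yet.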
Children’s Privacy: Stronger Protections for Minors
SB-041 sets higher standards for handling data concerning minors (under 18) and children (under 13), similar to the protections under the Children’s Online Privacy Protection Act (COPPA) but adding further clarity and responsibilities for online businesses.
As of October 1, 2025, online businesses will need to meet stringent requirements when collecting, storing, and using children's personal data:
Consent: Before processing a minor’s data for the restricted purposes below, businesses must obtain consent from the minor (under 18) and, for children (under 13), verifiable parental consent as defined under COPPA. This cannot be a passive consent process: a parent must take an active step to approve the data collection, not merely fail to object.
Restrictions on data processing: Without that consent, a business cannot process a minor’s personal data for sale, targeted advertising, or profiling.
Geolocation: Precise geolocation may be collected only where it is necessary for the specific purpose, only for as long as that purpose requires, and with a visible signal to the minor for the entire time it is being collected.
Design: The amendment prohibits use of any system design feature to significantly increase, sustain, or extend a minor’s use of the service. In other words, every social media app and game ever. I expect the regulations on this one will be fun to read.
What businesses should do:
Verify parental consent: Implement parental verification systems that confirm the identity and consent of parents or guardians before collecting any data from children.
Review profiling practices: If your business uses AI or data analytics to target children, ensure you have mechanisms to turn off profiling for children’s accounts unless express parental consent is provided.
Update privacy policies: Clearly outline how children’s data is processed, and ensure your privacy policies reflect the parental rights and consent requirements.
Data Protection Assessment: As with biometrics, before collecting or using any child data, document the purpose, the categories of data collected, the uses of the data, and how the risks to minors are addressed under your process.
The new CPA amendments raise the bar for businesses collecting or processing child or biometric data in Colorado. Privacy Policies, process reviews, and Data Protection Assessments take time and real thought; email codevilla@skandslegal.com for help and war stories about COPPA compliance.