Skip to Content
Client Payment

Events In the News

Expanded Regulation of Biometric Data

on Monday, 22 December 2025 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

As we approach the start of the 2026 legislative session, one topic we will be closely monitoring is proposed legislation for the protection of biometric information.  As many states, including Nebraska, have adopted comprehensive data privacy laws, more prescriptive laws pertaining to the collection, use, and protection of biometric information may follow.  In fact, this is the framework that Colorado applied to modify its comprehensive data privacy law.

Colorado amended its comprehensive data privacy law, the Colorado Privacy Act (“CPA”), to expand protections surrounding biometric data, which took effect July 1, 2025.  Under the CPA, biometric data is a biometric identifier that is used alone or in combination with other personal data to identify an individual.  Biometric identifiers are data generated by the processing of an individual’s biological, physical, or behavioral characteristics, such as, a fingerprint, voiceprint, a scan or record of an eye retina or iris, a facial map, or other biological characteristics.

 As amended, the biometric requirements of the CPA apply to any business that conducts business in Colorado and processes biometric data of a Colorado resident. Controllers that process biometric data have a number of prescriptive requirements under the law, including:

  • Establishing a written policy that outlines the retention schedule for biometric data and identifiers, where biometric identifiers must be deleted upon the earliest of (1) the date upon which the initial purpose for collection has been satisfied, (2) 24 months after collection, or (3) the earliest reasonably feasible date, which is no more than 45 days after determination that retention is no longer needed after an annual review.
  • Providing clear notice to consumers that biometric identifiers are being collected, the purpose of collection, and the length of time that the biometric identifier will be retained.
  • Obtaining consent prior to any disclosure, redisclosure, or dissemination of a biometric identifier.
  • Obtaining consent prior to the collection of the consumer’s biometric data.

Importantly, with some limited exceptions or modifications these biometric requirements even apply to biometric identifiers of employees, where employee data is otherwise exempt from the provisions of the CPA.  We will continue to monitor state legislation surrounding biometric data.

AriAnna C. Goldstein
back

1700 Farnam Street | Suite 1500 | Omaha, NE 68102 | 402.344.0500

Law Firm Website Design