Can you scan IDs in Colorado?
Yes. Colorado law does not regulate a business’s practice of scanning IDs or retaining information obtained from a scan.
There are some instances in which merchants are required to record information related to identity, such as notarial services. ID scanning can improve the ease and accuracy of record keeping in these scenarios.
Summary of Colorado ID Scanning Laws
In the absence of any Colorado statute governing issues associated with a business’s practice of scanning IDs, a business is likely allowed to scan IDs and to retain information obtained from a scan, subject to applicable privacy laws.
Does Colorado offer affirmative defense for ID scanning?
Yes. See the Colorado Liquor Code Exceptions list below.
Does Colorado offer a digital ID?
Yes. Colorado has a mobile drivers license (mDL) via Apple Wallet.
Specifies how controllers must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, care, avoiding unlawful discrimination, and sensitive data. Bill also requires controllers to conduct a data protection assessment for each of their processing activities involving personal data.
- Applies to legal entities that conduct business or produce commercial products or services that are intentionally targeted to Colorado residents and that either:
- Control or process personal data of at least 100,000 consumers per calendar year; or
- Derive revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers; and
- Does not apply to certain specified entities including state and local governments and state institutions of higher education, personal data governed by listed state and federal laws, listed activities, and employment records.
Introduced in House, 01/29/2024.
The bill amends the “Colorado Privacy Act” to add protections for an individual’s biometric data by requiring a person that, alone or jointly with others, determines the purposes for and means of processing biometric data (controller) to adopt a written policy that:
- Establishes a retention schedule for biometric identifiers
- Includes a protocol for responding to a breach of security of biometric data; and
- Includes guidelines that require the permanent destruction of a biometric identifier by the earliest of certain dates.
The bill also:
- Prohibits a controller from collecting a biometric identifier unless the controller first satisfies certain disclosure and consent requirements;
- Specifies certain prohibited acts and requirements for controllers that collect and use biometric data;
- Requires a controller to allow a consumer to access and update a biometric identifier;
- Restricts an employer’s permissible reasons for obtaining an employee’s consent for the collection of biometric identifiers; and
- Authorizes the attorney general to promulgate rules to implement the bill.
Approved by the Governor 05/18/17; effective 08/09/17
A notary public shall maintain a journal in which the notary public chronicles all notarial acts that the notary public performs. The notary public shall retain the journal for ten years after the performance of the last notarial act chronicled in the journal.
A journal may be created on a tangible medium or in an electronic format. if a journal is maintained on a tangible medium, it must be a permanent, bound register with numbered pages. if a journal is maintained in an electronic format, it must be in a permanent, tamper-evident electronic format complying with the rules of the secretary of state.
- An entry in a journal must be made contemporaneously with performance of the notarial act and contain the following information:
- The date and time of the notarial act;
- A description of the record, if any, and type of notarial act;
- The full name and address of each individual for whom the notarial act is performed;
- The signature or electronic signature of each individual for whom the notarial act is performed;
- If identity of the individual is based on personal knowledge, a statement to that effect;
If identity of the individual is based on satisfactory evidence, a brief description of the method of identification and the type of identification credential presented, if any; and the fee, if any, charged by the notary public.
The purpose of these rules is to promote the development and the use of electronic transactions with Colorado public entities, by establishing acceptable technologies for the creation and use of electronic signatures in transactions that require high levels of authentication and security.
These Rules apply to any Colorado public entity transaction where the use of electronic signatures has been expressly authorized by law and where the law mandates that the electronic signatures meet the five-fold criteria set out in CRS 24-71-101(2)
To sell an alcohol beverage to any person under the age of twenty-one years, to a habitual drunkard, or to a visibly intoxicated person, or to permit any alcohol beverage to be sold or dispensed by a person under eighteen years of age, or to permit any such person to participate in the sale or dispensing thereof. If a person who, in fact, is not twenty-one years of age exhibits a fraudulent proof of age, any action relying on such fraudulent proof of age shall not constitute grounds for the revocation or suspension of any license issued under this article or article 46 of this title.
(A) If a licensee or a licensee’s employee has reasonable cause to believe that a person is under twenty-one years of age and is exhibiting fraudulent proof of age in an attempt to obtain any alcohol beverage, the licensee or employee shall be authorized to confiscate such fraudulent proof of age, if possible, and shall, within seventy-two hours after the confiscation, turn it over to a state or local law enforcement agency. The failure to confiscate such fraudulent proof of age or to turn it over to a state or local law enforcement agency within seventy-two hours after the confiscation shall not constitute a criminal offense, notwithstanding section 12-47-903(1) (a).
If a licensee or a licensee’s employee believes that a person is under twenty-one years of age and is exhibiting fraudulent proof of age in an attempt to obtain any alcohol beverage, the licensee or the licensee’s employee or any peace or police officer, acting in good faith and upon probable cause based upon reasonable grounds therefor, may detain and question such person in a reasonable manner for the purpose of ascertaining whether the person is guilty of any unlawful act under this section. Such questioning of a person by a licensee or a licensee’s employee or a peace or police officer does not render the licensee, the licensee’s employee, or a peace or police officer civilly or criminally liable for slander, false arrest, false imprisonment, malicious prosecution, or unlawful detention.
Any licensee or licensee’s employee acting in good faith in accordance with the provisions of subparagraph (II) of this paragraph (a) shall be immune from any liability, civil or criminal; except that a licensee or employee acting willfully or wantonly shall not be immune from liability pursuant to subparagraph (II) of this paragraph (a).
The statutory authority for this regulation includes, but is not limited to, subsections 44-3-103, 44-3-202(1)(b), 44-3-202(2)(a)(I)(A), 44-3-202(a)(I)(R), 44-3-410(2)(a)(IV), and 44-3-901(11) (a), C.R.S. The purpose of this regulation is to define adequate identification criteria for purposes of demonstrating age, and establish the factors of an affirmative defense available to a licensee for an alleged sale to a minor.
Using a biometric identity verification device. For purpose of this regulation, “biometric identity verification device” means a device that instantly verifies the identity and age of a person by an electronic scan of a biometric characteristic of the person, such as a fingerprint, iris, face, or other biometric characteristic, or any combination of these characteristics; references the person’s identity and age against any record of identification described in paragraph (A)(1) of this regulation; and contemporaneously provides the licensee with identity and age verification for the person utilizing the device. Prior to using a biometric identity verification device to verify the identity and age of a person for purposes of this paragraph (A)(2), the licensee shall ensure the device provider has systems in place to: a. Verify the authenticity of any identification records by an electronic authentication process; b. Verify the identity of, and relevant identifying information about, the person through a secondary, electronic authentication process or set of processes utilizing commercially available data, such as a public records query or a knowledge-based authentication quiz; and c. Securely link the authenticated record to biometric characteristics contemporaneously collected from the person and store the authenticated record in a centralized, highly secured, encrypted biometric database.
It shall be an affirmative defense to any administrative action brought against a licensee for alleged sale to a minor if the licensee meets its burden of proof to establish, by a preponderance of the evidence, that: 1. The minor presented fraudulent identification of the type established in paragraph (A) (1) of this regulation, and the licensee possessed an identification book issued within the past two (2) years, which contained a sample of the specific kind of identification presented for compliance purposes, or; 2. The licensee used and relied upon a biometric identity verification device that indicated the minor was twenty-one years of age or older, in accordance with paragraph (A)(2) of this regulation. 3. A licensee asserting the affirmative defense, as described in Paragraph (B)(2) of this regulation, shall be responsible for obtaining, and providing to the Division, all records necessary to establish that a biometric identity verification device was used as age verification for the transaction in question.
Colorado requires dispensary customers to show a federal, state, or tribal ID before entry to the dispensary premises. The Colorado Department of Revenue requires that all dispensaries undergo “MED Training” in order to receive a Responsible Vendor designation, which is focused on preventing sales to minors, as well as acceptable forms of identification (MED Rules M 408 & R 407).
Regarding marijuana delivery, manifests for each cannabis delivery must include name, date of birth, and drivers’ license or ID number. The licensee must verify that these items match the recipient upon delivery (Delivery Transport Manifest Requirements [3-615(G)(5)]).
Colorado is ambiguous when it comes to data retention, but allows for budtenders to record information related to daily maximums and looping.
Additionally, Colorado requires that cameras record budtenders verifying the ID of each customer.