Colorado amends its Privacy Act by adding protection for neural data

On April 17, Colorado Gov. Jared Polis (D) signed into law a bill that will extend privacy rights to individuals’ neural data. Although certain states have enacted privacy laws that include protection of sensitive and biometric data, Colorado’s law is the first that explicitly addresses neural data.

Neurotechnologies and neural data

The Colorado legislation was enacted as a response to advances in neurotechnologies. Neurotechnologies provide insight into, monitor, or affect brain and nervous system activity, including, according to Colorado’s bill, “devices capable of recording, interpreting, or altering the response of an individual’s central or peripheral nervous system to its internal or external environment.” The Colorado bill states that these technologies “raise particularly pressing privacy concerns given their ability to monitor, decode, and manipulate brain activity.”

Neurotechnologies and neuroscience are used primarily in the medical, research, and therapeutic fields, such as brain imaging MRIs. However, the commercial use of neurotechnologies has expanded in recent years. Consumer neurotechnology devices include:

  • Brain-computer interface (BCI) chips and wearable wristbands that interpret and detect electric activity in response to nerve stimulation, which enable individuals to control external devices with their thoughts.
  • Headsets and other wearable devices to help customers find products that best suit them.
  • Technologies that read brain waves to assist with wellness recommendations for personal use.

These devices could collect vast amounts of data generated by activity in the nervous system, such as brain waves, patterns, or signals – information that is regulated in the health care sector for patients but largely unregulated in the consumer context.

Colorado Privacy Act

The Colorado Privacy Act was enacted in 2021 as part of the Colorado Consumer Protection Act. The CPA aims to protect consumers’ personal data, including heightened requirements for personal data that is deemed “sensitive.” For example, the CPA requires businesses to obtain consent from consumers before collecting and processing their sensitive data, and data protection assessments for processing sensitive data.

The new legislation expands the CPA definition of “sensitive data” to include biological data. Biological data is defined as “data generated by the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, psychological, or neural properties, compositions, or activities or of an individual’s body or bodily functions[.]” Biological data specifically includes “neural data,” defined as “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems and that can be processed by or with the assistance of a device.”

Other states are poised to follow Colorado’s lead. California’s Senate Judiciary Committee approved SB 1223, another bill that would expand consumer data protection to include neural data. Minnesota, a state without a comprehensive state consumer privacy statute, is considering a standalone statute, currently HF 1904, to address neurodata.

Business impact

Businesses that collect, process, or share neural data are now subject to the same privacy requirements and consumer protections that apply to other types of personal information. These rights include granting consumers certain rights regarding their neural data, such as the right to access and deletion. Businesses must also provide consumers with clear and transparent notices about how their neural data is being collected, shared, and used. As part of the CPA, the law will be enforced by the Colorado Attorney General’s office, and businesses in violation may be subject to penalties, fines and other remedial measures.

Businesses covered by the CPA should assess whether they are collecting neural data, incorporate neural data into their data governance policies and procedures, review and potentially update privacy notices, and ensure that they are able to comply with consumer rights related to neural data. Although Colorado is the pioneer, as noted, we expect additional states to adopt similar legislation. Thus, even businesses that are not covered by the CPA should stay abreast of developments in this area.

The Constangy Cybersecurity & Data Privacy Team assists entities of all sizes with their information security and privacy needs – from proactive efforts to comply with applicable regulations or guidance to support with a breach.  We are here to help!  The Constangy Cyber Team is available 24/7.  Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 

Subscribe

* indicates required
Back to Page