
Colorado has just become the first state to extend its comprehensive privacy law, the Colorado Privacy Act (“CPA”), to “neural data.” After passing unanimously in the Colorado Senate earlier this spring, bipartisan House Bill 24-1058 “Protect Privacy of Biological Data” was signed into law on April 17, 2024. The new provisions will take effect on August 6, 2024.
In 2021, Colorado enacted the CPA as a comprehensive privacy law to protect the privacy of individuals' data by establishing certain requirements for entities that process personal data. The CPA also describes certain rights that consumers may exercise regarding the processing of their personal data and includes additional protections for sensitive data.1 House Bill 24-1058 represents a legislative response to the proliferation of sophisticated digital health technologies among consumers and the deepening concern of lawmakers and regulators faced with policing a rapidly evolving digital health data landscape using woefully outdated legal authorities. Rep. Cathy Kipp, the bill’s sponsor, expressed heightened concern about the implications of neurotechnology development for consumer data privacy and security: “While neurotechnology has made significant advancements, especially for people with disabilities, bad actors can also use this data to learn how to change people’s thoughts and behavior.”2
The new law attempts to achieve this balance by delineating two types of information that are protected by the CPA. The bill adds two specific categories of information to the definition of “sensitive data”: “biological data” and “neural data.”
- Biological data is data that provides a characterization of the biological, genetic, biochemical, or physiological properties, compositions, or activities of an individual's body or bodily functions generated by the technological processing, measurement, or analysis of an individual's biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or body or bodily functions, which is used or intended to be used, singly or in combination with other personal data, for identification purposes. One type of biological data is neural data.
- Neural data is information that is generated by the measurement of the activity of an individual's central or peripheral nervous systems, including the brain and spinal cord, and that can be processed by or with the assistance of a device. Unlike biological data as defined in the bill, however, neural data does not need to be used or intended to be used for identification purposes.
As a result of the new law, affirmative consent from a consumer will be required to process biological data and, specifically, neural data. Further, such data will be subject to all the other requirements for “sensitive data” under the CPA.
1 The CPA applies to entities that conduct business in Colorado, or produce or deliver commercial products or services that are intentionally targeted to Colorado consumers, and that either control or process the personal data of 100,000 consumers or more during a calendar year, or derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more. The CPA does not apply to protected health information (“PHI”) that is collected, stored, and processed by a covered entity or business associate subject to HIPAA, or to information “maintained in the same manner as” such PHI. The CPA is enforceable by the Colorado Attorney General and the state’s district attorneys and does not provide a private right of action.
2 https://www.cohousedems.com/news/first-in-the-nation-neural-data-protections-bill-advances