Colorado amends its Privacy Act by adding protection for neural data
Posted in Cybersecurity, Data Privacy

On April 17, Colorado Gov. Jared Polis (D) signed into law a bill that will extend privacy rights to individuals’ neural data. Although certain states have enacted privacy laws that include protection of sensitive and biometric data, Colorado’s law is the first that explicitly addresses neural data.

Neurotechnologies and neural data

The Colorado legislation was enacted as a response to advances in neurotechnologies. Neurotechnologies provide insight into, monitor, or affect brain and nervous system activity, including, according to Colorado’s bill, “devices capable of recording, interpreting, or altering the response of an individual’s central or peripheral nervous system to its internal or external environment.” The Colorado bill states that these technologies “raise particularly pressing privacy concerns given their ability to monitor, decode, and manipulate brain activity.”

Neurotechnologies and neuroscience are used primarily in the medical, research, and therapeutic fields, such as brain imaging MRIs. However, the commercial use of neurotechnologies has expanded in recent years. Consumer neurotechnology devices include:

  • Brain-computer interface (BCI) chips and wearable wristbands that interpret and detect electric activity in response to nerve stimulation, which enable individuals to control external devices with their thoughts.
  • Headsets and other wearable devices to help customers find products that best suit them.
  • Technologies that read brain waves to assist with wellness recommendations for personal use.

These devices could collect vast amounts of data generated by activity in the nervous system, such as brain waves, patterns, or signals – information that is regulated in the health care sector for patients but largely unregulated in the consumer context.

Colorado Privacy Act

The Colorado Privacy Act was enacted in 2021 as part of the Colorado Consumer Protection Act. The CPA aims to protect consumers’ personal data, including heightened requirements for personal data that is deemed “sensitive.” For example, the CPA requires businesses to obtain consent from consumers before collecting and processing their sensitive data, and data protection assessments for processing sensitive data.

The new legislation expands the CPA definition of “sensitive data” to include biological data. Biological data is defined as “data generated by the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, psychological, or neural properties, compositions, or activities or of an individual’s body or bodily functions[.]” Biological data specifically includes “neural data,” defined as “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems and that can be processed by or with the assistance of a device.”

Other states are poised to follow Colorado’s lead. California’s Senate Judiciary Committee approved SB 1223, another bill that would expand consumer data protection to include neural data. Minnesota, a state without a comprehensive state consumer privacy statute, is considering a standalone statute, currently HF 1904, to address neurodata.

Business impact

Businesses that collect, process, or share neural data are now subject to the same privacy requirements and consumer protections that apply to other types of personal information. These rights include granting consumers certain rights regarding their neural data, such as the right to access and deletion. Businesses must also provide consumers with clear and transparent notices about how their neural data is being collected, shared, and used. As part of the CPA, the law will be enforced by the Colorado Attorney General’s office, and businesses in violation may be subject to penalties, fines and other remedial measures.

Businesses covered by the CPA should assess whether they are collecting neural data, incorporate neural data into their data governance policies and procedures, review and potentially update privacy notices, and ensure that they are able to comply with consumer rights related to neural data. Although Colorado is the pioneer, as noted, we expect additional states to adopt similar legislation. Thus, even businesses that are not covered by the CPA should stay abreast of developments in this area.

The Constangy Cybersecurity & Data Privacy Team assists entities of all sizes with their information security and privacy needs – from proactive efforts to comply with applicable regulations or guidance to support with a breach.  We are here to help!  The Constangy Cyber Team is available 24/7.  Contact us at breachresponse@constangy.com or by phone at 877-DTA-BRCH.

TAGS: Colorado, Colorado Privacy Act, Consumer Rights, Cyber Team, CyberMonday, Cybersecurity, Data Privacy, Data Security, Neural Data Protection, neurotechnology, Personal Data
Facebook Twitter/X Linkedin Email

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 

Search

Get Updates By Email

Subscribe

Archives

Jump to Page

Constangy, Brooks, Smith & Prophete, LLP Cookie Preference Center

Your Privacy

When using this website, Constangy and certain third parties may collect and use cookies or similar technologies to enhance your experience. These technologies may collect information about your device, activity on our website, and preferences. Some cookies are essential to site functionality, while others help us analyze performance and usage trends to improve our content and features.

Please note that if you return to this website from a different browser or device, you may need to reselect your cookie preferences.

For more information about our privacy practices, including your rights and choices, please see our Privacy Policy. 

Strictly Necessary Cookies

Always Active

Strictly Necessary Cookies are essential for the website to function, and cannot be turned off. We use this type of cookie for purposes such as security, network management, and accessibility. You can set your browser to block or alert you about these cookies, but if you do so, some parts of the site will not work. 

Functionality Cookies

Always Active

Functionality Cookies are used to enhance the functionality and personalization of this website. These cookies support features like embedded content (such as video or audio), keyword search highlighting, and remembering your preferences across pages—for example, your cookie choices or form inputs during submission.

Some of these cookies are managed by third-party service providers whose features are embedded on our site. These cookies do not store personal information and are necessary for certain site features to work properly.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek