Colorado Amends Privacy Act with H.B. 1058, Adding New Protections for Biological and Neural Data

On April 17, 2024, Colorado enacted H.B. 1058, which amends the Colorado Privacy Act (“CPA”) and makes Colorado the first state to explicitly extend the protections of a state comprehensive privacy law to neural data.

The Act expands the definition of “sensitive data” in the CPA to include two newly-added defined terms: “biological data” and “neural data”.

  • “Sensitive data” in the CPA now includes “biological data”, which is data generated by the technological processing, measurement, or analysis of (1) an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or (2) an individual’s body or bodily functions. “Biological data” is data that is “used or intended to be used, singly or in combination with other personal data, for identification purposes.”
  • “Biological data” includes “neural data”, which is information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems and that can be processed by or with the assistance of a device.

The definitions of “biological data” and “neural data” are broad. “Biological data” includes data generated by the technological processing of, among other things, an individual’s physiological properties, body or bodily functions, which potentially includes data generated from an individual’s implants or wearables; however, to be in scope, the data must be “used or intended to be used . . . for identification purposes.”

Conversely, the definition of “neural data” does not require that it be used or intended to be used for identification purposes. Notably, the Colorado legislature declares in the Act that, “because neural data contains distinctive information about the structure and functioning of individual brains and nervous systems, it always contains sensitive information that may link the data to an identified or identifiable individual.”

Applicability

Because the Act is an amendment to the CPA, the CPA’s general applicability requirements apply to these new provisions.

  • The CPA applies to entities that conduct business in Colorado or produce or deliver commercial products or services that are intentionally targeted to Colorado consumers and that either (1) control or process the personal data of 100,000 consumers or more during a calendar year or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of 25,000 consumers or more.
  • Under the CPA, “consumer” means an individual who is a Colorado resident acting only in an individual or household context and does not include an individual acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context. 
  • Additionally, the CPA, including as amended under the Act, does not apply to protected health information (“PHI”) that is collected, stored, and processed by a covered entity or business associate subject to HIPAA, or to information “maintained in the same manner as” such PHI. 

Controller Obligations

The CPA imposes the following obligations on controllers that process biological or neural data (which fall under the category of “sensitive data” in the law):

  • obtain consumers’ affirmative opt-in “consent” to process their biological or neural data;
  • not process biological or neural data without conducting and documenting a data protection assessment of the controller’s processing of such data; and
  • update its privacy notice to reflect whether the controller processes biological or neural data.

Consumer Rights

The rights the CPA provides to Colorado consumers regarding their personal data apply to their biological and neural data. The CPA grants consumers the right to access, correct, and delete their personal data, and the right to opt out of sale, targeted advertising and profiling.

Enforcement

The CPA is enforceable by the Colorado AG and the state’s district attorneys, and does not provide a private right of action.

Effective Date

The new provisions will take effect on August 6, 2024.
