In April, Colorado amended the Colorado Privacy Act (CPA) to include protections for biological and neural data within its comprehensive privacy law. H.B. 1058 expands the definition of "sensitive data" in the CPA to include "biological data" and "neural data."

• "Sensitive data" in the CPA now includes "biological data," which is data generated by the technological processing, measurement, or analysis of (1) an individual's biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or (2) an individual's body or bodily functions. "Biological data is used or intended to be used, singly or in combination with other personal data, for identification purposes."
• "Biological data" includes "neural data," which measures the activity of an individual's central or peripheral nervous systems with or without a device.

The amendment broadly defines "biological data" and "neural data." "Biological data" includes data generated by the technological processing of, among other things, an individual's physiological properties, body, or bodily functions. Additionally, it potentially contains data generated from an individual's implants or wearables. However, to be in scope, the data must be for identification purposes.

"However, the definition of "neural data" does not require using or intending to use it for identification purposes." The Act states that "because neural data contains distinctive information about the structure and functioning of individual brains and nervous systems, it always contains sensitive information that may link the data to an identified or identifiable individual." Because the Act is an amendment to the CPA, the new provisions apply in accordance with the CPA.

The CPA Imposes Obligations on Controllers That Process This Data

Data controllers must:

• Obtain consumers' affirmative opt-in "consent" to process their biological or neural data.
• Not process biological or neural data without conducting and documenting a data protection assessment of the controller's processing of such data.
• Update their privacy notice to reflect whether the controller processes biological or neural data.

The CPA grants consumers the right to access, correct, and delete their personal data. They can also opt out of sales, targeted advertising, and profiling. Moreover, these rights extend to their biological and neural data. Additionally, the CPA is enforceable by the Colorado AG and the state's district attorneys. It does not provide a private right of action.

The new provisions will take effect on August 6. If you'd like to learn more about complying with the Colorado Privacy Act's new protections for biological and neural data, contact us for a free consultation.

‍