On April 17, 2024, the Colorado legislature passed an amendment to the State’s comprehensive privacy law, the Colorado Privacy Act, to provide protections for brain activity data and similar biological data. This is truly a one-of-a-kind development that requires companies that collect this type of data to obtain consent prior to the collection of brain activity data, to be transparent about how such data is used, and to provide residents of Colorado with privacy rights with regard to such data. In this article, we will discuss the Colorado Privacy Act, this amendment to the law, and the privacy risks inherent in the collection of this type of data.
What is the Colorado Privacy Act?
The Colorado Privacy Act is a comprehensive privacy law that went into effect on July 1, 2023, providing rights to residents of the State and requiring businesses to meet privacy compliance requirements. The law applies to businesses that collect the personal data of residents of Colorado and that conduct business in Colorado or deliver commercial products or services that are intentionally targeted towards residents of the State and that:
Control or process the personal data of 100,000 or more Colorado consumers per year; or
Derive revenue or receive a discount on the price of the goods or services from the sale of personal data and process or control the personal data of 25,000 or more Colorado consumers.
The Colorado Privacy Act aims to protect the privacy of residents of the State by providing them with the following rights:
The right to opt out of targeted advertising;
The right to opt out of sales of personal data;
The right to opt out of the use of personal data for the purpose of profiling;
The right to confirm whether a business is processing their personal data;
The right to access the personal data that the business holds about a consumer in a portable format;
The right to correct the personal data that a business holds about the consumer; and
The right to delete the personal data that a business holds about the consumer.
The Colorado Privacy Act covers the personal data of residents of the State, which is defined as “any information that is linked or reasonably linkable to an identified or identifiable individual.” As part of the definition of personal data, the law also covers sensitive data, which includes:
Personal data revealing racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status;
Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual; and
Personal data from a known child.
Since sensitive personal data can reveal intimate details about an individual’s life, companies subject to the Colorado Privacy Act are required to obtain the consent of an individual prior to the collection and use of such data. In addition, companies that process sensitive personal data are required to conduct a data protection impact assessment, which identifies the benefits and risks of the processing of such data.
Colorado Privacy Act amendment
In the recently passed amendment, the Colorado Privacy Act was amended to include biological data in its definition of “sensitive data”, providing additional protections to residents of Colorado. The amendment defines “biological data” as “data that is generated by the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual’s body or bodily functions.” This data includes neural data, which is defined as “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems and that can be processed by or with the assistance of a device.”
This amendment was passed due to a variety of concerns about devices and services that collect the neural data of individuals, including:
The fact that neural data contains distinctive information about the structure and functioning of individual brains and nervous systems;
The collection of neural data involves the involuntary disclosure of information as individuals cannot control the data that is collected by certain devices and services through their brains;
Neurotechnologies can collect information that individuals did not even know existed and this data can be adapted in the future to reveal further information;
While neurotechnologies were previously used in laboratories and medical settings, they are increasingly available to individuals outside of these settings;
Neurotechnologies used outside of the medical setting are currently not regulated by privacy laws in the State.
This new amendment to the privacy law will cover technologies such as Meta’s wristband, which uses a neural interface to control smart glasses and other devices, Meta’s AI system that can decode visual representations and even “hear” what an individual is hearing by studying their brainwaves, and the Neuralink brain implant, which can allow an individual to control devices, such as their phone, through thoughts. While these devices may have seemed like science fiction in the past, they are increasingly being released into markets and collect vast troves of extremely sensitive data. This amendment to the Colorado Privacy Act is certainly a step in the right direction to ensure the protection of privacy for individuals. However, more comprehensive privacy laws across the country, or a federal privacy law, are needed to ensure true protections for individuals and their privacy.
Donata Stroink-Skillrud is an attorney licensed in Illinois and a Certified Information Privacy Professional. She is also the legal engineer behind Termageddon, a SaaS that has generated thousands of Privacy Policies and successfully kept them up to date with changing legislation. Donata is also the Chair of the American Bar Association's ePrivacy Committee and Vice-Chair of the Chicago Bar Association's Cybersecurity and Privacy Committee. Donata is also the past Chair of the Chicago Chapter of the International Association of Privacy Professionals along with being Privacy Liaison for MainWP.