2 minute read | May.01.2024
Legislators in Colorado have passed the first law in the United States meant to protect a consumer’s brainwaves. While advances in neurotechnology such as brain-computer interfaces that can translate a person’s thoughts into actions may bring relief to many, including those with physical impairments, they raise privacy concerns.
The law amends the Colorado Privacy Act (CPA), the state’s comprehensive consumer privacy law. The amendments impose new restrictions on processing “biological data,” defined as “data generated by the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual’s body or bodily functions[.]”
The definition also includes “neural data” – “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems and that can be processed by or with the assistance of a device.”
The law applies CPA obligations regarding sensitive data to processing biological data, including neural data, that is used or intended to be used for identification purposes. These obligations include:
The law does not apply to biological and neural data that constitutes “protected health information” under HIPAA or certain research data. The law focuses exclusively on consumer data that otherwise sits outside the protections of HIPAA and research.
It is unclear how much protection the new law will provide consumers. The law may not apply if the data is merely captured, but not with the intention or for the use of identifying an individual. This is despite the fact that the preamble to the law states: “Because neural data contains distinctive information about the structure and functioning of individual brains and nervous systems, it always contains sensitive information that may link the data to an identified or identifiable individual.”
Legislators in California and Minnesota also are considering protecting neural data.
The Colorado law is to take effect this fall.
Life sciences and health tech companies subject to the CPA should determine if they collect biological and neural data. If they do, they should build out their CPA compliance program to encompass this new category of sensitive data, including developing required notice and consent documents and data protection assessments.
The Orrick Team is monitoring updates and is available to support your organization’s compliance needs. We can help clients build and enhance their consumer health compliance programs tailored to their company’s needs. Please contact the authors (Thora Johnson and Peter Graham) or another Orrick Team member if you have questions.