Client Alerts & Insights
Colorado Close to First-in-the-Nation Neuro-Privacy Law Designed to Protect Biological and Neural Data
April 2, 2024
The amended version of the bill—which itself amends Colorado’s Privacy Act—now heads for final passage and governor signature.
The Colorado state legislature is close to final passage of the “Act Concerning Protection the Privacy of Individuals’ Biological Data”, which once passed, will become the first-in the-nation state law that is specifically designed to add privacy and security protections around the collection, use, and disclosure biological data and neural data.
US state data protection laws have drastically increased in the last couple of years, with 2023 ushering in 8 new US state data protection laws. More are quickly joining the ranks as well, such as New Jersey and New Hampshire so far in 2024.
See the Data Meets World “US State Privacy Laws” page for up-to-date information on all of the US state data protection laws and summaries of their key requirements. See below for discussion on the specific amendments the new bill makes to the existing Colorado Privacy Act.
Amendments to “Sensitive Data” Definition
The new bill adds “biological data” and “neural data” to the definition of sensitive data under the Colorado Privacy Act. As a reminder, the Colorado Privacy Act generally requires prior, opt-in consent before a business is permitted to collect and process a consumer’s sensitive data.
“Biological data” includes any data that:
- is generated by technological processing, measurement, or analysis;
- of (i) an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or (ii) activities or of an individual’s body or bodily functions; and
- which data is used or intended to be used by itself or in combination with other data, for identification purposes.
Biological data is then defined to expressly include another subset of data deemed “neural data”, which is subsequently defined as any data that:
- is generated by the measurement of the activity of an individual’s central or peripheral nervous systems; and
- that can be processed by or with the assistance of a device.
Sensitive data under the Colorado Privacy Act already includes (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).
Conclusion
US state data protection laws are quickly expanding, with a number of state legislatures contemplating broad data protection laws. As those laws become more and more commonplace—with businesses become more familiar with requirements such as robust privacy notices, privacy rights, security requirements—US states are looking to specific subsets of new technologies and identifiable information that may warrant greater protection.
For example, the state of Washington passed the My Health My Data act requiring prior consent for the collection and sharing of consumer health data and the state of Connecticut already amended their data protection law expanding protections for health data and information related to children.
Expect states—even states with broad data protection laws on the books—to investigate expanding greater protection to sensitive categories of data.
As more US states continue to implement new—and amend existing—data protection requirements, the Benesch Data Protection and Privacy team is committed to staying at the forefront of knowledge and experience to assist our clients in compliance efforts. We are available to assist you with any compliance needs.
Luke Schaetzel at lschaetzel@beneschlaw.com or 312.212.4977.
Latest News
Influencer Marketing Under Fire: Gymshark Sued in New Class Action as Plaintiffs Target Undisclosed Paid Endorsements
A growing wave of class actions—like the new suit against Gymshark—targets brands that use influencers without clearly disclosing paid relationships, alleging that “authentic” posts were actually sponsored ads that misled consumers.
DOJ Announces 2026 National Health Care Fraud Takedown: 455 Defendants Charged in $6.5 Billion Enforcement Action
Unprecedented scale and coordination: Department of Justice’s (“DOJ”) 2026 National Health Care Fraud Takedown (the “Takedown”) charged 455 defendants tied to $6.5B in alleged fraud, highlighting a “whole-of-government” and international enforcement approach as it relates to combatting fraud in healthcare.
South Dakota’s Inaugural Anti-SLAPP Statute
South Dakota’s new Uniform Public Expression Protection Act, effective July 1, 2026, gives defendants in SLAPP suits a fast-track procedure for dismissal and fee recovery, expanding protections for free speech and public participation.
Supreme Court Clarifies Judicial Estoppel Standard in Bankruptcy Nondisclosure Cases
The U.S. Supreme Court rejected a rigid rule that often blocked debtors from pursuing claims they failed to disclose in bankruptcy. Courts must now look at the full circumstances before deciding whether an omission was intentional or an honest mistake.