Colorado’s new neuro-privacy law: What does it require, who does it cover, and why does it even exist?
Posted: June 6, 2024
Are you concerned about businesses collecting personal data directly from your brain without consent? No? Well, neurotechnology is still a nascent field. But Colorado is thinking long-term.
The “Centennial State” has just passed an amendment to its privacy law that requires businesses to get consent before processing “neural data.” Here’s a look at why this law passed, who has to comply, and what you’ll have to do in the unlikely event that it applies to your business.
Why has Colorado passed this law?
Protecting the privacy of people’s brainwaves might sound like science fiction. But consumer neurotechnology, while still in its infancy, is close to becoming a reality.
Colorado’s General Assembly passed HB 24 in anticipation of neurotechnology going mainstream – and in recognition of the “exponential growth in the volume and variety of personal data being generated, collected, stored, and analyzed” in general.
Neurotechnologies, states the preamble to HB 24, raise “particularly pressing privacy concerns given their ability to monitor, decode, and manipulate brain activity.” Neural data is “extremely sensitive” and can reveal “intimate information” about a person’s “health, mental states, emotions, and cognitive functioning.”
The bill also suggests that collecting neural data “always involves the involuntary disclosure of information”. Even if a person consents, they are unlikely to fully understand what they are consenting to – and cannot fully control their thoughts.
Who has to comply with Colorado’s new neuro-privacy law?
HB 24 amends the Colorado Privacy Act (CPA). As such, only businesses subject to the CPA have to comply with this new neuro-privacy rule.
As a reminder, you must comply with the CPA if you conduct business in Colorado or produce products or services targeted at Colorado residents, and either:
- Control or process the personal data of 100,000 or more Colorado consumers, or
- Both:
  - Derive any amount of revenue or receive a discount on goods or services through the sale of personal data, and
  - Control or process the personal data of 25,000 or more Colorado consumers.
What does Colorado’s new neuro-privacy law require?
HB 24 adds “biological data” and “neural data” to the CPA’s list of types of “sensitive data.”
Here are the new definitions:
- “Biological data” means data generated by the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual’s body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data, for identification purposes. “Biological data” includes neural data.
- “Neural data” means information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems and that can be processed by or with the assistance of a device.
And here’s a reminder of the other types of “sensitive data” under the CPA:
- Personal data revealing:
  - Racial or ethnic origin
  - Religious beliefs
  - A mental or physical health condition or diagnosis
  - Sex life or sexual orientation
  - Citizenship or citizenship status
- Genetic or biometric data that may be processed for the purpose of uniquely identifying an individual
- Personal data from a known child
As with all types of sensitive data, processing biological data or neural data requires consent.
“Consent” under the CPA means:
“A clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement, such as by a written statement, including by electronic means, or other clear, affirmative action by which the consumer signifies agreement to the processing of personal data.”
The following do not constitute consent under the CPA:
- Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information
- Hovering over, muting, pausing, or closing a given piece of content
- Agreement obtained through dark patterns
How many companies will be affected by this law? Likely not many – yet. Meta and Apple have both patented neurotech devices, and Elon Musk’s Neuralink appears to be making substantial progress.
But legislators need to think about how privacy and other rights could be impacted by technology in future, and Colorado might be the first of many states to pass neuro-privacy legislation.
Consent and preference play pivotal roles in Colorado’s new neuro-privacy law by ensuring that individuals retain control over their most intimate data. The law requires businesses to obtain explicit consent before processing neural data, emphasizing the need for clear, affirmative actions that demonstrate an individual’s informed agreement.
By prioritizing consent, the law safeguards against involuntary data collection and potential misuse of neural information. It also respects personal preferences, allowing individuals to decide how their sensitive neural data is used. This approach not only protects privacy but also supports building trust between consumers and businesses, ensuring ethical use of emerging neurotechnologies.