Colorado protects neural data privacy with new law
Under a new law signed by Colorado Gov. Jared Polis, the state has become the first to offer privacy protections for neural data, data created by the measurement of brain or spinal activity.
The new law, which Polis signed last week, expands the definition of “sensitive data” protected under the Colorado Privacy Act, the state’s 2021 consumer data privacy legislation that went into effect last July. Sensitive data now includes biological data such as neural data, defined as data produced by the brain, spinal cord or an individual’s nerve network that can be processed with the assistance of a device.
The law expands the state’s definition of “sensitive data” to include all biological data, which is “generated by the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual’s body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data, for identification purposes.”
Currently, businesses covered by Colorado’s privacy law must obtain consent before collecting “sensitive data” such as ethnic origin, religion, genetic or biometric data. Now, they must do the same if they wish to collect neural data.
The expansion comes as neural data becomes more accessible through consumer devices, such as electroencephalogram headbands and the implantable computer chips created by Elon Musk’s Neuralink startup, which in January announced it had implanted its first computer chip into a human brain and that it was measuring neuronal activity.
Other states have passed more narrowly focused data privacy laws, including Washington, which last year passed the My Health My Data Act, the first law in the nation to codify into law broad protections for consumer health data not found in the federal Health Information Portability and Accountability Act.
“Neurotechnology is no longer confined to medical or research settings, it’s in devices we use every day,” state Sen. Kevin Priola, one of the bill’s sponsors, said in a news release. “Outside of these settings, neurotechnologies can currently operate without regulation, data protection standards, or equivalent ethical constraints. While neurotechnology has made significant progress in recent years, it’s important we protect users so that their sensitive information isn’t being collected without their control.”
According to the bill text, the law will go into effect 90 days after the legislative session adjourns, which is scheduled for May 8.
