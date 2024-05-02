



Colorado lawmakers have passed the nation's first law aimed at protecting consumers' brainwaves. Advances in neurotechnology, such as brain-computer interfaces that can translate people's thoughts into actions, may bring relief to many people, including people with disabilities, but they also raise privacy concerns.

This legislation amends the Colorado Privacy Act (CPA), the state's comprehensive consumer privacy law. This amendment defines “the biological, genetic, biochemical, physiological, or neurological characteristics, composition, or activity of an individual, or data produced by technical processing, measurement, or analysis of the individual’s body. imposes new restrictions on the processing of “biological data” defined as “biological data”.or body functions[.]”

This definition also includes “neural data,” i.e., “information generated by measurements of the activity of an individual's central or peripheral nervous system and that can be processed by or with the aid of a device.”

This law applies the CPA's obligations regarding sensitive data to the processing of biological data, including neurological data, that is used or intended to be used for identification purposes. These duties include:

We provide additional privacy notice disclosures. Obtain consumer consent before processing such data. We carry out a data protection assessment before starting any data-related processing activities.

This law does not apply to biological or neurological data that constitutes “protected health information” under HIPAA, or to certain research data. This law focuses only on consumer data that is not covered by HIPAA or research protections.

It is unclear how much protection the new law will provide consumers. This law may not apply if the data was simply obtained and was not intended or used to identify an individual. This is despite the fact that the preamble to the law states that “neurological data contains unique information about the structure and functioning of the individual brain and nervous system, Contains sensitive information that may link the person to an identified or identifiable individual.

Lawmakers in California and Minnesota are also considering protecting neural data.

Colorado's law is expected to go into effect this fall.

Life science and health tech companies subject to the CPA must decide whether to collect biological and neurological data. If you do so, you will need to build a CPA compliance program that encompasses this new category of sensitive data, including creating required notice and consent documents and data protection assessments.

The Orrick team monitors updates and can support your organization's compliance needs. We help our clients build and strengthen consumer health compliance programs tailored to the needs of their companies. If you have any questions, please contact the author (Thora Johnson and Peter Graham) or another member of her Orrick team.

