Just five months ago, no state had a statute on the books protecting the privacy of neural data. In just a few weeks, Colorado will.
House Bill 24-1058, titled Protect Privacy of Biological Data, was an early and bipartisan effort of the Colorado General Assembly in its 2024 legislative session. The bill was signed into law by Gov. Jared Polis on April 17, after sailing through both chambers with little dissent. Only three representatives voted against it in the bill’s third reading in the House, and on the Senate side, there wasn’t a single no on the bill’s third reading.
The new law expands the Colorado Privacy Act, broadening the definition of sensitive data to include biological and neural data. While companies still have some time to prepare for the new expansion, time is running short. The law goes into effect on Aug. 7.
To figure out what this new law will mean for companies and consumers, Law Week caught up with Zoe Argento, a shareholder at Littler and co-chair of the firm’s privacy and data security practice group.
“It is a very forward-looking bill,” said Argento. “Though I think we’ll see more along these lines, Colorado is being very cutting-edge here in passing this legislation.”
While the legislation is forward-looking, Argento does think it already has practical applications. For neural data, she gave the examples of helmets for drivers that can tell based on neural patterns whether a driver is sleeping or asleep and headgear for video games or virtual reality that could be picking up signals from the brain.
On the addition of the definition of biological data, Argento said it wasn’t 100% clear where the distinction between biometric data and biological data would be.
“The biological information, more broadly, is interesting because there’s not a lot of daylight between that and the biometric data that was already in the Colorado Privacy Act.”
Covered companies that collect these types of data, or plan to collect them in the future, will need to follow two new compliance obligations.
“The first is the requirement of consent,” said Argento. “So before collecting this biological data, which includes neural data, the company has to obtain consent, and it has to obtain consent in a manner that complies with the definition of consent, which is a fairly high standard. Consent has to be freely given, specific, informed and unambiguous.”
Argento noted that the high standard suggests consent has to be an opt-in, rather than just a pre-checked checkbox or a notice that the company is collecting the information.
The second obligation for companies collecting this data is a data protection assessment.
“Prior to collecting this data, an organization that’s subject to the Colorado Privacy Act has to conduct a data protection assessment, which has to weigh the benefits that flow to the organization collecting this data against potential risk to the rights of the individual,” said Argento.
But not all data collection is created equal in the bill. The new law applies only to data collected from consumers. Argento noted that the law doesn’t apply in an employment context.
“That’s a really important carveout, because there are definitely circumstances in the employment context in which employers might collect this data, and this law would not apply in those circumstances,” said Argento. “And that’s different, for example, than the biometric statute that was just incorporated into the Colorado Privacy Act, because that biometric statute very clearly imposes some obligation on employers.”
Despite the carveout, Argento said that the companies she speaks to aren’t collecting these types of data on employees.
Argento added that many small companies, or even medium-sized companies, wouldn’t be subject to this law.
“The Colorado Privacy Act is unlikely to apply to smaller companies,” said Argento. “It has a high threshold for the number of consumers whose personal data is being processed by the organization in order for the law to apply to that organization.”
What the law doesn’t change is the recourse for violations. Enforcement remains the same. Consumers who believe a company has violated the law will not have a private right of action; they will have to report the violation to a district attorney or to the Colorado Attorney General’s Office.