Concerning protecting the privacy of individuals' biological data, and, in connection therewith, protecting the privacy of neural data and expanding the scope of the "Colorado Privacy Act" accordingly | | | | The new law specifically expands the safeguards for sensitive data under the Colorado Privacy Act, or CPA, to cover neural data. Under the CPA, businesses are required to obtain opt-in consent to process their sensitive data, so businesses will now need to obtain opt-in consent to collect and process neural data. Businesses must also perform data protection assessments when collecting and using sensitive data, meaning that activities involving neural data would also trigger the need to document the benefits, risks and mitigating controls in place for neural data. Colorado's law defines "neural data" as "information that is generated by the measurement of the activity of an individual's central or peripheral nervous systems and that can be processed by or with the assistance of a device." Within the CPA's sensitive data categories, neural data is included as a subtype of biological data, which is generally defined as "data generated by the technological processing, measurement, or analysis of an individual's ... neural properties ... which data is used or intended to be used ... for identification purposes." | | |
