Listen to this post

The amendment to the Colorado Privacy Act, expanding the scope of sensitive data, goes into effect today (August 6). The law will now include as sensitive information biological data that is used for identification purposes. Biological data is data generated by the technological processing of, inter alia, an individual’s physiological and biochemical properties, or a consumer’s body or bodily functions.

On a more unusual front, the law now also includes as sensitive information “neural” data. This is information generated by devices that measure brain activity. Or, as worded by the statute, “information . . . generated by the measurement of the activity of an individual’s central or peripheral nervous system and that can be processed by or with the assistance of a device.”

As a reminder, when processing sensitive information under Colorado’s law, companies must adhere to the following requirements:

  • State which categories of sensitive information they collect in their privacy policy
  • Get consent before collecting and processing that information
  • Respect deletion requests
  • Conduct data protection impact assessments which assessments adhere to rules implemented under the Act

Putting it into Practice: This amendment is the first US privacy law to contemplate “neural” information. We may see similar amendments in other laws, as legislators contemplate new and novel information collection measures.