The Colorado state legislature is close to final passage of the “Act Concerning Protection the Privacy of Individuals’ Biological Data”, which once passed, will become the first-in the-nation state law that is specifically designed to add privacy and security protections around the collection, use, and disclosure biological data and neural data.

US state data protection laws have drastically increased in the last couple of years, with 2023 ushering in 8 new US state data protection laws. More are quickly joining the ranks as well, such as New Jersey and New Hampshire so far in 2024.

See the Data Meets World “US State Privacy Laws” page for up-to-date information on all of the US state data protection laws and summaries of their key requirements. See below for discussion on the specific amendments the new bill makes to the existing Colorado Privacy Act.

Amendments to “Sensitive Data” Definition

The new bill adds “biological data” and “neural data” to the definition of sensitive data under the Colorado Privacy Act. As a reminder, the Colorado Privacy Act generally requires prior, opt-in consent before a business is permitted to collect and process a consumer’s sensitive data.

“Biological data” includes any data that:

1. is generated by technological processing, measurement, or analysis;
2. of (i) an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or (ii) activities or of an individual’s body or bodily functions; and
3. which data is used or intended to be used by itself or in combination with other data, for identification purposes.

Biological data is then defined to expressly include another subset of data deemed “neural data”, which is subsequently defined as any data that:

1. is generated by the measurement of the activity of an individual's central or peripheral nervous systems; and
2. that can be processed by or with the assistance of a device.

Sensitive data under the Colorado Privacy Act already includes (i) race, ethnicity, or religion; (ii) mental or physical health diagnosis; (iii) sexual orientation; (iv) citizenship or immigration status; (v) genetic or biometric data processed with the purpose of identifying an individual; (vi) the personal information of a child (younger than 13); and (vii) a person’s precise geolocation (within a radius of 1,750 feet).

Conclusion

US state data protection laws are quickly expanding, with a number of state legislatures contemplating broad data protection laws. As those laws become more and more commonplace—with businesses become more familiar with requirements such as robust privacy notices, privacy rights, security requirements—US states are looking to specific subsets of new technologies and identifiable information that may warrant greater protection.

For example, the state of Washington passed the My Health My Data act requiring prior consent for the collection and sharing of consumer health data and the state of Connecticut already amended their data protection law expanding protections for health data and information related to children.

Expect states—even states with broad data protection laws on the books—to investigate expanding greater protection to sensitive categories of data.