Colorado’s General Assembly has been busy on the topic of data privacy. During the 2024 legislative session (which adjourned on May 8), lawmakers amended the Colorado Privacy Act no less than three times.

Here is a quick roundup of the recent changes to Colorado’s data privacy law.

HB 1058: Neural Data

Looking forward to technology that doesn’t yet exist (at least not in any consumer-ready form) but may well be developed in the near future, House Bill 1058 provides additional privacy protections for data related to brain activity and other biological processes.

HB 1058 amends the Colorado privacy act by adding two new definitions: “Biological data” and “neural data.” “Biological data” is data generated by technological processing of a person’s biological properties or activities, when that data is used for identification purposes. It specifically includes “neural data,” which is data generated by measurements of a person’s nervous system, such as brain activity.

Concerned that companies may soon be able to process and use such data on a large scale in the future, lawmakers have categorized biological data (and thus neural data as well) as “sensitive data” under the state’s privacy law. Sensitive data may only be processed with a consumer’s consent and after the business has performed a data protection assessment.

Effective Date of HB 1058: August 7, 2024

HB 1130: Biometric Data

On a similar topic, Colorado also passed strong new rules that apply to all processing of biometric data. Crucially, these rules apply to the data of employees as well as other consumers.

It’s also important to note that the new provisions distinguish between biometric identifiers and biometric data. “Biometric identifiers” are data related to a person’s biological, physical, or behavioral characteristics, if that data can be used to identify that person. “Biometric data” is one or more biometric identifiers that are used for identification purposes. Therefore biometric identifiers is a broader category than biometric data, and yet most of the new rules apply to biometric identifiers. This at least opens up the possibility that data such as photos and voice recordings are considered biometric identifiers, even if they are not used to identify anyone.

The key new requirements are:

• Adopting a written policy for the processing of biometric identifiers, including:
  • A data retention schedule
  • A protocol for responding to security incidents that may compromise biometric identifiers or biometric data
  • Guidelines for automatically deleting biometric identifiers at certain points (e.g., when the initial purpose for collecting the data has been satisfied)
• Informing consumers in clear language that a biometric identifier is being collected, the purposes for the collection, how long it will be retained, whether it will be disclosed to a processor, and for what purpose
• Controllers may not sell biometric identifiers
• Controllers may not disclose biometric identifiers to third parties unless the consumer consents or otherwise directs the controller to disclose the data
• Controllers may not discriminate against consumers for refusing consent, unless the biometric identifier is necessary to provide a good or service
• Controllers may not purchase biometric identifiers unless:
  • The controller pays the consumer for the data
  • The data is unrelated to a product or service requested by the consumer, and
  • The consumer has consented
• Storage of biometric identifiers must meet the controller’s industry’s standard of care
• Controllers that meet the CPA’s threshold requirements must respond to access requests by describing what kinds of biometric data it collected and how it was used and disclosed

Also, employers may condition employment on an employee’s consent to the processing of their biometric identifiers for certain limited purposes, such as providing secure access to a software or physical premises.

Effective Date of HB 1130: July 1, 2025

SB 41: Minors’ Data

Colorado also expanded privacy protections for minors under the age of 18.

Interestingly, the new provisions bypass the CPA’s threshold requirements and apply to any controller that does business in the state and offers an “online service, product, or feature” to a consumer who the controller “actually knows or willfully disregards is a minor.” So there may be some businesses affected by these provisions that, until now, had not had to deal with CPA compliance.

Here is a summary of the biggest changes:

• “Minor” means anyone under 18 years old
• With regard to minors, businesses need prior consent (or consent from a guardian if under 13) for:
  • Targeted advertising
  • Data selling
  • Profiling that produces legal or similarly significant results
  • Secondary uses of personal data
  • Keeping data for longer than is reasonably necessary to provide the online service
  • Using any system design feature meant to increase, sustain, or extend a minor’s use of the online service
• Businesses also shall not collect a minor’s precise geolocation without their consent unless:
  • The geolocation data is reasonably necessary to provide the online service
  • The business only collects and retains the geolocation data for as long as necessary to provide the online service, and
  • The business provides a signal to the minor that it is collecting precise geolocation data for the entire time the collection is taking place
• Businesses that offer direct messaging must offer reasonable safeguards to limit unsolicited messages to minors from adults
• If the online service presents a heightened risk of harm to minors, businesses must perform data protection assessment

Effective Date of SB 41: October 1, 2025

‍