It is important to note that sensitive personal data such as genetic and biometric information is a subset of personal data under California and Virginia law and would, therefore, be covered by all provisions pertaining to personal data.8 For digital health technology companies, laws governing biometric information should be of particular interest as it includes any “physiological, biological, or behavioral characteristics” that can be used to “establish individual identity.”9
Although not as restrictive as California and Virginia laws, Colorado’s data privacy law stands out for specific provisions. For example, it applies to nonprofit entities and shares certain obligations with the European Union’s General Data Protection Regulation (“GDPR”), the world’s most rigid privacy and security law.10, 11 Thus, startups that have undergone the EU’s GDPR compliance are primed to succeed in Colorado. Malek also revealed that companies should keep an eye on New York’s newly proposed privacy act, NYPA, which, if passed, would go beyond California and Virginia privacy laws in protecting personal data.