Explore Legal.io

For Clients
Legal.io company logo
Hire Talent
Find the best fit for any legal role
For Members
Jobs
The best legal jobs, updated daily
Salaries
Benchmark compensation for any legal role
Learn
Learn and grow with our community
Events
Connect with peers at exclusive events
Apps
Tools to streamline legal work
Advertise on Legal.io
Post a job for free
Reach more qualified applicants quickly
Advertise with Us
Reach a targeted audience

For Clients

Hire Talent
Legal.io company logo
Solutions
Find the best fit for any legal role
New Hire
Get highly qualified candidates in days
Popular Roles
Data & Tools
Budget Calculator
Plan and manage your legal budget
Salary Insights
Compensation data for legal roles
Vendor Directory
The ultimate list of legal tech tools

Colorado Leads With Privacy Law on Neural Data

Colorado has classified consumer brain waves as "sensitive data" under the Colorado Privacy Act, setting a precedent for data privacy in neurotechnology.

Colorado Leads With Privacy Law on Neural Data

Brain waves are unique vibrations produced by different parts of the brain. Neurotechnology is a tool designed to understand and visualize this brain activity. It measures the electrical activity that occurs when a neuron fires. This activity can indicate various states such as being awake, asleep, anxious, calm, problem-solving, or depressed. Some neurotechnology tools can even alter these waves, which could potentially change the user’s behavior, or even read and store personal information about a user.

As neurotechnology becomes more widely available, there is a risk that private brain wave data could become as widely circulated as credit card data.

Colorado’s Approach to Neural Data

Colorado has classified consumer brain waves as “sensitive data.” As such, they are subject to the Colorado Privacy Act (CPA). This was enacted into law as HB 24-1058. While Colorado is leading the way in explicitly defining neural data under its data privacy statute, California’s State Senate has also passed a measure to protect neural data. Minnesota is considering a similar bill.

In the bill, “neural data” is defined as “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems.” This includes the brain, spinal cord, and all nerves. It can be processed by or with the assistance of a device.

It should be noted that these devices do not include invasive tools like cochlear implants, which are protected under the federal Health Insurance Portability and Accountability Act (HIPAA). Instead, they refer to consumer-grade, noninvasive devices that are readily available through online marketplaces. These devices, such as wellness headbands and wristbands, or gaming headsets, collect neural data but are not subject to medical privacy regulations.

The Implications of the Law on Consumer Data

The collection and potential misuse of consumer neural data may seem like a concept from a science fiction story. However, data privacy attorneys who have researched these tools have expressed concern about the rapid proliferation of technologies that collect neural data. They are also concerned about the lack of laws that effectively regulate them.

At present, noninvasive neurotechnologies make up a small part of the rapidly expanding field of emerging tech. Therefore, the laws that aim to regulate them may overlap in some areas and differ in others. This creates a patchwork of regulations that businesses and lawyers will need to navigate.

Jared Genser, a former DLA Piper Partner, who founded law firm Perseus Strategies and now serves as the General Counsel of the nonprofit NeuroRights Foundation, hopes that these statutes will provide businesses with clear guidelines on how to operate in this new landscape of neurotechnologies. The NeuroRights Foundation has worked closely with the government of Colorado, providing advice and testimony to the State House and Senate.

The Law Is to Protect Sensitive Consumer Data and Not About Neurotech

Genser emphasized that Colorado’s law is not about developing neurotech. It is an amendment to a data protection law and is solely about the collection of data.

The amendment extends the protections awarded to consumers’ sensitive data under the CPA, such as DNA or fingerprints, to include neural data. As with other personal data, consumers will now be able to opt out of the sale and use of their neural data. They will also have the right to access, correct, or delete it, according to the CPA.

“Neural data obtained in a medical context is already protected under HIPAA and state medical privacy laws, but neural data collected by consumer products, even though they use medical-grade brain scanners, have had no protection,” Genser said. “This is because state privacy laws were unintentionally drafted in a way that excluded neural data.”

Indeed, neural data occupies a unique position when it comes to data that originates from the human body. Under traditional privacy terminology, it is not biological, because it measures electrical activity. It is also not biometric, because biometric data refers to an individually identifiable marker that has to be processed outside the body, like an iris scan or a fingerprint.

With neural data now covered by the CPA, many companies will need to update their compliance policies. The CPA applies to entities, including nonprofits, that conduct business or deliver services targeted to Colorado residents. It also applies to entities that process the personal data of more than 100,000 individuals in any calendar year or derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.

Why Is There a Need for Such a Law?

Historically, laws have struggled to keep pace with technological development. However, in the case of neural data, states are taking the lead in regulating a technology before it becomes as widespread as social media or as popular as connected cars.

Genser explained that as he started researching neurotechnologies, he realized that things that he thought might be science fiction are actually already science. An international human rights lawyer, Genser joined Columbia University neuroscientist Rafael Yuste to create the NeuroRights Foundation, which works to put legal guardrails around neurotechnology.

Over a decade ago, Yuste pioneered research on technology that altered mouse behavior using nerve stimulation. He was startled by the potential impact of this technology on humans. Similar mechanisms are now used in meditation or mood-retraining tools like sens.ai or EMOTIV, among others.

The report released by the foundation identifies 30 tools currently on the market that collect neural data. However, the ability of generative AI to better synthesize brain scans and EEGs that the devices monitor means that these tools are likely to proliferate faster.

Until recently, neural data was confined to hospitals and subject to medical-grade stipulations. It did not require much attention from lawmakers drafting consumer data privacy bills. Sara Pullen Guercio, an attorney with Alston & Bird’s Technology and Privacy Group, said that even within legal circles, there wasn’t much talk about “neuropivacy” or “mental privacy” until 2023.

“In large part, that’s because we didn’t have to hear about it. It was mostly in the medical space,” she said. “And now we have this medical technology that’s been built into consumer goods—wearable headbands and brain-computer interfaces—and I think people are starting to pay attention because their consumers are not just patients anymore.”

The amendment to the Colorado Privacy Act to include neural data as sensitive data is a significant step towards protecting the privacy of individuals in the age of neurotechnology. As these technologies become more prevalent and accessible, it is crucial to have laws and regulations in place that explicitly protect the privacy and rights of individuals. The efforts of Colorado in this regard set a precedent for other states and countries to follow, ensuring that as we advance technologically, we are cognizant of the rights of individuals.

Legal.io Logo
Welcome to Legal.io

Connect with peers, level up skills, and find jobs at the world's best in-house legal departments

More from Legal.io

Legal.io Newsletter - January 6, 2023 Edition #140

Published weekly on Friday, the Legal.io Newsletter covers the latest in legal, talent & tech

Legal.io Newsletter - January 6, 2023 Edition #140
Legal OperationsTechnologyIn-House Counsel
Law Firms Embrace Gen AI Training for Summer Associates

Law firms are integrating AI training into their Summer Associate programs to enhance efficiency in routine tasks and prepare for the future of legal work.

Law FirmsTechnology
You Can Live Without a Big Brand on Your Resumé – Here’s Why

Many people think they need their resumé to be peppered with illustrious, big-name firms in order to stand out. The irony, though, is that simply having worked for a company with an office in every global financial center doesn’t actually make you a better lawyer. Of course, when it comes to moving upwards in your career, it’s not always about how good you are but about how good you can show yourself to be. And a well-known name on your resumé is one way to establish some credibility – after all, a firm that takes you onboard might think 'you can’t be too bad!' But if your career to date hasn’t been a parade of plush offices adorned by paintings of the firm’s 19th-century founders, don’t worry – it’s by no means the only way to stand out. Here’s how to shine regardless of where you’ve worked.

You Can Live Without a Big Brand on Your Resumé – Here’s Why
Law FirmsCareer
ACC Law Department Management Benchmarking Report

Despite the surge, legal counsel costs overall took up a smaller percentage of companies’ expenses, while in-house lawyers’ duties continued to broaden to reflect the business landscape’s current challenges.

ACC Law Department Management Benchmarking Report
CareerHiring
3 Tips For Finding Your Dream Job

Full-time workers spend around 2,000 hours per year on their job – not including commuting and late evenings in the office. If your current position is not doing it for you, it’s natural to start daydreaming about more inspiring things. But how can you get yourself from struggling to get out of bed in the morning to raring to go? Read on for a few ideas!

3 Tips For Finding Your Dream Job
Career
Legal.io Newsletter - December 16, 2022 Edition #137

Published weekly on Friday, the Legal.io Newsletter covers the latest in legal, talent & tech.

Legal.io Newsletter - December 16, 2022 Edition #137
Legal OperationsTechnologyIn-House Counsel
Agilent Technologies Appoints Bret DiMarco as Chief Legal Officer

Agilent Technologies announces the appointment of Bret DiMarco as Senior Vice President and Chief Legal Officer, bringing extensive legal expertise to its leadership team.

Agilent Technologies Appoints Bret DiMarco as Chief Legal Officer
CareerGeneral Counsel
Vice President Harris Announces New U.S. Initiatives on AI Use

With these initiatives, the current administration is voicing its commitment to ensuring that AI innovation does not come at the expense of public rights and safety.

Vice President Harris Announces New U.S. Initiatives on AI Use
TechnologyGovernmentPrivacy
Legal.io Logo
Welcome to Legal.io

Connect with peers, level up your skills, and find jobs at the world's best in-house legal departments