Colorado Leads With Privacy Law on Neural Data

Colorado has classified consumer brain waves as "sensitive data" under the Colorado Privacy Act, setting a precedent for data privacy in neurotechnology.

Brain waves are unique vibrations produced by different parts of the brain. Neurotechnology is a tool designed to understand and visualize this brain activity. It measures the electrical activity that occurs when a neuron fires. This activity can indicate various states such as being awake, asleep, anxious, calm, problem-solving, or depressed. Some neurotechnology tools can even alter these waves, which could potentially change the user’s behavior, or even read and store personal information about a user.

As neurotechnology becomes more widely available, there is a risk that private brain wave data could become as widely circulated as credit card data.

Colorado’s Approach to Neural Data

Colorado has classified consumer brain waves as “sensitive data.” As such, they are subject to the Colorado Privacy Act (CPA). This was enacted into law as HB 24-1058. While Colorado is leading the way in explicitly defining neural data under its data privacy statute, California’s State Senate has also passed a measure to protect neural data. Minnesota is considering a similar bill.

In the bill, “neural data” is defined as “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems.” This includes the brain, spinal cord, and all nerves. It can be processed by or with the assistance of a device.

It should be noted that these devices do not include invasive tools like cochlear implants, which are protected under the federal Health Insurance Portability and Accountability Act (HIPAA). Instead, they refer to consumer-grade, noninvasive devices that are readily available through online marketplaces. These devices, such as wellness headbands and wristbands, or gaming headsets, collect neural data but are not subject to medical privacy regulations.

The Implications of the Law on Consumer Data

The collection and potential misuse of consumer neural data may seem like a concept from a science fiction story. However, data privacy attorneys who have researched these tools have expressed concern about the rapid proliferation of technologies that collect neural data. They are also concerned about the lack of laws that effectively regulate them.

At present, noninvasive neurotechnologies make up a small part of the rapidly expanding field of emerging tech. Therefore, the laws that aim to regulate them may overlap in some areas and differ in others. This creates a patchwork of regulations that businesses and lawyers will need to navigate.

Jared Genser, a former DLA Piper Partner, who founded law firm Perseus Strategies and now serves as the General Counsel of the nonprofit NeuroRights Foundation, hopes that these statutes will provide businesses with clear guidelines on how to operate in this new landscape of neurotechnologies. The NeuroRights Foundation has worked closely with the government of Colorado, providing advice and testimony to the State House and Senate.

The Law Is to Protect Sensitive Consumer Data and Not About Neurotech

Genser emphasized that Colorado’s law is not about developing neurotech. It is an amendment to a data protection law and is solely about the collection of data.

The amendment extends the protections awarded to consumers’ sensitive data under the CPA, such as DNA or fingerprints, to include neural data. As with other personal data, consumers will now be able to opt out of the sale and use of their neural data. They will also have the right to access, correct, or delete it, according to the CPA.

“Neural data obtained in a medical context is already protected under HIPAA and state medical privacy laws, but neural data collected by consumer products, even though they use medical-grade brain scanners, have had no protection,” Genser said. “This is because state privacy laws were unintentionally drafted in a way that excluded neural data.”

Indeed, neural data occupies a unique position when it comes to data that originates from the human body. Under traditional privacy terminology, it is not biological, because it measures electrical activity. It is also not biometric, because biometric data refers to an individually identifiable marker that has to be processed outside the body, like an iris scan or a fingerprint.

With neural data now covered by the CPA, many companies will need to update their compliance policies. The CPA applies to entities, including nonprofits, that conduct business or deliver services targeted to Colorado residents. It also applies to entities that process the personal data of more than 100,000 individuals in any calendar year or derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.

Why Is There a Need for Such a Law?

Historically, laws have struggled to keep pace with technological development. However, in the case of neural data, states are taking the lead in regulating a technology before it becomes as widespread as social media or as popular as connected cars.

Genser explained that as he started researching neurotechnologies, he realized that things that he thought might be science fiction are actually already science. An international human rights lawyer, Genser joined Columbia University neuroscientist Rafael Yuste to create the NeuroRights Foundation, which works to put legal guardrails around neurotechnology.

Over a decade ago, Yuste pioneered research on technology that altered mouse behavior using nerve stimulation. He was startled by the potential impact of this technology on humans. Similar mechanisms are now used in meditation or mood-retraining tools like sens.ai or EMOTIV, among others.

The report released by the foundation identifies 30 tools currently on the market that collect neural data. However, the ability of generative AI to better synthesize brain scans and EEGs that the devices monitor means that these tools are likely to proliferate faster.

Until recently, neural data was confined to hospitals and subject to medical-grade stipulations. It did not require much attention from lawmakers drafting consumer data privacy bills. Sara Pullen Guercio, an attorney with Alston & Bird’s Technology and Privacy Group, said that even within legal circles, there wasn’t much talk about “neuroprivacy” or “mental privacy” until 2023.

“In large part, that’s because we didn’t have to hear about it. It was mostly in the medical space,” she said. “And now we have this medical technology that’s been built into consumer goods—wearable headbands and brain-computer interfaces—and I think people are starting to pay attention because their consumers are not just patients anymore.”

The amendment to the Colorado Privacy Act to include neural data as sensitive data is a significant step towards protecting the privacy of individuals in the age of neurotechnology. As these technologies become more prevalent and accessible, it is crucial to have laws and regulations in place that explicitly protect the privacy and rights of individuals. The efforts of Colorado in this regard set a precedent for other states and countries to follow, ensuring that as we advance technologically, we are cognizant of the rights of individuals.
