California has become the second state after Colorado to extend data privacy protections to brain waves after Gov. Gavin Newsom signed into law SB 1223, amending the CCPA to define neural data as persona-sensitive information, effective immediately.
California I the second state following Colorado to regulate neural data, setting a precedent for broader protections.
The law comes with compliance changes for Big Tech companies operating out of the state, especially for those rolling out neurotech consumer products.
California Gov. Gavin Newsom signed SB 1223 into law, amending the California Consumer Privacy Act (CCPA) to include neural data as personal sensitive information, according to a Law.com report. The bill, authored by State Senator Josh Becker, comes into effect immediately.
This makes California the second state after Colorado to define brain waves as sensitive personal information, following an amendment to the Colorado Privacy Act (CPA), ensuring that consumer neurotechnological data is protected similarly to biometric and health data. Both SB 1223 and the Colorado bill were sponsored by the nonprofit NeuroRights Foundation.
Why this matters:
According to a NeuroRights Foundation report, there are currently 30 consumer-grade tools on the market that collect neural data.
Under this new legislation, companies collecting brainwave data, particularly from devices measuring cognitive or neural activity, must now adhere to stricter privacy protocols.
Neural data, or "brain waves," care defined as "information that is generated by measuring the activity of a consumer's central or peripheral nervous system, and that is not inferred from nonneural information."
Neural data will have the same protections under the CCPA as consumer's genetic data, biometric data, precise geolocation data, and credentials to access financial accounts.
Only neural data collected by non-invasive medical grade neurotechnologies will be subject to this bill.
The CCPA and, by extension, SB 1223 apply to businesses with an annual gross income of $25 million or more, if the business buys, sells, or shares the personal information of at least 100,000 California residents, and if the business derives at least 50% of its annual revenue from selling or sharing California residents' personal information.
Neural data definitions in both California and Colorado are too ambiguous and don’t focus enough on “cognitive” or “mental” privacy, according to Nita Farahany, professor of law and philosophy at Duke Science and Society.
Farahany wrote in a post that SB 1223 should also include protections for data from heart rate, eye-tracking, and even fitness wearables.
Jared Genser, a former DLA Piper partner who now serves as the general counsel of NeuroRights Foundation, said non-neural data is not necessarily as dire and revealing as neural data which is collected by invasive neurotechnologies, so it did not need to be covered by the bill.
"Specifically, neural data in California matches the scientific definition of data that can only be captured by medical-grade neurotechnologies and it excludes non-neural inferential data captured from outside the body, which is much less sensitive," Genser said.
For Silicon Valley, where neurotech development is expanding under companies such as Meta or Apple, this regulation adds a layer of complexity. While the list of companies rolling out neurotechnologies subject to SB 1223 largely consists of "only a handful of the smaller neurotech companies that meet" thresholds of CCPA compliance, this is likely to change in the near future.
According to Genser, the first company to roll out neurotech subject to the CCPA will be Meta, with the launch of its Orion AR glasses, which need to be combined with a neurotechnology wristband. Companies working on brain-computer interfaces, EEG devices, and neurofeedback tools will need to overhaul their data handling and consent practices in response to this new legislation.