On September 29, 2024, California took a significant step forward in data privacy protection by passing a law that extends the California Consumer Privacy Act (CCPA) to cover neural data—brain activity and related information collected by neurotechnology. As large companies and startups alike increasingly invest in consumer neurotech products, from apps that track mental health to devices that record brainwaves, the potential for misuse of neural data has raised alarms.
What the Law Does
The new legislation, SB 1223, classifies neural data as “sensitive personal information,” bringing it under the same level of protection afforded to biometric and genetic data. As a result, California residents now have the right to request, delete, correct, and limit the collection of their brain data. The law mirrors similar protections enacted in Colorado earlier this year, reflecting the growing awareness of the need for privacy protections in the neurotech industry.
Why It Matters
Neural data can reveal more than just a person’s cognitive performance; it can expose deeply personal information, such as emotional and mental health states. Unlike existing protections for sensitive health information under HIPAA, which primarily regulate data collected through medical-grade devices (from organizations subject to HIPAA), this law extends protections to consumer-grade neurotechnology—a rapidly growing sector that has largely escaped regulation until now. By extending privacy rights to cover this data, California is ensuring that companies handling such sensitive information must obtain explicit consent and offer robust opt-out mechanisms, aligning with the growing demands for transparency in the use of emerging technologies.
Criticism and Next Steps
Some experts have criticized the bill for not going far enough, arguing that other forms of cognitive biometric data—such as heart rate or eye-tracking—should also be protected under the same legal framework. However, the bill’s proponents believe this law is a critical first step toward ensuring that advancements in neurotechnology are balanced with stringent data privacy protections.
As neurotechnology continues to evolve, it's clear that legislation must keep pace with innovation. California’s new law sets a precedent, not just for the state but potentially for federal regulation, as privacy advocates continue to push for more comprehensive laws that protect both neural and non-neural cognitive data.
Businesses subject to the CCPA should build or revise consent mechanisms to ensure that users can control their neural data, including options to opt out of its collection, request its deletion, or restrict how it is used or shared with third parties. By taking these steps, companies can proactively mitigate compliance risks and avoid potential regulatory scrutiny as these privacy protections take hold in the evolving landscape of neurotechnology.