Consumers have become accustomed to the prospect of their personal data, such as email addresses, social contacts, browsing history and genetic ancestry, being collected and often resold by the apps and digital services they use.
With the advent of consumer neurotechnology, the data collected is becoming increasingly intimate. A headband acts as a personal meditation coach by monitoring the user's brain activity. Another claims to help treat anxiety and symptoms of depression. Another reads and interprets brain signals as the user scrolls through dating apps, presumably to provide better matches. (“'Listen to your heart' isn't enough,” the producer says on his website.)
The companies behind such technologies have access to recordings of users' brain activity: the electrical signals underlying our thoughts, feelings and intentions.
On Wednesday, Governor Jared Polis of Colorado signed a bill that, for the first time in the United States, seeks to ensure that such data remains truly private. The new law, passed by a vote of 61 to 1 in the Colorado House and 34 to 0 in the Senate, expands the definition of “sensitive data” in the state's current personal privacy law to include biological data and “neural data” generated by the brain, spinal cord, and network of nerves that transmit messages throughout the body.
“All that we are is in our minds,” said Jared Genser, general counsel and co-founder of the Neurorights Foundation, a science group that supported passage of the bill. “What we think and feel, and the human brain's ability to decode it, could not be more intrusive or personal to us.”
“We're really excited to see a real bill signed into law that will protect people's biological and neurological data,” said Representative Cathy Kipp, Democrat of Colorado, who introduced the bill.
Senator Mark Baisley, Republican of Colorado, who sponsored the bill in the upper chamber, said: “I feel really good that Colorado has led the way in addressing this issue and providing proper protections for people's unique privacy. I am really happy with this signing.”
The law targets brain technologies at the consumer level. Unlike sensitive patient data obtained from medical devices in clinical settings, which is protected by federal health law, data related to consumer neurotechnologies is largely unregulated, Genser said. This loophole means that companies can collect vast amounts of highly sensitive brain data, sometimes over an unknown number of years, and share or sell the information to third parties.
Supporters of the bill have expressed concern that neural data could be used to decode a person's thoughts and feelings or to learn sensitive facts about an individual's mental health or physical condition, such as whether someone has epilepsy.
“We have never seen anything with this power before: to identify, encode people and discriminate people based on their brain waves and other neural information,” said Sean Pauzauskie, a member of the board of directors of the Colorado Medical Society, who first brought the matter to Ms. Kipp's attention. Mr. Pauzauskie was recently hired by the Neurorights Foundation as medical director.
The new law extends to biological and neural data the same protections afforded by the Colorado Privacy Act to fingerprints, facial images and other sensitive biometric data.
Among other protections, consumers have the right to access, delete and correct their data, as well as opt out of the sale or use of their data for targeted advertising. Companies, in turn, face strict regulations on how they handle that data and must disclose the type of data they collect and their plans for it.
“Individuals should be able to control where that information — that personally identifiable and perhaps even personally predictive information — goes,” Baisley said.
Experts say the neurotechnology industry is poised to expand with the involvement of major tech companies such as Meta, Apple and Snapchat.
“It's moving rapidly, but it's on the verge of growing exponentially,” said Nita Farahany, a professor of law and philosophy at Duke.
From 2019 to 2020, investments in neurotech companies increased by around 60% globally and amounted to around $30 billion in 2021, according to a market analysis. The industry gained attention in January, when Elon Musk announced on X that a brain-computer interface made by Neuralink, one of his companies, had been implanted in a person for the first time. Mr. Musk has since said the patient had made a full recovery and was now able to control a mouse purely by thought and play online chess.
While strangely dystopian, some brain technologies have led to revolutionary treatments. In 2022, a completely paralyzed man was able to communicate using a computer simply by imagining his eyes moving. And last year, scientists managed to translate the brain activity of a paralyzed woman and broadcast her speech and facial expressions through an avatar on a computer screen.
“The things people can do with this technology are amazing,” Ms. Kipp said. “But we just think there should be guardrails for people who don't want to read their thoughts and use their biological data.”
This is already happening, according to a 100-page report released Wednesday by the Neurorights Foundation. The report analyzed 30 consumer neurotechnology companies to see how their privacy policies and user agreements aligned with international privacy standards. It found that only one company significantly restricted access to a person's neural data, and that nearly two-thirds could, under certain circumstances, share the data with third parties. Two companies have hinted that they have already sold such data.
“The need to protect neural data is not a problem of tomorrow, but of today,” said Genser, one of the authors of the report.
Colorado's new bill won resounding bipartisan support, but faced fierce outside opposition, Baisley said, especially from private universities.
Testifying before a Senate committee, John Seward, research compliance officer at the University of Denver, a private research university, noted that public universities were exempt from the Colorado Privacy Act of 2021. The new law puts private institutions at a disadvantage, Mr. Seward testified, because they will be limited in their ability to train students who use “the tools of the trade in neural diagnostics and research” solely for research and teaching purposes.
“The playing field is not level,” Mr. Seward testified.
Colorado's bill is the first of its kind to be signed into law in the United States, but Minnesota and California are pushing for similar legislation. On Tuesday, the California Senate Judiciary Committee unanimously passed a bill defining neural data as “sensitive personal information.” Several countries, including Chile, Brazil, Spain, Mexico and Uruguay, have already enshrined the protection of brain data in their constitutions at the state or national level or have taken measures to do so.
“In the long term,” Genser said, “we would like to see global standards developed,” for example by extending existing international human rights treaties to protect neural data.
In the United States, supporters of Colorado's new law hope it will set a precedent for other states and even give momentum to federal legislation. But the law has limitations, experts noted, and may only apply to consumer neurotechnology companies that collect neural data specifically to determine a person's identity, as the new law specifies. Most of these companies collect neural data for other reasons, such as to infer what a person might be thinking or feeling, Ms. Farahany said.
“You won't worry about this Colorado law if you're one of those companies right now, because none of them use them for identification purposes,” she added.
But Genser said the Colorado Privacy Act protects all data that qualifies as personal. Since consumers must provide their name to purchase a product and agree to the company's privacy policies, this use falls under personal data, he said.
“Given that consumer neural data was previously not protected at all under the Colorado Privacy Act,” Genser wrote in an email, “now labeling it as sensitive personal information with protections equivalent to those of biometric data is an important step forward.”
In a parallel Colorado bill, the American Civil Liberties Union and other human rights organizations are pushing for stricter policies regarding the collection, retention, storage and use of all biometric data, whether for identification purposes or not. If the bill passes, its legal implications would apply to neural data.
Big tech companies played a role in shaping the new law, arguing that it was overly broad and risked harming their ability to collect data not strictly related to brain activity.
TechNet, a policy network representing companies like Apple, Meta, and OpenAI, successfully pushed to include language focusing the law on regulating brain data used to identify individuals. But the group failed to remove the language that governs data generated by “an individual's body or bodily functions.”
“We felt this could address a number of things that all of our members do,” said Ruthie Barko, TechNet's executive director for Colorado and the central United States.