California and Colorado Establish Protections for Neural Data
When one hears the term “neural data,” a brain implant comes to mind, alongside concerns about these neurotechnologies being able to read our innermost thoughts. Generally, implantable devices such as these are considered medical devices and are regulated as such. External devices, however, are becoming more commonplace. Devices assisted by artificial intelligence (AI) technologies are adding an extra layer of accuracy when measuring individuals’ interactions with their environments and complexity when that data is combined with non-neural data.
For example, last year, a large technology company announced that it was developing augmented reality glasses and wrist devices which would contain a “neural interface” that would allow control of these devices, although the specific functionality has yet to be revealed. Consumers can also purchase a headband that uses electroencephalogram (EEG) technology to measure electrical activity in the brain during meditation and sleep, which can then provide tailored feedback. While neurotechnologies provide an exciting new frontier for integration into consumer products, privacy advocates warn that the processing of this data is especially intrusive as it can involuntarily reveal information about health, emotions, and general cognitive function.
As often happens with emergent technologies, such as AI, regulators are grappling with how best to avoid privacy harms. Earlier this year, Colorado passed legislation (H.B. 24-1058) to amend the Colorado Privacy Act (CPA), carving out neural data as a specific category of sensitive personal data, the collection and processing of which requires heightened protections and compliance obligations. These amendments took effect on August 7. Last week, California Governor Gavin Newsom signed similar legislation (A.B. 1008 and S.B. 1223) amending the California Consumer Privacy Act (CCPA) to also categorize neural data as sensitive personal data, with those provisions taking effect on January 1, 2025.
So what exactly is “neural data”? The CPA defines “neural data” as “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems[1] and that can be processed by or with the assistance of a device.” The CPA also adds the category of “biological data”[2] to its definition of sensitive personal data, likely in an effort to expand the limited definition of biometric data. Notably, “biological data” includes “neural data.” A scenario in which “neural data” would be collected and processed would be when an individual uses an augmented reality headset while gaming. The photoreceptors in the individual’s eyes (the sympathetic nervous system) react to the video game imagery, sending signals to the individual’s brain (the central nervous system), triggering a dilation of the pupils that is interpreted by the headset’s neurotechnology (the device) as excitement, which could be used by the game developer for advertising or product improvement purposes.
Notably, the CCPA limits its definition of “neural data” to “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems,” omitting Colorado’s reference to measurement by a device, thereby increasing the scope of what could be considered “neural data.” For example, employees stating they have lost their sense of smell on a COVID-19 symptom survey taken at a worksite could arguably qualify as neural data. Additionally, features like sentiment analysis, which analyzes text or voice data to determine the emotional tone of an individual’s reactions or communications, could also now be categorized as “neural data.”
Companies operating in the neurotechnology space should first determine whether they fall within the scope of any US state comprehensive privacy laws (see here and here), especially the CPA and CCPA, so they can meet the myriad of compliance obligations required under those laws. Entities that fall outside the triggering thresholds of the aforementioned laws should carefully monitor this space for additional regulatory updates.
If you have any questions, please contact our Privacy, Data Protection & Data Security team or the ArentFox Schiff attorney with whom you work.
[1] While not defined within either law, the central nervous system consists of the brain and spinal cord, while the peripheral nervous system is comprised of nerves and similar structures that lie outside of the brain and spinal cord, collecting sensory data from the environment and reporting back to the central nervous system which processes that data and determines whether action needs to be taken.
[2] “Biological data” is defined as “data generated by technical processing, measurement, or analysis of an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or activities of an individual’s body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data for identification purposes.”
Contacts
- Related Practices