As we outlined in our previous blog article, California recently became the second state to enact a law safeguarding consumer brain data, following a similar law passed by Colorado in April. Both state laws prevent the sale or unauthorized sharing of data generated by consumer neurotechnology products. Under these new state privacy laws, companies must disclose the types of brain data they collect and their uses and disclosures of it.

The amendment adds brain data (i.e., neural data) neural data to the definition of personal information and will take effect on January 1, 2025. Neural data is information derived from an individual’s brain, spinal cord, or nervous system, which is collected and interpreted by a device. Neurotechnology includes any device designed to understand brain activity or visualize brain processes. These products, which are becoming more accessible to consumers, can be beneficial as they can improve or repair brain functions. Additionally, these products have the ability to observe and record brain data, which could, in turn, be used to determine consumers’ emotions and preferences and infer thoughts, all of which raise privacy concerns.

These technologies are not novel; they have been used to diagnose and treat neurological disorders and alleviate systems of neurological diseases such as epilepsy. The novelty lies in the use of neurotechnology outside of the clinical setting by consumers on the free market.

Consumers can purchase headbands to help them meditate and earbuds to monitor stress levels and other brain activity. Without appropriate regulation of this data and its use, companies could misuse the data for behavioral advertising, profiling, and/or discrimination. Further, if not secured properly, this type of data could be sought after by cybercriminals due to its sensitive, valuable nature. Similar to biometric data, brain data is uniquely tied to an individual’s identity. If an individual’s brain data is compromised, it cannot be replaced or updated in the same way that a credit card account number can be canceled and reissued.

We’ll continue to monitor the regulatory landscape for additional state amendments that are likely to come.

Photo of Kathryn Rattigan Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security…

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island. Read her full rc.com bio here.