On April 17, Colorado became the first state to provide consumer privacy protections for data generated from a person's brain waves.
The new law, H.B. 24-1058,[1] specifically expands the safeguards for sensitive data under the Colorado Privacy Act,[2] or CPA, to cover neural data.
The Broader Ecosystem of Neurodata
Colorado's law is the latest in an emerging series of regulatory efforts for neural data, also known as neurodata.
"Neurodata" is generally defined as information generated by a person's brain, spinal cord, or nervous system that is collected and interpreted by a device.
Research suggests neurodata can be used to accurately identify persons and even provide insights into their memories, biases and intentions. Devices and processes used to collect and interpret neurodata are referred to as neurotechnology.
Neurotechnology includes:
- Devices and processes used to collect raw neurodata, such as electroencephalography, electromyography and functional magnetic resonance imaging;
- Devices and processes used to interpret raw neurodata, such as software and artificial intelligence; and
- Devices that moderate neural input or output, such as ones that could alter a person's consciousness or cause hallucinations — technology not yet available but contemplated by certain laws.
Neurotechnology once only available to patients in a medical setting is now commercially available to consumers.
Wearables, such as electroencephalogram headbands[3] used by consumers to track their brain waves to measure the quality of their attention or sleep, are relatively inexpensive and widely available.
Meta Platforms Inc. also recently reported its development of noninvasive electromyography wristbands[4] that will enable consumers to type or move a cursor on a screen using only their minds.
The Colorado Law
Colorado's law extends the CPA's general protections for sensitive data to include neural data.
Under the CPA, businesses are required to obtain opt-in consent before processing a consumer's sensitive data, so businesses will now need to obtain opt-in consent to collect and process neural data.
Businesses must also perform data protection assessments when collecting and using sensitive data, meaning that activities involving neural data would also trigger the need to document the benefits, risks and mitigating controls in place for neural data.
Colorado's law rather vaguely defines "neural data" as "information that is generated by the measurement of the activity of an individual's central or peripheral nervous systems and that can be processed by or with the assistance of a device."
But within the scheme of the CPA's sensitive data categories, neural data is included as a subtype of biological data, which is generally defined as "data generated by the technological processing, measurement, or analysis of an individual's ... neural properties ... which data is used or intended to be used ... for identification purposes."
This ambiguous definitional structure and other CPA exemptions and exceptions mean that interpretive questions remain concerning how neural data will be regulated in Colorado. Key issues include the following.
Definitional Ambiguity
The definitions of both "neural data" and "biological data" are vague and ambiguous.
It's unclear whether neural data includes both the raw data collected from the nervous system — e.g., an EEG — and the inferences and conclusions drawn from such raw neurodata, or whether neural data triggers CPA protections whenever it's collected or only when it's "intended to be used for identification purposes."
The Colorado law's definition of "neural data" may only cover raw neural data and not inferences obtained from processing such neural data.
But neurodata is often interpreted as naturally having at least two components:
1. The initial signal collected from the person as recorded by a device; and
2. The interpretation of the data derived from the device or provided by a secondary device.
For example, in its June 2023 report[5] on neurotechnology, the U.K. Information Commissioner's Office defines "neurodata" as "first order data gathered directly from a person's neural systems (inclusive of both the brain and nervous systems) and second order inferences based directly upon this data."
When we compare the ICO's definition of "neurodata" with the definition of "neural data" in the Colorado law, it's unclear from the Colorado law whether inferences obtained from the processing of neural data are intended to be considered as information that is generated from neural activity.
If regulators determine inferences are not included as a part of neural data, companies may have more freedom to use conclusions drawn from raw neural data for certain business purposes.
The Colorado law's definition of biological data also muddies the waters as to the scope of neural data.
Under Colorado's law, information classified as biological data must be used for identification purposes. This requirement introduces an additional layer of ambiguity to the definition of neural data.
While the definition of "neural data" doesn't include an express requirement that it be used for identification purposes, neural data is nested under biological data, and it can be argued that the identification purposes requirement of biological data also applies to neural data.
This requirement would greatly narrow the applicability of Colorado's law and exclude the types of neurodata collected for nonidentification purposes, such as attention tracking.
The identification purposes requirement also makes it difficult to distinguish between biological data and biometric data.
The definition of "biological data" tracks closely to the definitions of "biometric data" and "biometric identifiers" in the CPA regulations.[6] These similarities may make it difficult to find daylight between the two terms.
Exemptions and Exceptions of CPA Still Apply
The Colorado law doesn't alter the exemptions or exceptions that apply to the CPA more broadly.
For example, the CPA doesn't apply to employee or job applicant data, common exemptions in general state privacy laws. This means companies looking to track employee attention,[7] biases and burnout using neurotechnology may not be subject to Colorado's law when doing so.
The CPA also does not apply to publicly available information, which includes information a consumer has intentionally made available online where the consumer "has not restricted the information to a specific audience." For example, companies that make neurotechnology wearables may allow consumers to post images of their brain waves collected via a headband or earbuds to their social media pages.
Social media pages can arguably be restricted to a specific audience, e.g., "friends only" posts, but they can be public as well — and even if not, friends can reshare publicly. Thus, if a person's neurodata that they voluntarily post online is deemed publicly available information, such neurodata will fall outside the scope of the Colorado law.
Effective and Informed Consent
There will likely be questions on how to collect effective consent for processing neurodata, given the complexity of the data itself and the seemingly limitless potential for future use cases.
The drafters of the Colorado law appear to suggest there are open questions as to whether effective informed consent to process neural data can even be obtained.
The preamble to the Colorado law states: "Even if individuals consent to the collection and processing of their [neural] data for a narrow use, they are unlikely to be fully aware of the content or quantity of information they are sharing."
The language in the preamble is nonbinding, but it may serve as a harbinger for further updates to the CPA regulations in this area.
Currently, the CPA regulations require consent to be:
- Indicated through "clear affirmative action," via deliberate and clear conduct or a statement that clearly indicates acceptance of the proposed processing;
- "Freely given," which means the controller cannot withhold services if consent is refused, unless the information is required to perform a service;
- "Specific" to each processing purpose; and
- "Informed," which requires explaining the reason consent is required and the purposes for which the requested data will be processed.
These requirements are already complex. Still, one could imagine the drafters of the Colorado law considering additional neural-data-specific requirements for obtaining valid consent.
California and Minnesota Neuroprivacy Legislation
Neuroprivacy bills have been introduced in California and Minnesota.
Like the Colorado law, California's S.B. 1223[8] proposes expanding the state's consumer privacy law, the California Privacy Rights Act, to include neural data and classify it as a type of sensitive data.
Minnesota doesn't have a similar state consumer privacy law, but Minnesota's S.F. 1110[9] includes amendments to the state's statutes governing data practices, computer damages and unauthorized computer access — and criminalizes certain neuroprivacy misconduct.
The Minnesota bill has been stalled in committee without forward movement for over a year and seems unlikely to pass. California's bill, which is supported by the Neurorights Foundation,[10] is progressing through the state's legislative process.
The Future of Neuroprivacy
The Colorado law is a first step in providing privacy protection for neurodata in the state.
Despite the ambiguity and open questions introduced, it's undeniable that the new law has helped turn the spotlight on neurodata and neurotechnology — a trend likely to continue as neurotechnology is increasingly adopted.
Businesses are not required to comply with the Colorado law until this fall, but companies looking to prepare should consider analyzing data elements collected by different business processes to determine whether those elements could potentially be considered neural data under the new law.
Businesses wanting to be conservative may opt to cast a wide net when making such determinations, but ultimately the approach should be tailored to each specific business and its unique risk profile.
Footnotes:
[1] See https://leg.colorado.gov/sites/default/files/documents/2024A/bills/2024a_1058_enr.pdf.
[2] See https://coag.gov/app/uploads/2022/01/SB-21-190-CPA_Final.pdf.
[3] See https://focuscalm.com/products/focuscalm-eeg-headband.
[4] See https://www.uploadvr.com/zuckerberg-neural-wristband-will-ship-in-the-next-few-years/.
[5] See https://ico.org.uk/about-the-ico/research-reports-impact-and-evaluation/research-and-reports/technology-and-innovation/ico-tech-futures-neurotechnology/.
[6] See https://coag.gov/app/uploads/2023/03/FINAL-CLEAN-2023.03.15-Official-CPA-Rules.pdf.
[7] See https://www.hrgrapevine.com/content/article/2023-06-12-neurotech-could-be-used-to-track-employee-attention-spans-watchdog-warns.
[8] See https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240SB1223.
[9] See https://www.revisor.mn.gov/bills/text.php?number=SF1110&version=latest&session=ls93&session_year=2023&session_number=0.
[10] See https://neurorightsfoundation.org/.