When Thought Becomes Data: The MIND Act and the Coming Debate Over Neurotechnology

Critical Questions by Kuhu Badgi and Taylar Rajic

Published November 4, 2025

The human brain remains one of the most mysterious and unexplored frontiers. However, with the rapid development of science and technology, this is changing. The advancement of neurotechnologies, devices and systems that record, interpret, or alter brain activity, is fast becoming a powerful tool to explore the possibilities and limits of human thought and consciousness. These innovations hold immense promise, positioned as cures to alleviate human suffering and symptoms associated with incurable neurological and movement disorders such as Alzheimer's and Parkinson's disease. Yet these same technologies rely on the collection and processing of vast amounts of intimate neural data, raising unprecedented ethical, privacy, and security challenges. The future success of these technologies depends on the establishment of policies that can enhance consumer trust and provide regulatory clarity.

In September 2025, Senator Chuck Schumer (D-NY), Senator Maria Cantwell (D-WA), and Senator Ed Markey (D-MA) announced their plan to introduce the Management of Individuals' Neural Data of 2025 Act, otherwise known as the MIND Act. Neural data, or information collected from an individual's central or peripheral nervous system, has emerged as a new category of personal health information with the recent advancement of brain-oriented technologies. Even under conservative projections, the neurotechnology market is expected to surpass $38 billion by 2032. This rapid growth underscores the need to safeguard the sensitive data these technologies generate and process.

Q1: What does the MIND Act seek to accomplish?

A1: If enacted, the MIND Act would direct the Federal Trade Commission (FTC) to examine how neural data should be protected to safeguard privacy and prevent exploitation as neurotechnology develops. The MIND Act would also empower the FTC to develop a regulatory framework enabling it to restrict companies that misuse the purchase or use of sensitive neural data-potentially through fines, injunctive relief, or other enforcement mechanisms.

The Senators emphasized that neural data is some of users' most sensitive information, and while neurotechnologies have immense capabilities, they could also largely impede privacy rights without proper regulation. As neurotechnology begins to transition from medical settings into consumer markets, policymakers are racing to define what counts as "neural data" and who should protect it. The proposed MIND Act marks Congress's first serious attempt to regulate the emerging neurotech industry, but it also raises complex questions about innovation, enforcement, and the scope of privacy rights.

Q2: What is neural data?

A2: The bill defines neural data as any information obtained by measuring the activity of an individual's central or peripheral nervous system through the use of neurotechnology.

Cognitive biometric data, which includes neural data, is particularly sensitive because it provides deep insights into human thought and emotion. Unlike conventional biometric or personal health data, such as fingerprints, facial recognition, or heart rate, which can only infer emotional states indirectly, neural data transcends biological identification altogether. It can reveal what individuals think, how they think, and even when they intend to act. This capacity to infer cognition, emotion, and intention extends far beyond traditional notions of biological identification, raising profound questions about how it should be regulated.

Q3: What are some examples of neurotechnologies that the MIND Act would regulate?

A3: In practice, this technology refers to devices, procedures, or systems that access, monitor, record, analyze, predict, stimulate, or alter the nervous system of an individual to understand, influence, restore, or anticipate the activities or functions of the nervous system. Many of these devices are known as brain-computer interfaces (BCIs), which harness the brain's natural electrical communication to enable direct interaction with computers. By detecting and translating neural signals, BCIs transform the brain's internal communication processes into commands that external devices can understand and respond to.

There are two main types of devices that fall under the category of neurotechnology: those that detect brain activity and those that stimulate the brain.

The first type is detection neurotechnologies. These are the wearable devices that typically come to mind when neurotech is discussed, such as headbands, earbuds, helmets, and wristbands, that detect and monitor activity from the central or peripheral nervous system.

The second type is stimulation technologies, which have the capability to influence brain function. One use case of these technologies is intervention for neurological disorders, such as depression. Research has indicated that BCIs can be used to modulate neural activity in targeted brain regions, helping to restore or enhance cognitive, motor, or emotional functions through real-time feedback and closed-loop neural stimulation systems. However, concerns surrounding this technology arise from its potential to unintentionally or improperly influence patients' emotions, behaviors, or thought processes, raising significant ethical and safety considerations.

Q4: How would the MIND Act address the governance of neural data?

A4: The MIND Act would require the FTC to create a commission tasked with writing a report about what additional authorities it needs to regulate neural and related data, best practices for the private sector to protect neural data, and the extent to which existing laws such as the Health Information Portability and Accountability Act (HIPAA) govern neural data and any gaps that exist in its regulation. It would also require the FTC to consult with the director of the White House Office of Science and Technology Policy (OSTP), the commissioner of food and drugs, the privacy sector, academic, and civil liberties stakeholders, and any other relevant federal agencies. Finally, the MIND Act would require the FTC to submit and publish a report on these findings within a year of its enactment.

The MIND Act would also require OSTP to develop guidance on how federal agencies may collect and process neural data. For this guidance to be effective, OSTP would need to design an innovative interagency coordination process necessary for neurotechnology regulation, given the Food and Drug Administration's jurisdiction over medical devices and human-subject research and the FTC's regulation of consumer protection, data privacy, and commercial uses of emerging technologies.

Q5: How does the MIND Act fit into the broader U.S. data governance landscape?

A5: The United States lacks a comprehensive federal privacy law, and existing health-specific protections like HIPAA generally do not apply to neural data. HIPAA only protects personal health information when it is collected in a clinical or medical setting, is linked to an identifiable individual, and pertains to that individual's physical or mental health. Given that most neural data is currently processed by neurotech companies, such as Meta or Neuralink, through their consumer neurotech devices, and is not associated directly with treatment, it typically falls outside HIPAA's scope.

While the federal government is yet to determine its approach to protecting neural data, some states have begun this process, namely California, Colorado, Connecticut, and Montana, which have already passed laws regulating the collection and use of neural data.

California, the first state to protect neural data, enacted legislation that classified data from the "peripheral nervous system" as protected under the California Consumer Privacy Act.

Q6: How are other governments regulating neural data?

A6: Given the nascent nature of neurotechnologies, very few countries have enacted legislation specific to their regulations. However, Chile is a prominent example, after it amended its constitution to include protections for "brain activity, as well as the information derived from it." Under this law, the Chilean Supreme Court also made a landmark ruling against the company Emotiv, a bioinformatics company that develops neurotechnologies, after it collected and retained a customer's neural data for research purposes without consent. The court ordered Emotiv to delete neural data it had collected from the customer.

The European Union, often considered a strong proponent for privacy regulation, technically protects neural data under its General Data Protection Regulation, under which neural data qualifies as biometric or health data that requires heightened protections as "special categories of data."

Several countries also have proposals to enact legislation or amend their constitution to protect neural data. This includes Mexico, which has two pending neural privacy bills seeking to amend its constitution, Brazil, which has several neural privacy initiatives, amongst other countries that have begun discussions to protect neural data, including Costa Rica, Colombia, Argentina, and Uruguay.

Q7: What are the national security and privacy implications of neural data?

A7: Given the large increase in consumer products that collect neural data, there has been an increase in discourse surrounding the protection of such data and the right to mental privacy and cognitive liberty. There has been immense recognition of the numerous opportunities that lie in neurotechnologies, including advanced medical treatments for neurological, movement, and sensory disorders. However, advocates have argued that these are only possible if patients and consumers can confidently share their brain data without fear of its exploitation.

These fears have already been partially realized, with a wide variety of applications emerging that many argue could infringe on mental privacy. For example, brain-monitoring technology has been proposed for workplace use to track employees' attention and efficiency, and many of the companies that are developing these technologies have commodified other types of personal data for years, such as Meta's purchase of highly targeted advertising data derived from users' online behavior and personal information. Additionally, weapons are being developed to disable or disorient the brains of adversaries. For example, militaries have explored "neuroweapons" such as directed-energy systems that can induce confusion or nausea, acoustic and microwave devices designed to disrupt balance and perception, and chemical or biological agents capable of impairing neural function. Such developments underscore the growing national security stakes of neurotechnology, as adversaries could seek to weaponize or exploit neural data to influence decision-making, compromise personnel, or gain cognitive advantages in future conflicts.

Many argue that companies should be prohibited from selling neural data for purposes such as microtargeting, and that governments must be prevented from using such data to monitor, manipulate, or punish individuals for their thoughts, beliefs, or decisionmaking. Advocates also emphasize the need for safeguards against the interception, alteration, or coercive use of neural information, framing these protections as essential to preserving cognitive freedom and mental privacy.

Q8: How might this affect industry stakeholders?

A8: The MIND Act could affect startups developing neurotechnology devices, and many fear that broad definitions could hinder innovation, research, and development. On the other hand, major technology companies like Meta or Neuralink that experiment with neural interfaces for alternate reality and virtual reality may advocate for risk-based, harm-focused regulation, rather than strict data-type restrictions. This mirrors broader debates in AI governance, where companies like Meta signaled concern about categorical regulation and showed a preference for frameworks proportionate to risk.

Policymakers have also grappled with whether to regulate based on risk associated with a technology's use, such as in the European Union's AI Act, or to impose categorical restrictions on specific types of data or applications. Industry actors in both domains tend to favor the risk-based approach, arguing it allows for innovation while still mitigating the most serious harms.

Even if the MIND Act stalls, it marks a turning point in U.S. data policy, signaling that the line between mind and machine is no longer theoretical, and that Congress has the opportunity to decide who can access the human brain's most intimate data.

Kuhu Badgi is a program coordinator and research assistant with the Strategic Technologies Program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Taylar Rajic is an associate fellow with the Strategic Technologies Program at CSIS.

Programs & Projects