Baker & Hostetler LLP

10/17/2024 | Press release | Distributed by Public on 10/17/2024 07:14

Colorado and California Get Ahead of Neural Data Regulation


It is often said that the law lags behind the pace of technological development. Yet, while computer chip implants and wearable brain activity monitors are only just starting to show technical viability, two states recently passed updates to their comprehensive privacy laws to regulate neural data.

Colorado became the first when it passed House Bill 24-1058, which expanded the definition of "sensitive data" under the Colorado Privacy Act to include "biological data," including "neural data." The bill was signed into law on April 17 and took effect on August 6. Then, on September 28, California enacted Senate Bill No. 1223 and Assembly Bill No. 1008, which expand the definition of "sensitive personal information" under the California Consumer Privacy Act (CCPA) to include "neural data." This amendment goes into effect on January 1, 2025. Below, we break down how these amendments define "neural data" and what businesses processing neural data must do to comply.

Definitions of "neural data"

In Colorado, "neural data" is defined as "information that is generated by the measurement of the activity of an individual's central or peripheral nervous systems and that can be processed by or with the assistance of a device." Neural data is a sub-category of "biological data," which is defined as "data generated by the technological processing, measurement, or analysis of an individual's biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual's body or bodily functions, which data is used or intended to be used, singly or in combination with other personal data, for identification purposes. 'Biological data' includes neural data." The practical effect of this tiered definition is to classify information associated with an individual's body - including neural data - as sensitive, thereby requiring businesses to obtain informed consent before collecting, using, disclosing or otherwise processing these types of personal data, among other requirements discussed in more detail below.

California takes a slightly different approach. Neural data under the CCPA is now directly classified as a type of "sensitive personal information," meaning that it may be subject to the right to limit use and disclosure, among other requirements. The term "neural data" is defined as "information that is generated by measuring the activity of a consumer's central or peripheral nervous system and that is not inferred from nonneural information." While "nonneural data" is not defined, this potential ambiguity may have little practical effect because California's definition of "sensitive personal information" already includes "[p]ersonal information collected and analyzed concerning a consumer's health." Therefore, regardless of whether a business is processing neural data, biological data or health data, all such data would be classified as sensitive.

Compliance requirements

Because neural data is considered "sensitive" in both Colorado and California, businesses that process neural data will need to do so in accordance with certain requirements that go beyond those applicable to ordinary personal information. In both states, these requirements include conducting and documenting a data protection impact assessment prior to processing neural data. Colorado also requires businesses to obtain consent before processing sensitive data, including neural data. This consent must be an affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement, such as a written or electronic statement, or another clear, affirmative action by which the consumer signifies agreement to the processing of the data. In California, to the extent that a business processes sensitive personal information, including neural data, for a nonexempt purpose, the business must provide consumers with the right to limit the use and disclosure of that information.

Considerations for employee data

While neural technology is still in its infancy and practical uses may be hard to imagine for many businesses, one application where we may start to see commercialization of neural-monitoring technology in the coming years is in the employment context; for example, to monitor productivity and focus. In that context, employers may choose to approach privacy compliance for these types of technologies differently in California and Colorado because the CCPA applies to employee personal information while the Colorado Privacy Act does not. That said, practical and ethical considerations as well as the potential impact on employee morale may prove to carry more weight than either of these laws.

Conclusion

On the one hand, the mere classification of neural data as "sensitive," especially when other types of health data are already classified that way, is not particularly surprising or controversial. For example, most people would probably consider brain activity to be at the core of what they should be able to keep private. On the other hand, it is somewhat rare to see lawmakers preemptively regulate new technology in this way. While wide usage of neural-monitoring technology may still be years away, the amendments to the Colorado Privacy Act and the CCPA demonstrate a proactive approach, suggesting an intent to anticipate potential risks posed by rapidly evolving technologies rather than waiting to address specific issues after they materialize.