Your brain waves are up for sale – a new law wants to change that
By Jonathan Moens
New York: Consumers have grown accustomed to the prospect that their personal data, such as email addresses, social contacts, browsing history and genetic ancestry, are being collected and often resold by the apps and the digital services they use.
With the advent of consumer neurotechnologies, the data being collected is becoming ever more intimate.
One headband serves as a personal meditation coach by monitoring the user’s brain activity. Another purports to help treat anxiety and symptoms of depression. Another reads and interprets brain signals while the user scrolls through dating apps, presumably to provide better matches. (“‘Listen to your heart’ is not enough,” the manufacturer says on its website.)
The companies behind such technologies have access to the records of the users’ brain activity – the electrical signals underlying our thoughts, feelings and intentions.
On Wednesday, Colorado Governor Jared Polis signed a bill that, for the first time in the United States, tries to ensure that such data remains truly private. The new law, which passed by a 61-1 vote in the Colorado House and a 34-0 vote in the Senate, expands the definition of “sensitive data” in the state’s current personal privacy law to include biological and “neural data” generated by the brain, the spinal cord and the network of nerves that relays messages throughout the body.
“Everything that we are is within our mind,” said Jared Genser, general counsel and co-founder of the Neurorights Foundation, a science group that advocated the bill’s passage. “What we think and feel, and the ability to decode that from the human brain, couldn’t be any more intrusive or personal to us.”
“We are really excited to have an actual bill signed into law that will protect people’s biological and neurological data,” said Representative Cathy Kipp, a Democrat who introduced the bill.
Senator Mark Baisley, a Republican who sponsored the bill in the upper chamber, said: “I’m feeling really good about Colorado leading the way in addressing this and to give it the due protections for people’s uniqueness in their privacy. I’m just really pleased about this signing.”
The law takes aim at consumer-level brain technologies. Unlike sensitive patient data obtained from medical devices in clinical settings, which are protected by federal health law, the data surrounding consumer neurotechnologies go largely unregulated, Genser said. That loophole means that companies can harvest vast troves of highly sensitive brain data, sometimes for an unspecified number of years, and share or sell the information to third parties.
Supporters of the bill expressed their concern that neural data could be used to decode a person’s thoughts and feelings or to learn sensitive facts about an individual’s mental health, such as whether someone has epilepsy.
“We’ve never seen anything with this power before – to identify, codify people and bias against people based on their brain waves and other neural information,” said Sean Pauzauskie, a member of the board of directors of the Colorado Medical Society, who first brought the issue to Kipp’s attention. Pauzauskie was recently hired by the Neurorights Foundation as medical director.
The new law extends to biological and neural data the same protections granted under the Colorado Privacy Act to fingerprints, facial images and other sensitive, biometric data.
Among other protections, consumers have the right to access, delete and correct their data, as well as to opt out of the sale or use of the data for targeted advertising. Companies, in turn, face strict regulations regarding how they handle such data and must disclose the kinds of data they collect and their plans for it.
“Individuals ought to be able to control where that information – that personally identifiable and maybe even personally predictive information – goes,” Baisley said.
Experts say that the neurotechnology industry is poised to expand as major tech companies like Meta, Apple and Snapchat become involved.
“It’s moving quickly, but it’s about to grow exponentially,” said Nita Farahany, a professor of law and philosophy at Duke University.
From 2019 to 2020, investments in neurotechnology companies rose about 60 per cent globally, and in 2021 they amounted to about $US30 billion ($47 billion), according to one market analysis. The industry drew attention in January, when Elon Musk announced on the social media platform X that a brain-computer interface manufactured by Neuralink, one of his companies, had been implanted in a person for the first time. The patient demonstrated how he could now control a mouse solely with his thoughts and play online chess.
While eerily dystopian, some brain technologies have led to breakthrough treatments. In 2022, a completely paralysed man was able to communicate using a computer simply by imagining his eyes moving. And last year, scientists translated the brain activity of a paralysed woman and conveyed her speech and facial expressions through an avatar on a computer screen.
“The things that people can do with this technology are great,” Kipp said. “But we just think that there should be some guardrails in place for people who aren’t intending to have their thoughts read and their biological data used.”
That is already happening, according to a 100-page report published this week by the Neurorights Foundation. The report analysed 30 consumer neurotechnology companies to see how their privacy policies and user agreements squared with international privacy standards.
It found that only one company restricted access to a person’s neural data in a meaningful way and that almost two-thirds could, under certain circumstances, share data with third parties. Two companies implied that they already sold such data.
“The need to protect neural data is not a tomorrow problem – it’s a today problem,” said Genser, who was among the authors of the report.
The Colorado bill is the first of its kind to be signed into law in the United States, but Minnesota and California are pushing for similar legislation. On Tuesday, California’s Senate Judiciary Committee unanimously passed a bill that defines neural data as “sensitive personal information”.
Several countries, including Chile, Brazil, Spain, Mexico and Uruguay, have either already enshrined protections on brain-related data in their state-level or national Constitutions or taken steps towards doing so.
“In the long run,” Genser said, “we would like to see global standards developed,” for instance by extending existing international human rights treaties to protect neural data.
In the US, proponents of the new Colorado law hope it will establish a precedent for other states and even create momentum for federal legislation. But the law has limitations, experts noted, and might apply only to consumer neurotechnology companies that are gathering neural data specifically to determine a person’s identity, as the new law specifies. Most of these companies collect neural data for other reasons, such as for inferring what a person might be thinking or feeling, Farahany said.
“You’re not going to worry about this Colorado bill if you’re any of those companies right now because none of them are using them for identification purposes,” she added.
But Genser said the Colorado Privacy Act protected any data that qualifies as personal. Given that consumers must supply their names to purchase a product and agree to company privacy policies, this use falls under personal data, he said.
“Given that previously neural data from consumers wasn’t protected at all under the Colorado Privacy Act,” Genser wrote in an email, “to now have it labelled sensitive personal information with equivalent protections as biometric data is a major step forward.”
In a parallel Colorado bill, the American Civil Liberties Union and other human-rights organisations are pressing for more stringent policies surrounding collection, retention, storage and use of all biometric data, whether for identification purposes or not. If the bill passes, its legal implications would apply to neural data.
Big tech companies played a role in shaping the new law, arguing that it was overly broad and risked harming their ability to collect data not strictly related to brain activity.
TechNet, a policy network representing companies such as Apple, Meta and OpenAI, successfully pushed to include language focusing the law on regulating brain data used to identify individuals. But the group failed to remove language governing data generated by “an individual’s body or bodily functions”.
“We felt like this could be very broad to a number of things that all of our members do,” said Ruthie Barko, executive director of TechNet for Colorado and the central United States.
This article originally appeared in The New York Times.