Your brain waves are up for sale. A new law wants to change that.

Natasha Schull, a cultural anthropologist and associate professor at M.I.T., demonstrates ‘Muse: the brain sensing headband’ in Cambridge, Mass., on April 15, 2015. Colorado Gov. Jared Polis just signed a bill that, for the first time in the U.S, extends personal privacy protections to data generated by people’s brain, spinal cord, and the network of nerves that send messages to and from the rest of the body. — The New York Times

Consumers have grown accustomed to the prospect that their personal data, such as email addresses, social contacts, browsing history and genetic ancestry, are being collected and often resold by the apps and the digital services they use.

With the advent of consumer neurotechnologies, the data being collected is becoming ever more intimate. One headband serves as a personal meditation coach by monitoring the user’s brain activity. Another purports to help treat anxiety and symptoms of depression. Another reads and interprets brain signals while the user scrolls through dating apps, presumably to provide better matches. (“‘Listen to your heart’ is not enough,” the manufacturer says on its website.)

The companies behind such technologies have access to the records of the users’ brain activity – the electrical signals underlying our thoughts, feelings and intentions.

On Wednesday, Colorado Gov. Jared Polis signed a bill that, for the first time in the United States, tries to ensure that such data remains truly private. The new law, which passed by a 61-1 vote in the Colorado House and a 34-0 vote in the Senate, expands the definition of “sensitive data” in the state’s current personal privacy law to include biological and “neural data” generated by the brain, the spinal cord and the network of nerves that relays messages throughout the body.

“Everything that we are is within our mind,” said Jared Genser, general counsel and co-founder of the Neurorights Foundation, a science group that advocated the bill’s passage. “What we think and feel, and the ability to decode that from the human brain, couldn’t be any more intrusive or personal to us.”

“We are really excited to have an actual bill signed into law that will protect people’s biological and neurological data,” said Rep. Cathy Kipp, a Democrat who introduced the bill.

Sen. Mark Baisley, a Republican who sponsored the bill in the upper chamber, said: “I’m feeling really good about Colorado leading the way in addressing this and to give it the due protections for people’s uniqueness in their privacy. I’m just really pleased about this signing.”

The law takes aim at consumer-level brain technologies. Unlike sensitive patient data obtained from medical devices in clinical settings, which are protected by federal health law, the data surrounding consumer neurotechnologies go largely unregulated, Genser said. That loophole means that companies can harvest vast troves of highly sensitive brain data, sometimes for an unspecified number of years, and share or sell the information to third parties.

Supporters of the bill expressed their concern that neural data could be used to decode a person’s thoughts and feelings or to learn sensitive facts about an individual’s mental health, such as whether someone has epilepsy.

“We’ve never seen anything with this power before – to identify, codify people and bias against people based on their brain waves and other neural information,” said Sean Pauzauskie, a member of the board of directors of the Colorado Medical Society, who first brought the issue to Kipp’s attention. Pauzauskie was recently hired by the Neurorights Foundation as medical director.

The new law extends to biological and neural data the same protections granted under the Colorado Privacy Act to fingerprints, facial images and other sensitive, biometric data.

Among other protections, consumers have the right to access, delete and correct their data, as well as to opt out of the sale or use of the data for targeted advertising. Companies, in turn, face strict regulations regarding how they handle such data and must disclose the kinds of data they collect and their plans for it.

“Individuals ought to be able to control where that information – that personally identifiable and maybe even personally predictive information – goes,” Baisley said.

Experts say that the neurotechnology industry is poised to expand as major tech companies like Meta, Apple and Snapchat become involved.

“It’s moving quickly, but it’s about to grow exponentially,” said Nita Farahany, a professor of law and philosophy at Duke University.

From 2019 to 2020, investments in neurotechnology companies rose about 60% globally, and in 2021 they amounted to about US$30bil, according to one market analysis. The industry drew attention in January, when Elon Musk announced on the social media platform X that a brain-computer interface manufactured by Neuralink, one of his companies, had been implanted in a person for the first time. Musk has since said that the patient made a full recovery and is now able to control a mouse solely with his thoughts and play online chess.

While eerily dystopian, some brain technologies have led to breakthrough treatments. In 2022, a completely paralysed man was able to communicate using a computer simply by imagining his eyes moving. And last year, scientists were able to translate the brain activity of a paralysed woman and convey her speech and facial expressions through an avatar on a computer screen.

“The things that people can do with this technology are great,” Kipp said. “But we just think that there should be some guardrails in place for people who aren’t intending to have their thoughts read and their biological data used.”

That is already happening, according to a 100-page report published Wednesday by the Neurorights Foundation. The report analysed 30 consumer neurotechnology companies to see how their privacy policies and user agreements squared with international privacy standards. It found that only one company restricted access to a person’s neural data in a meaningful way and that almost two-thirds could, under certain circumstances, share data with third parties. Two companies implied that they already sold such data.

“The need to protect neural data is not a tomorrow problem – it’s a today problem,” said Genser, who was among the authors of the report.

The new Colorado bill won resounding bipartisan support, but it faced fierce external opposition, Baisley said, especially from private universities.

Testifying before a Senate committee, John Seward, research compliance officer at the University of Denver, a private research university, noted that public universities were exempt from the Colorado Privacy Act of 2021. The new law puts private institutions at a disadvantage, Seward testified, because they will be limited in their ability to train students who use “the tools of the trade in neural diagnostics and research” purely for research and teaching purposes.

“The playing field is not equal,” Seward testified.

The Colorado bill is the first of its kind to be signed into law in the United States, but Minnesota and California are pushing for similar legislation. On Tuesday, California’s Senate Judiciary Committee unanimously passed a bill that defines neural data as “sensitive personal information.” Several countries, including Chile, Brazil, Spain, Mexico and Uruguay, have either already enshrined protections on brain-related data in their state-level or national constitutions or taken steps toward doing so.

“In the long run,” Genser said, “we would like to see global standards developed,” for instance by extending existing international human rights treaties to protect neural data.

In the United States, proponents of the new Colorado law hope it will establish a precedent for other states and even create momentum for federal legislation. But the law has limitations, experts noted, and might apply only to consumer neurotechnology companies that are gathering neural data specifically to determine a person’s identity, as the new law specifies. Most of these companies collect neural data for other reasons, such as for inferring what a person might be thinking or feeling, Farahany said.

“You’re not going to worry about this Colorado bill if you’re any of those companies right now, because none of them are using them for identification purposes,” she added.

But Genser said that the Colorado Privacy Act protects any data that qualifies as personal. Given that consumers must supply their names in order to purchase a product and agree to company privacy policies, this use falls under personal data, he said.

“Given that previously neural data from consumers wasn’t protected at all under the Colorado Privacy Act,” Genser wrote in an email, “to now have it labeled sensitive personal information with equivalent protections as biometric data is a major step forward.”

In a parallel Colorado bill, the American Civil Liberties Union and other human-rights organizations are pressing for more stringent policies surrounding collection, retention, storage and use of all biometric data, whether for identification purposes or not. If the bill passes, its legal implications would apply to neural data.

Big tech companies played a role in shaping the new law, arguing that it was overly broad and risked harming their ability to collect data not strictly related to brain activity.

TechNet, a policy network representing companies such as Apple, Meta and Open AI, successfully pushed to include language focusing the law on regulating brain data used to identify individuals. But the group failed to remove language governing data generated by “an individual’s body or bodily functions”.

“We felt like this could be very broad to a number of things that all of our members do,” said Ruthie Barko, executive director of TechNet for Colorado and the central United States. – The New York Times

Follow us on our official WhatsApp channel for breaking news alerts and key updates!



Next In Tech News

Apple challenges $2 billion EU antitrust fine at EU court
FTX's Bankman-Fried being transferred to new prison, WSJ reports
Saudi woos electric flying taxi company Archer as Gulf rivals vie to be aviation hub
US securities regulator urges against crypto bill adoption
WisdomTree, 21Shares to list crypto products on London Stock Exchange
Intercontinental Exchange to pay $10 million over delayed cyber disclosures, SEC says
Amazon to launch AI-overhauled Alexa with paid plans, CNBC reports
Nigerian court adjourns Binance, executives' tax evasion trial to June 14
Analog Devices forecasts quarterly revenue above estimates
Summit host South Korea says world must cooperate on AI technology

Others Also Read