Consumers have become accustomed to the prospect that their personal data, such as their email addresses, social contacts, browsing history, and genetic ancestry, will be collected and often resold by the apps and digital services they use.
With the advent of consumer neurotechnology, the data collected is becoming increasingly intimate. One headband acts as a personal meditation coach by monitoring the user's brain activity. Another claims it can help treat symptoms of anxiety and depression. Another system reads and interprets brain signals while users scroll through dating apps, possibly offering better matches. (“‘Listen to your heart’ is not enough,” the manufacturer says on its website.)
The companies behind these technologies have access to records of users' brain activity, the electrical signals that underlie our thoughts, emotions, and intentions.
On Wednesday, Colorado Governor Jared Polis signed a bill into law, making Colorado the first state in the United States to ensure that such data remains truly private. The new law, passed by a vote of 61-1 in the Colorado House of Representatives and 34-0 in the Senate, expands the definition of “sensitive data” under the state's current personal privacy law to include biological data and “confidential data.” “Neural data” is generated by neural networks that carry messages throughout the brain, spinal cord, and body.
“Everything about who we are is in our hearts,” said Jared Guenther, general counsel and co-founder of the Neurolights Foundation, a scientific group that advocated for the bill's passage. “What we think and feel, and our ability to decipher it from the human brain, cannot be more intrusive and personal to us.”
This law targets consumer-level brain technology. Unlike sensitive patient data from medical devices in clinical settings, which is protected by federal health law, consumer neurotechnology data is largely unregulated, Guenther said. This loophole means that companies can collect vast amounts of sensitive brain data, sometimes for an unspecified period of time, and then share or sell that information to third parties.
Supporters of the bill have raised concerns that neural data could be used to decipher a person's thoughts and emotions and learn sensitive information about a person's mental health, such as whether they have epilepsy.
“We've never seen anything with this ability to identify, organize, and bias people based on their brain waves and other neural information,” said Sean Pawzowski, director of the Colorado Medical Society. “There is no such thing.” I first brought this issue to Kipp's attention. Mr. Pawzowski was recently hired by the Neurolights Foundation as medical director.
The new law extends the same protections to biological and neurological data that are granted to fingerprints, facial images, and other sensitive biometric data under the Colorado Privacy Act.
Among other protections, consumers have the right to access, delete, and correct their data, and to opt out of the sale or use of their data for targeted advertising. On the other hand, companies face strict regulations regarding their handling of such data and must disclose the types of data they collect and their plans to do so.
“Individuals should be able to control where that information goes, personally identifying information and even personally predictive information,” Bazley said.
Experts say the neurotech industry is poised to expand with the entry of big tech companies like Meta, Apple and Snapchat.
“It's going fast, and it's about to grow exponentially,” said Nita Farahany, a professor of law and philosophy at Duke University.
According to one market analysis, investment in neurotechnology companies increased by about 60% globally from 2019 to 2020, reaching about $30 billion in 2021. In January, Elon Musk attracted industry attention when he announced on X that a brain-computer interface made by one of his companies, Neuralink, had been implanted in a human body for the first time. Musk later said the patient had made a full recovery and was now able to control a mouse and play online chess using just his thoughts.
It may sound like a creepy dystopia, but some brain technology has led to breakthrough treatments. In 2022, a completely paralyzed man was able to communicate using a computer simply by imagining his eyes moving. And last year, scientists were able to translate the brain activity of a paralyzed woman and convey her speech and facial expressions through an avatar on a computer screen.
“It's amazing what people can do with this technology,” Kipp said. “But we think we need to put some guardrails in place for people who don't want their thoughts read or their biological data used.”
That's already happening, according to a 100-page report released Wednesday by the Neurolights Foundation. The report analyzed 30 consumer neurotechnology companies to see how their privacy policies and user agreements align with international privacy standards. It found that all but one of the companies limit access to individuals' neural data in a meaningful way, and that nearly two-thirds can share data with third parties under certain circumstances. Two companies have hinted that they already sell such data.
“The need to protect neural data is today's problem, not tomorrow's,” said Guenther, one of the report's authors.
Colorado's new bill had overwhelming bipartisan support, but faced fierce opposition from outside, especially from private universities, Bazley said.
In testimony before a Senate committee, John Seward, director of research compliance at the University of Denver, a private research university, pointed out that public universities are exempt from the Colorado Privacy Act of 2021. The new law puts private institutions at a disadvantage, Seward said. This is because there are limits to the ability to train students to use “tools of the neurodiagnostic and research industry” purely for research and educational purposes.
“The playing field is not level,” Seward testified.
Colorado's bill is the first of its kind to be signed into law in the United States, but Minnesota and California are also pushing for similar legislation. The California Senate Judiciary Committee unanimously passed a bill Tuesday that would define neural data as “sensitive personal information.” Several countries, including Chile, Brazil, Spain, Mexico, and Uruguay, have already enshrined or taken steps to protect brain-related data in their state or national constitutions.
“In the long term, we would like to see global standards developed,” Guenther said, for example by extending existing international human rights treaties to protect neural data.
In the United States, supporters of Colorado's new law hope it will establish a precedent for other states and even create momentum for federal legislation. But the law has limitations. Experts pointed out that, as the new law specifies, it may apply only to consumer neurotech companies that collect neural data specifically to identify individuals. Farahany said most of these companies collect neural data for other purposes, such as inferring what people are thinking or feeling.
“If you are currently one of these companies, you do not need to worry about this Colorado bill because none of them are using them for identification purposes,” she added.
But Guenther said Colorado's privacy law protects any data that is considered personal. This use constitutes personal data, he said, given that consumers must enter their names to purchase products and consent to companies' privacy policies.
“Given that neural data from consumers previously had no protection at all under Colorado privacy law, labeling sensitive personal information with the same protections as biometric data is significant progress,” Guenther wrote in an email.
Alongside Colorado's bill, the American Civil Liberties Union and other human rights groups are calling for stricter policies regarding the collection, retention, storage, and use of all biometric data, whether for identification purposes or not. If the bill passes, its legal implications would also apply to neural data.
Big tech companies weighed in on the new law, arguing it was too broad and risked hurting their ability to collect data not strictly related to brain activity.
TechNet, a policy network representing companies like Apple, Meta, and OpenAI, successfully pushed to include language focusing the law on regulating brain data used to identify individuals. However, the group failed to remove language governing data generated by “an individual's body or bodily functions.”
“We felt this could be very pervasive to a lot of things that all of our members are doing,” said Lucy Berco, executive director of TechNet for Colorado and the central United States.