by LawInc Staff
September 30, 2024
In September 2024, California Governor Gavin Newsom signed into law Senate Bill 1223, a groundbreaking measure to protect the privacy of individuals’ brain data. The bill, sponsored by State Senator Josh Becker, amends the California Consumer Privacy Act (CCPA) to include “neural data” as a new category of sensitive personal information. This guide provides an in-depth look at SB 1223, including what protections it offers, why it matters, and what it means for you.
From brain-computer interfaces to consumer EEG headbands, emerging neurotechnology is advancing rapidly – often without sufficient safeguards for the data it collects. SB 1223 aims to close that gap by giving Californians greater control over their neural data privacy. Learn what rights the law grants you, what companies it applies to, how to exercise your neural data protections, and more.
1. Understand What SB 1223 Covers & Why It Matters
- Defining “Neural Data”: Information generated by measuring central or peripheral nervous system activity, not inferred from other sources.
- Granting Sensitive Data Protections: Neural data gets the same CCPA safeguards as biometrics, DNA, precise geolocation, and more.
- Responding to Advancing Neurotechnology: Brain and nerve-tracking consumer devices are proliferating with insufficient oversight.
- Preventing Potential Misuse: Neural data, if mishandled, could reveal identity, health conditions, mental states, and more.
- Following Colorado’s Lead: In April 2024, CO became the first state to include neural data in its privacy law.
Examples:
- Brainwave data collected by a sleep-tracking headband would be covered as “neural data” under SB 1223.
- Using an fMRI brain scan to diagnose Alzheimer’s generates sensitive health info that the bill aims to protect.
- Facebook’s wrist sensor that translates nerve signals into digital commands highlights the need for neural privacy regs.
- In the wrong hands, EEG data could be exploited to infer mental health issues, opening the door to discrimination.
- SB 1223 follows Colorado’s law treating neural data as biometric info to close a gap in consumer privacy.
How SB 1223 Protects You:
- Requires companies to disclose what neural data they collect and give you access to your information.
- Allows you to opt out of businesses selling or sharing your neural data with third parties.
- Gives you the right to request corrections or deletions of the neural data a company has on you.
- Prevents businesses from retaliating against you for exercising your neural data privacy rights.
- Empowers you to hold companies accountable for mishandling or misusing your neural information.
FAQs:
- What companies does SB 1223 apply to? Businesses that collect CA consumers’ personal info and meet revenue or data volume thresholds under CCPA.
- Does it cover data from medical neurotech devices? No, FDA-approved medical devices are exempt, but not unregulated consumer neurotech.
- When do the new rules take effect? SB 1223’s provisions become operative on January 1, 2025.
- How can I tell if a company is collecting my neural data? Check their privacy policy or information collection disclosures – if they don’t specify, ask!
- What if a company ignores my neural data requests? File a consumer complaint with the CA Attorney General. Companies can face fines for noncompliance.
2. Know Your Neural Data Rights Under CCPA
- Right to Know: Request disclosure of what neural data a business has collected about you in the past 12 months.
- Right to Access: Obtain a copy of the specific pieces of neural information a company has collected on you.
- Right to Delete: Request that a business delete any neural data they have collected from you, with some exceptions.
- Right to Opt-Out: Direct a business not to sell your neural information to, or share it with, third parties.
- Right to Non-Discrimination: Receive equal service and pricing, even if you exercise your neural data privacy rights.
Examples:
- Jenna requests that a neurotech company disclose the brainwave data its meditation app has collected from her.
- Mike obtains a copy of his raw EEG readings and neurofeedback reports from a brain training clinic.
- After losing his job, Tyler asks a neuromarketing firm to delete his neural data profile to avoid employment bias.
- Leery of third-party exploitation, Sarah opts out of a brain-sensing VR game studio selling her neural info.
- Ryan’s memory-tracking app can’t charge him more or degrade his service for limiting its use of his neural data.
How to Exercise Your Neural Data Rights:
- Find the “Do Not Sell or Share My Personal Information” link on the company’s homepage to opt out of neural data sales.
- Submit requests to know, access, correct or delete via the company’s designated methods (online form, toll-free number, etc.).
- Businesses must verify your identity before fulfilling your request – look for confirmation emails, reference codes, etc.
- Companies have 45 days to respond to your neural data request, with a possible 45-day extension for complex requests.
- If you believe a business has violated your neural data rights, notify them in writing and/or file a complaint with the CA AG.
FAQs:
- Can I request neural data collected more than 12 months ago? No, the “right to know” only covers the preceding 12 months of data collection.
- What methods must companies offer to submit data requests? At minimum, a toll-free number and online form.
- Is there a limit to how often I can request my data? Businesses must fulfill data access requests 2 times in a 12-month period.
- Do companies have to delete all my data if I ask? There are some exceptions, like completing a transaction or detecting security incidents.
- What if I signed a neural data agreement with a company? Most neurotech user agreements will need updating for CCPA. Your statutory rights likely override conflicting terms.
3. Go Beyond Legal Compliance – Best Practices for Neurotech Users
- Understand the Tech: Learn how a neurotech device or platform works, what data it captures and what it’s used for.
- Read Privacy Policies: Review company disclosures on neural data collection, use, sharing, security and your opt-out rights.
- Use Privacy Controls: Adjust neural data-related settings and permissions to your comfort level (where available).
- Monitor Your Data: Periodically request your neural data report to verify what’s being collected and watch for unauthorized uses.
- Consider Tradeoffs: Weigh the benefits of neurotech against the privacy risks and only share what you’re comfortable with.
Examples:
- Lin researches the difference between EEG, fNIRS and other neural data collection methods before buying a BCI.
- Kai scours a brain training app’s privacy policy to see if they share his cognitive performance data with employers or insurers.
- Amira disables her mental health chatbot’s permission to use her neural sentiment data for targeted ads.
- Every few months, Zack requests a copy of his neural data from his emotion-sensing wearable to monitor for misuse.
- Wary of privacy risks, Nadia only uses her productivity neuroheadset for work tasks, not personal browsing.
Questions to Ask About Neurotech:
- What specific neural data does this device/platform collect and how is it measured, analyzed and applied?
- Is using this neurotech worth the tradeoff of sharing sensitive data about my brain activity and mental states?
- How might my neural data be used in ways I’m not expecting or could harm me if accessed by the wrong parties?
- What rights and controls does the provider give me over my data and how well do they protect my neural privacy?
- What would the consequences be (personally/professionally) if my neural data was breached or misused?
FAQs:
- How can I tell if a neurotech company is trustworthy with my data? Look for transparency in their data practices, use of privacy safeguards, and affirmative user rights.
- What security measures should I look for? At minimum: encryption, access controls, secure storage, and regular security audits.
- Is it safe to use neurotech if I’m worried about privacy? No tech is risk-free. Weigh benefits & risks, use trusted brands, and practice good neural data hygiene.
- Should I pay extra for a privacy-focused neurotech device/app? It may be worth it for sensitive use cases. Compare offerings and read independent reviews.
- What should I do if I suspect neural data misuse? File complaints with the company, FTC, and your state AG. Consider legal action for serious violations.
The Future of Neural Data Protection – Challenges & Opportunities
- Keeping Pace with Innovation: Neural privacy laws must evolve as neurotech advances in power, precision and applications.
- Addressing Unique Neural Data Risks: Brainwave readings enable emotional manipulation, thought decoding and other novel harms.
- Preventing Thought Surveillance: Regulations are needed to block attempts to covertly collect and exploit neural data.
- Updating Consent Models: Neural data challenges assumptions about informed consent. New frameworks are needed.
- Harmonizing Global Standards: Neurotech is borderless. Aligning neural privacy norms across jurisdictions is key.
Examples:
- Current neural privacy rules may quickly become outdated as BCIs evolve from headbands to implants to brain-to-brain links.
- Neural data could enable manipulation via hyper-targeted ads or content that exploit your mental triggers and vulnerabilities.
- Businesses might try to read job candidates’ minds with EEG to surface disqualifying thoughts. Laws are needed to prevent “cognitively intrusive” practices.
- Can one truly consent to share neural data if they can’t predict how it might be used to harm them by a future bad actor? New models are needed.
- The NeuroRights Initiative is pushing for neural privacy frameworks at the United Nations to protect human rights as neurotech goes global.
Why Neural Privacy Matters:
- Your brain data contains insights into your most intimate inner life – thoughts, feelings, memories, habits, and vulnerabilities.
- Advances in neurotech could expose you to job discrimination, emotional manipulation, mental health stigma and other harms based on your neural info.
- If neurotech becomes as integral to life as smartphones, you shouldn’t have to sacrifice your mental privacy to access those tools.
- Your rights to mental integrity, freedom of thought and cognitive liberty depend on strong neural data safeguards.
- Securing the privacy of our brains is key to human dignity and flourishing in an era of pervasive neurotech.
FAQs:
- Will more states copy SB 1223? Yes, lawmakers in several states are working on similar bills and watching CA to see how it plays out.
- Is federal neural privacy legislation likely? Some in Congress want to pass a national neurotech privacy bill to unify safeguards and avoid a state patchwork.
- Could neural privacy become a global human right? Initiatives like the NeuroRights Foundation are pushing the U.N. to recognize mental privacy as a fundamental right.
- What’s the biggest threat to neural privacy? Tech that can accurately decode thoughts + lax neural data protections = surveillance & exploitation of the mind.
- What can I do to support better neural privacy? Stay informed, demand protections from neurotech you use, and tell your elected officials to make it a priority.
Summary
California’s SB 1223 grants crucial new privacy rights for your neural data, the intimate information generated by your brain. The law requires businesses to disclose what neural data they collect, let you access your own data and opt out of having it sold or shared. You can also request corrections and deletions of your neural data.
As consumer neurotech explodes, from EEG headbands to brain-computer interfaces, SB 1223 is an important step to safeguard the privacy of your mind. But it’s just the beginning – further action will be needed as the tech evolves. Watch this space and take charge of your own neural privacy in the meantime!
Test Your SB 1223 Savvy
Neural Data Basics:
- 1. Which of the following would be considered “neural data” under SB 1223?
  - A) A social media sentiment analysis
  - B) Your heart rate from a fitness tracker
  - C) An fMRI scan of your brain activity
  - D) A retinal eye scan for identification
- 2. What part of the nervous system must neural data be generated from to fall under SB 1223?
  - A) The central nervous system only
  - B) The peripheral nervous system only
  - C) Either the central or peripheral nervous system
  - D) The enteric nervous system
- 3. What was the first US state to add neural data to its privacy law?
  - A) Colorado
  - B) California
  - C) Virginia
  - D) Washington
- 4. Neural data is given the same privacy protections under SB 1223 as what other sensitive data types?
  - A) Financial account numbers
  - B) Social Security numbers
  - C) Precise geolocation
  - D) All of the above
- 5. What percent of consumer neurotech companies currently share neural data with third parties?
  - A) 25%
  - B) 50%
  - C) 75%
  - D) 90%
Answers: Neural Data Basics
- 1. C) An fMRI directly measures brain activity, so that neural data is covered. The other options don’t involve direct nervous system measurements.
- 2. C) SB 1223 applies to neural data from either the central nervous system (brain & spinal cord) or peripheral nervous system (nerves outside CNS).
- 3. A) Colorado amended its privacy law in April 2024 to include neural data, becoming the first state to do so. CA followed about 5 months later.
- 4. D) The new law categorizes neural data as “sensitive personal information,” like biometric data, precise location, and government IDs. This grants extra protections.
- 5. B) A 2024 report found over 50% of current consumer neurotech companies share neural data with third parties, often without clear consent.
Your Neural Data Privacy Rights:
- 1. How far back can you request a company disclose the neural data it has collected on you?
  - A) 30 days
  - B) 6 months
  - C) 12 months
  - D) As long as they’ve had it
- 2. If you tell a business to delete your neural data, do they have to comply?
  - A) Yes, no matter what
  - B) No, they can refuse for any reason
  - C) Only if you provide a reason
  - D) Yes, with some exceptions
- 3. What happens if you opt out of a company selling or sharing your neural data?
  - A) They can ignore your request
  - B) They must stop selling/sharing it
  - C) They can still sell/share it for some purposes
  - D) You lose access to their services
- 4. How often must companies let you request access to your neural data they’ve collected?
  - A) Once ever
  - B) Twice per year
  - C) 5 times per year
  - D) Unlimited
- 5. How long does a company have to respond to your request to know what neural data they’ve collected on you?
  - A) 10 days
  - B) 45 days
  - C) 90 days
  - D) 6 months
Answers: Your Neural Data Privacy Rights
- 1. C) The “right to know” provision lets you request disclosure of personal info, including neural data, collected in the past 12 months.
- 2. D) Businesses must delete your neural data on request, with some exceptions like completing a transaction or securing their systems.
- 3. B) Once you opt out, they must stop selling or sharing your neural data. They can’t make you waive this right to use their service.
- 4. B) Companies must let you request access to your neural data twice in a 12-month period. Beyond that, it’s up to them.
- 5. B) In general, businesses have 45 days to respond to your data request, with the option to extend another 45 days for complex requests.