Examples:

• • Brainwave data collected by a sleep-tracking headband would be covered as “neural data” under SB 1223.
  • Using an fMRI brain scan to diagnose Alzheimer’s generates sensitive health info that the bill aims to protect.
  • Facebook’s wrist sensor that translates nerve signals into digital commands highlights the need for neural privacy regs.
  • In the wrong hands, EEG data could be exploited to infer mental health issues, opening the door to discrimination.
  • SB 1223 follows Colorado’s law treating neural data as biometric info to close a gap in consumer privacy.

How SB 1223 Protects You:

• • Requires companies to disclose what neural data they collect and give you access to your information.
  • Allows you to opt out of businesses selling or sharing your neural data with third parties.
  • Gives you the right to request corrections or deletions of the neural data a company has on you.
  • Prevents businesses from retaliating against you for exercising your neural data privacy rights.
  • Empowers you to hold companies accountable for mishandling or misusing your neural information.

FAQs:

• • What companies does SB 1223 apply to? Businesses that collect CA consumers’ personal info and meet revenue or data volume thresholds under CCPA.
  • Does it cover data from medical neurotech devices? No, FDA-approved medical devices are exempt, but not unregulated consumer neurotech.
  • When do the new rules take effect? SB 1223’s provisions become operative on January 1, 2025.
  • How can I tell if a company is collecting my neural data? Check their privacy policy or information collection disclosures – if they don’t specify, ask!
  • What if a company ignores my neural data requests? File a consumer complaint with the CA Attorney General. Companies can face fines for noncompliance.

Examples:

• • Jenna requests a neurotech company disclose the brainwave data its meditation app has collected from her.
  • Mike obtains a copy of his raw EEG readings and neurofeedback reports from a brain training clinic.
  • After losing his job, Tyler asks a neuromarketing firm to delete his neural data profile to avoid employment bias.
  • Leery of third-party exploitation, Sarah opts out of a brain-sensing VR game studio selling her neural info.
  • Ryan’s memory-tracking app can’t charge him more or degrade his service for limiting their use of his neural data.

How to Exercise Your Neural Data Rights:

• • Find the “Do Not Sell or Share My Personal Information” link on the company’s homepage to opt out of neural data sales.
  • Submit requests to know, access, correct or delete via the company’s designated methods (online form, toll-free number, etc.).
  • Businesses must verify your identity before fulfilling your request – look for confirmation emails, reference codes, etc.
  • Companies have 45 days to respond to your neural data request, with a possible 45-day extension for complex requests.
  • If you believe a business has violated your neural data rights, notify them in writing and/or file a complaint with the CA AG.

FAQs:

• • Can I request neural data collected more than 12 months ago? No, the “right to know” only covers the preceding 12 months of data collection.
  • What methods must companies offer to submit data requests? At minimum, a toll-free number and online form.
  • Is there a limit to how often I can request my data? Businesses must fulfill data access requests 2 times in a 12-month period.
  • Do companies have to delete all my data if I ask? There are some exceptions, like completing a transaction or detecting security incidents.
  • What if I signed a neural data agreement with a company? Most neurotech user agreements will need updating for CCPA. Your statutory rights likely override conflicting terms.

Examples:

• • Lin researches the difference between EEG, fNIRS and other neural data collection methods before buying a BCI.
  • Kai scours a brain training app’s privacy policy to see if they share his cognitive performance data with employers or insurers.
  • Amira disables her mental health chatbot’s permission to use her neural sentiment data for targeted ads.
  • Every few months, Zack requests a copy of his neural data from his emotion-sensing wearable to monitor for misuse.
  • Wary of privacy risks, Nadia only uses her productivity neuroheadset for work tasks, not personal browsing.

Questions to Ask About Neurotech:

• • What specific neural data does this device/platform collect and how is it measured, analyzed and applied?
  • Is using this neurotech worth the tradeoff of sharing sensitive data about my brain activity and mental states?
  • How might my neural data be used in ways I’m not expecting or could harm me if accessed by the wrong parties?
  • What rights and controls does the provider give me over my data and how well do they protect my neural privacy?
  • What would the consequences be (personally/professionally) if my neural data was breached or misused?

FAQs:

• • How can I tell if a neurotech company is trustworthy with my data? Look for transparency in their data practices, use of privacy safeguards, and affirmative user rights.
  • What security measures should I look for? At minimum: encryption, access controls, secure storage, and regular security audits.
  • Is it safe to use neurotech if I’m worried about privacy? No tech is risk-free. Weigh benefits & risks, use trusted brands, and practice good neural data hygiene.
  • Should I pay extra for a privacy-focused neurotech device/app? It may be worth it for sensitive use cases. Compare offerings and read independent reviews.
  • What should I do if I suspect neural data misuse? File complaints with the company, FTC, and your state AG. Consider legal action for serious violations.

Examples:

• • Current neural privacy rules may quickly become outdated as BCIs evolve from headbands to implants to brain-to-brain links.
  • Neural data could enable manipulation via hyper-targeted ads or content that exploit your mental triggers and vulnerabilities.
  • Businesses might try to read job candidates’ minds with EEG to surface disqualifying thoughts. Laws are needed to prevent “cognitively intrusive” practices.
  • Can one truly consent to share neural data if they can’t predict how it might be used to harm them by a future bad actor? New models are needed.
  • The NeuroRights Initiative is pushing for neural privacy frameworks at the United Nations to protect human rights as neurotech goes global.

Why Neural Privacy Matters:

• • Your brain data contains insights into your most intimate inner life – thoughts, feelings, memories, habits, and vulnerabilities.
  • Advances in neurotech could expose you to job discrimination, emotional manipulation, mental health stigma and other harms based on your neural info.
  • If neurotech becomes as integral to life as smartphones, you shouldn’t have to sacrifice your mental privacy to access those tools.
  • Your rights to mental integrity, freedom of thought and cognitive liberty depend on strong neural data safeguards.
  • Securing the privacy of our brains is key to human dignity and flourishing in an era of pervasive neurotech.

FAQs:

• • • Will more states copy SB 1223? Yes, lawmakers in several states are working on similar bills and watching CA to see how it plays out.
    • Is federal neural privacy legislation likely? Some in Congress want to pass a national neurotech privacy bill to unify safeguards and avoid a state patchwork.
    • Could neural privacy become a global human right? Initiatives like the NeuroRights Foundation are pushing the U.N. to recognize mental privacy as a fundamental right.
    • What’s the biggest threat to neural privacy? Tech that can accurately decode thoughts + lax neural data protections = surveillance & exploitation of the mind.
    • What can I do to support better neural privacy? Stay informed, demand protections from neurotech you use, and tell your elected officials to make it a priority.

Neural Data Basics:

• • 1. Which of the following would be considered “neural data” under SB 1223?
    • A) A social media sentiment analysis
    • B) Your heart rate from a fitness tracker
    • C) An fMRI scan of your brain activity
    • D) A retinal eye scan for identification
  • 2. What part of the nervous system must neural data be generated from to fall under SB 1223?
    • A) The central nervous system only
    • B) The peripheral nervous system only
    • C) Either the central or peripheral nervous system
    • D) The enteric nervous system
  • 3. What was the first US state to add neural data to its privacy law?
    • A) Colorado
    • B) California
    • C) Virginia
    • D) Washington
  • 4. Neural data is given the same privacy protections under SB 1223 as what other sensitive data types?
    • A) Financial account numbers
    • B) Social Security numbers
    • C) Precise geolocation
    • D) All of the above
  • 5. What percent of consumer neurotech companies currently share neural data with third parties?
    • A) 25%
    • B) 50%
    • C) 75%
    • D) 90%

Answers: Neural Data Basics

• • 1. C) An fMRI directly measures brain activity, so that neural data is covered. The other options don’t involve direct nervous system measurements.
  • 2. C) SB 1223 applies to neural data from either the central nervous system (brain & spinal cord) or peripheral nervous system (nerves outside CNS).
  • 3. A) Colorado amended its privacy law in April 2024 to include neural data, becoming the first state to do so. CA followed about 5 months later.
  • 4. D) The new law categorizes neural data as “sensitive personal information,” like biometric data, precise location, and government IDs. This grants extra protections.
  • 5. B) A 2024 report found over 50% of current consumer neurotech companies share neural data with third parties, often without clear consent.

Your Neural Data Privacy Rights:

• • 1. How far back can you request a company disclose the neural data it has collected on you?
    • A) 30 days
    • B) 6 months
    • C) 12 months
    • D) As long as they’ve had it
  • 2. If you tell a business to delete your neural data, do they have to comply?
    • A) Yes, no matter what
    • B) No, they can refuse for any reason
    • C) Only if you provide a reason
    • D) Yes, with some exceptions
  • 3. What happens if you opt out of a company selling or sharing your neural data?
    • A) They can ignore your request
    • B) They must stop selling/sharing it
    • C) They can still sell/share it for some purposes
    • D) You lose access to their services
  • 4. How often must companies let you request access to your neural data they’ve collected?
    • A) Once ever
    • B) Twice per year
    • C) 5 times per year
    • D) Unlimited
  • 5. How long does a company have to respond to your request to know what neural data they’ve collected on you?
    • A) 10 days
    • B) 45 days
    • C) 90 days
    • D) 6 months

Answers: Your Neural Data Privacy Rights

• • 1. C) The “right to know” provision lets you request disclosure of personal info, including neural data, collected in the past 12 months.
  • 2. D) Businesses must delete your neural data on request, with some exceptions like completing a transaction or securing their systems.
  • 3. B) Once you opt out, they must stop selling or sharing your neural data. They can’t make you waive this right to use their service.
  • 4. B) Companies must let you request access to your neural data twice in a 12-month period. Beyond that, it’s up to them.
  • 5. B) In general, businesses have 45 days to respond to your data request, with the option to extend another 45 days for complex requests.