Consumers have become accustomed to the prospect that their personal data (such as email addresses, social contacts, browsing history, and genetic ancestry) is being collected and often resold by the apps and digital services they use.
With the advent of consumer neurotechnology, the data collected is becoming increasingly intimate. A headband acts as a personal meditation coach by monitoring the user’s brain activity. Another claims to help treat symptoms of anxiety and depression.Another reads and interprets brain signals When a user scrolls through a dating app, presumably to provide a better match. (“‘Listen to your heart’ is not enough,” the manufacturer says on its website.)
The companies behind such technologies can obtain records of users’ brain activity—the electrical signals underlying our thoughts, feelings, and intentions.
On Wednesday, Colorado Governor Jared Polis signed a bill that, for the first time in the United States, attempts to ensure that such data is truly private. The new law, which passed the Colorado House of Representatives by a vote of 61-1 and the Senate by a vote of 34-0, expands the definition of “sensitive data” in the state’s current personal privacy law to include biometric and “sensitive data.” “included. “Neural data” is generated by the brain, spinal cord, and neural networks that carry information throughout the body.
“We’re all in our heads,” said Jared Genser, general counsel and co-founder of the NeuroRights Foundation, a science group advocating for the bill’s passage. “Our thoughts and feelings, and the ability to decode these messages from the human brain, are very invasive and personal to us.”
“We’re really excited to have an actual bill signed into law that protects people’s biological and neurological data,” said Rep. Cathy Kipp, D-Colorado, who sponsored the bill.
Colorado Republican Sen. Mark Besley, who sponsored the bill in the upper chamber, said: “I couldn’t be more pleased that Colorado is taking the lead on addressing this issue and providing people’s unique privacy with the protections it deserves. I couldn’t be more pleased with this signing.”
The law targets consumer-level brain technology. Unlike sensitive patient data obtained from medical devices in clinical settings, which is protected by federal health law, data related to consumer neurotech is largely unregulated, Genser said. The vulnerability means companies can collect large amounts of highly sensitive brain data, sometimes for an unknown amount of time, and share or sell the information to third parties.
Supporters of the bill have expressed concerns that neural data could be used to decode a person’s thoughts and feelings, or learn sensitive facts about a person’s mental health, such as whether someone has epilepsy.
“We’ve never seen anything before that has the ability to identify, profile and bias people based on their brain waves and other neurological information,” said Sean Pauzauskie, a Colorado Medical Society board member. Kip starts with The lady noticed the problem. Mr. Pauzauskie was recently hired as Medical Director by the Neurorights Foundation.
New law extends protection to biological and neurological data Colorado Privacy Laws Fingerprints, facial images and other sensitive biometric data.
Among other protections, consumers have the right to access, delete, and correct their data, as well as to opt out of its sale or use for targeted advertising. Companies, in turn, face strict regulations on how to handle this data and must disclose the type of data they collect and their plans.
“Individuals should be able to control where this information — personally identifiable information and possibly even personally predictive information — goes,” Mr. Besley said.
Experts say the neurotech industry is poised to expand with the participation of major tech companies like Meta, Apple and Snapchat.
“It’s moving very fast, but it’s about to grow exponentially,” said Nita Farahany, a professor of law and philosophy at Duke University.
According to statistics, global investment in neurotechnology companies increased by approximately 60% from 2019 to 2020, with investment volume in 2021 approximately US$30 billion a market analysis. The industry drew attention in January when Elon Musk Published on X His company Neuralink makes a brain-computer interface that is implanted into the human body for the first time. Musk has since said the patient has fully recovered and is now able to control a mouse and play online chess using just his thoughts.
Although bizarrely dystopian, some brain technologies are already leading to breakthrough treatments. In 2022, a completely paralyzed man was able to communicate using a computer simply by imagining his eyes moving. And last year, scientists can Translating a paralyzed woman’s brain activity and conveying her speech and facial expressions through an avatar on a computer screen.
“There are so many things people can do with this technology,” Ms. Kipp said. “But we just think there should be some guardrails in place for people who are not going to have their thoughts read and their biodata used.”
That’s already happening, according to a 100-page report released Wednesday by the Neurorights Foundation. The report analyzes 30 consumer neurotechnology companies to see how their privacy policies and user agreements meet international privacy standards. The study found that only one company limits access to personal neural data in a meaningful way, while nearly two-thirds can share data with third parties under certain circumstances. Both companies suggested they had sold such data.
“The need to protect neural data is not a problem of tomorrow, but of today,” said Mr. Guenther, one of the report’s authors.
Besley said Colorado’s new bill won strong bipartisan support but also faced strong opposition from the outside, particularly from private universities.
John Seward, a research compliance officer at the University of Denver, a private research university, testified before a Senate committee that public universities are not subject to the 2021 Colorado Privacy Act. Mr Seward said the new law puts private institutions at a disadvantage because their ability to train students who use “the tools of the neurodiagnostic and research industry” purely for research and teaching purposes will be limited.
“The playing field was not level,” Mr. Seward testified.
Colorado’s bill is the first of its kind in the United States to be signed into law, but Minnesota and California are advancing similar legislation. On Tuesday, the California Senate Judiciary Committee unanimously passed a bill that would Defining neural data as “sensitive personal information”. Several countries, including Chile, Brazil, Spain, Mexico and Uruguay, already have protections for brain-related data in their state or national constitutions, or have taken steps to do so.
“In the longer term,” Mr. Guenther said, “we hope to see the development of global standards” such as by extending existing international human rights treaties to protect neural data.
In the United States, supporters of Colorado’s new law hope it will set a precedent for other states and even create momentum for federal legislation. But experts note that the law has limitations and may only apply to consumer neurotech companies that specialize in collecting neural data to determine an individual’s identity, as the new law would provide. Most of these companies collect neural data for other reasons, such as inferring what a person might be thinking or feeling, Ms. Farahani said.
“If you were one of these companies right now, you wouldn’t be worried about this bill in Colorado because none of them are using them for identification purposes,” she added.
But Mr. Guenther said Colorado privacy laws protect any data that belongs to an individual. He said such use would be personal data given that consumers must provide their name to purchase the product and agree to the company’s privacy policy.
“Given that neural data from consumers was not protected at all under the Colorado Privacy Act,” Mr. Guenther wrote in an email, “it is now marked as sensitive personal information and provided with biometric Equal protection of data is a big step forward.”
exist parallel colorado billThe American Civil Liberties Union and other human rights groups are pressing for stricter policies surrounding the collection, retention, storage and use of all biometric data, whether or not for identification purposes. If the bill passes, its legal implications would apply to neural data.
Big tech companies played a role in crafting the new law, which they argue is too broad and could harm their ability to collect data that is not strictly related to brain activity.
TechNet, a policy network representing companies such as Apple, Meta and Open AI, has successfully pushed to focus the law on language regulating brain data used to identify individuals. But the organization failed to remove language that controls data generated by “an individual’s body or bodily functions.”
“We think this could be very broad for a lot of things that all of our members do,” said Ruthie Barko, executive director of TechNet Colorado and Central America.
