Colorado Protects Brain Wave Privacy With First Neurodata Law

Colorado has become the first state to explicitly extend privacy rights to a person’s neural data under a law signed Wednesday by Gov. Jared Polis (D).

The law (H.B. 24-1058) adds data generated by activity in the nervous system to the personal information covered by Colorado’s existing consumer privacy law. Companies must treat neural data as sensitive information and secure consent before collecting or processing.

Neurotechnology, including devices that can record, monitor, or alter a person’s brain activity, pose emerging privacy concerns for regulators. Meta Platforms Inc. is among companies exploring such technology, including to help people who can’t speak be able to communicate by using their brain signals.

Colorado proponents cited fears the new devices could eventually allow bad actors to manipulate a person’s thoughts without safeguards. California and Minnesota lawmakers are also considering neural data protections.

The nonprofit Neurorights Foundation, which backed the Colorado law, released a report Wednesday noting gaps in the privacy practices of existing consumer neurotechnology devices. The report found nearly every company out of 30 reviewed appeared “to have access to the consumer’s neural data and provide no meaningful limitations to this access.”

The Colorado law notes a lack of regulation over neurotechnology that isn’t used in medical settings and doesn’t fall under existing health privacy protections such as the federal Health Insurance Portability and Accountability Act. Consumers are likely unaware of the extent and uses of data collected, the law states.

Colorado’s consumer privacy requirements apply to companies that handle the personal data of at least 100,000 residents per year. That threshold drops to 25,000 consumers if they sell personal data.

The neurodata provisions will take effect 90 days after the legislature adjourns this year. The Computer & Communications Industry Association said that timeline is too short for businesses to comply in comments opposing the bill. The group’s members include Meta and Apple Inc.

The law’s broad definition of biological data will include most wearable technology, the computer association said. The law is unnecessarily burdensome for businesses, especially those navigating numerous state privacy laws, it argued.