“Neural data” is the newest addition to the ever expanding California Consumer Privacy Act (CCPA). Signed into law on September 28, 2024, SB 1223 amends the CCPA to add “personal information that reveals neural data” to the categories of personal information that constitute sensitive personal information. It further amends the CCPA to define “neural data” as “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.” The new law follows Colorado, which earlier this year became the first state to address neural data explicitly in its consumer privacy legislation.

Traditionally neural data was measured by high performance medical devices like MRIs that were regulated by health care providers. However, the development of new consumer technologies powered by AI that use electromyography to interpret neural signals associated with hand and body gestures, gives rise to new ways for businesses to collect and use neural data. These emerging uses of neural data have begun to capture the attention of lawmakers. SB 1223’s author noted that while “consumer-facing neurotechnology” may enable early diagnosis and personalized treatment of neurological and cognitive conditions, improve our ability to meditate, focus and even communicate with a seamless technological telepathy, they might “also pose very real risks to mental privacy, freedom of thought and self-determination.”

Mapping Out the Neural Network of Data

Under the CCPA, sensitive personal information is afforded a higher degree of protection than other forms of personal information. For example, under § 1798.121, an individual may request that a business limit their use and disclosure of sensitive personal information (SPI) to that which is necessary to perform the services or provide the goods requested by the consumer. Businesses are required to include a link on their websites titled “Limit the Use of My Sensitive Personal Information,” which consumers can use to communicate their preferences. If a consumer directs a business to limit its use and disclosure of the consumer’s SPI, the business is prohibited from using or disclosing the information beyond the permissible purposes enumerated in the CCPA unless the consumer subsequently provides consent for additional purposes.

The use of SPI has become an enforcement priority for regulators and SB 1223 demonstrates that lawmakers will revisit the definition of SPI to account for technological developments and the evolution of cultural sensibilities. Organizations that collect, use, or transact neural data should review their privacy programs and disclosures to ensure this data is classified accurately and to ensure that consumers are able to exercise their statutory rights with respect to this data.

Author

Adam Aft helps global companies navigate the complex issues regarding intellectual property, data, and technology in product counseling, technology, and M&A transactions. He leads the Firm's North America Technology Transactions group and co-leads the group globally. Adam regularly advises a range of clients on transformational activities, including the intellectual property, data and data privacy, and technology aspects of mergers and acquisitions, new product and service initiatives, and new trends driving business such as platform development, data monetization, and artificial intelligence.

Author

Cynthia J. Cole is Chair of Baker McKenzie’s Global Commercial, Tech and Transactions Business Unit, a member of the Firm’s global Commercial, Data, IP and Trade (CDIT) practice group steering Committee and Co-chair of Baker Women California. A former CEO and General Counsel, just before joining the Firm, Cynthia was Deputy Department Chair of the Corporate Section in the California offices of Baker Botts where she built the technology transactions and data privacy practice. An intellectual property transactions attorney, Cynthia also has expertise in AI, digital transformation, data privacy, and cybersecurity strategy.

Author

Brian provides advice on global data privacy, data protection, cybersecurity, digital media, direct marketing information management, and other legal and regulatory issues. He is Chair of Baker McKenzie's Global Data Privacy and Security group.

Author

Cristina focuses her practice on regulatory and transactional issues in global privacy and data protection, including data security, data breach notification, global privacy, website privacy policies, behavioral advertising, cross-border data transfers, and comprehensive compliance programs.

Author

Ella is an associate in our Firm's Intellectual Property & Technology Practice Group and is based in our San Francisco office.

Author

Justine focuses her practice on both proactive and reactive cybersecurity and data privacy services, representing clients in matters related to information governance, diligence in acquisitions and investments, incident preparedness and response, the California Consumer Privacy Act, privacy litigation, and cyber litigation.

Author

Garrett is an associate in Baker McKenzie's North America Intellectual Property Group and is based in our San Francisco office. His practice focuses on helping clients build effective information governance programs, comply with privacy laws and regulations, and respond to cybersecurity incidents.

Author

Avi Toltzis is a Knowledge Lawyer in Baker McKenzie's Chicago office.