“Neural data” is the newest addition to the ever expanding California Consumer Privacy Act (CCPA). Signed into law on September 28, 2024, SB 1223 amends the CCPA to add “personal information that reveals neural data” to the categories of personal information that constitute sensitive personal information. It further amends the CCPA to define “neural data” as “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.” The new law follows Colorado, which earlier this year became the first state to address neural data explicitly in its consumer privacy legislation.
Traditionally neural data was measured by high performance medical devices like MRIs that were regulated by health care providers. However, the development of new consumer technologies powered by AI that use electromyography to interpret neural signals associated with hand and body gestures, gives rise to new ways for businesses to collect and use neural data. These emerging uses of neural data have begun to capture the attention of lawmakers. SB 1223’s author noted that while “consumer-facing neurotechnology” may enable early diagnosis and personalized treatment of neurological and cognitive conditions, improve our ability to meditate, focus and even communicate with a seamless technological telepathy, they might “also pose very real risks to mental privacy, freedom of thought and self-determination.”
Mapping Out the Neural Network of Data
Under the CCPA, sensitive personal information is afforded a higher degree of protection than other forms of personal information. For example, under § 1798.121, an individual may request that a business limit their use and disclosure of sensitive personal information (SPI) to that which is necessary to perform the services or provide the goods requested by the consumer. Businesses are required to include a link on their websites titled “Limit the Use of My Sensitive Personal Information,” which consumers can use to communicate their preferences. If a consumer directs a business to limit its use and disclosure of the consumer’s SPI, the business is prohibited from using or disclosing the information beyond the permissible purposes enumerated in the CCPA unless the consumer subsequently provides consent for additional purposes.
The use of SPI has become an enforcement priority for regulators and SB 1223 demonstrates that lawmakers will revisit the definition of SPI to account for technological developments and the evolution of cultural sensibilities. Organizations that collect, use, or transact neural data should review their privacy programs and disclosures to ensure this data is classified accurately and to ensure that consumers are able to exercise their statutory rights with respect to this data.