Legal.io
May 07, 2024

Colorado Leads With Privacy Law on Neural Data

Colorado has classified consumer brain waves as "sensitive data" under the Colorado Privacy Act, setting a precedent for data privacy in neurotechnology.

Colorado Leads With Privacy Law on Neural Data

Brain waves are unique vibrations produced by different parts of the brain. Neurotechnology is a tool designed to understand and visualize this brain activity. It measures the electrical activity that occurs when a neuron fires. This activity can indicate various states such as being awake, asleep, anxious, calm, problem-solving, or depressed. Some neurotechnology tools can even alter these waves, which could potentially change the user’s behavior, or even read and store personal information about a user.

As neurotechnology becomes more widely available, there is a risk that private brain wave data could become as widely circulated as credit card data.

Colorado’s Approach to Neural Data

Colorado has classified consumer brain waves as “sensitive data.” As such, they are subject to the Colorado Privacy Act (CPA). This was enacted into law as HB 24-1058. While Colorado is leading the way in explicitly defining neural data under its data privacy statute, California’s State Senate has also passed a measure to protect neural data. Minnesota is considering a similar bill.

In the bill, “neural data” is defined as “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems.” This includes the brain, spinal cord, and all nerves. It can be processed by or with the assistance of a device.

It should be noted that these devices do not include invasive tools like cochlear implants, which are protected under the federal Health Insurance Portability and Accountability Act (HIPAA). Instead, they refer to consumer-grade, noninvasive devices that are readily available through online marketplaces. These devices, such as wellness headbands and wristbands, or gaming headsets, collect neural data but are not subject to medical privacy regulations.

The Implications of the Law on Consumer Data

The collection and potential misuse of consumer neural data may seem like a concept from a science fiction story. However, data privacy attorneys who have researched these tools have expressed concern about the rapid proliferation of technologies that collect neural data. They are also concerned about the lack of laws that effectively regulate them.

At present, noninvasive neurotechnologies make up a small part of the rapidly expanding field of emerging tech. Therefore, the laws that aim to regulate them may overlap in some areas and differ in others. This creates a patchwork of regulations that businesses and lawyers will need to navigate.

Jared Genser, a former DLA Piper Partner, who founded law firm Perseus Strategies and now serves as the General Counsel of the nonprofit NeuroRights Foundation, hopes that these statutes will provide businesses with clear guidelines on how to operate in this new landscape of neurotechnologies. The NeuroRights Foundation has worked closely with the government of Colorado, providing advice and testimony to the State House and Senate.

The Law Is to Protect Sensitive Consumer Data and Not About Neurotech

Genser emphasized that Colorado’s law is not about developing neurotech. It is an amendment to a data protection law and is solely about the collection of data.

The amendment extends the protections awarded to consumers’ sensitive data under the CPA, such as DNA or fingerprints, to include neural data. As with other personal data, consumers will now be able to opt out of the sale and use of their neural data. They will also have the right to access, correct, or delete it, according to the CPA.

“Neural data obtained in a medical context is already protected under HIPAA and state medical privacy laws, but neural data collected by consumer products, even though they use medical-grade brain scanners, have had no protection,” Genser said. “This is because state privacy laws were unintentionally drafted in a way that excluded neural data.”

Indeed, neural data occupies a unique position when it comes to data that originates from the human body. Under traditional privacy terminology, it is not biological, because it measures electrical activity. It is also not biometric, because biometric data refers to an individually identifiable marker that has to be processed outside the body, like an iris scan or a fingerprint.

With neural data now covered by the CPA, many companies will need to update their compliance policies. The CPA applies to entities, including nonprofits, that conduct business or deliver services targeted to Colorado residents. It also applies to entities that process the personal data of more than 100,000 individuals in any calendar year or derive revenue or receive discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.

Why Is There a Need for Such a Law?

Historically, laws have struggled to keep pace with technological development. However, in the case of neural data, states are taking the lead in regulating a technology before it becomes as widespread as social media or as popular as connected cars.

Genser explained that as he started researching neurotechnologies, he realized that things that he thought might be science fiction are actually already science. An international human rights lawyer, Genser joined Columbia University neuroscientist Rafael Yuste to create the NeuroRights Foundation, which works to put legal guardrails around neurotechnology.

Over a decade ago, Yuste pioneered research on technology that altered mouse behavior using nerve stimulation. He was startled by the potential impact of this technology on humans. Similar mechanisms are now used in meditation or mood-retraining tools like sens.ai or EMOTIV, among others.

The report released by the foundation identifies 30 tools currently on the market that collect neural data. However, the ability of generative AI to better synthesize brain scans and EEGs that the devices monitor means that these tools are likely to proliferate faster.

Until recently, neural data was confined to hospitals and subject to medical-grade stipulations. It did not require much attention from lawmakers drafting consumer data privacy bills. Sara Pullen Guercio, an attorney with Alston & Bird’s Technology and Privacy Group, said that even within legal circles, there wasn’t much talk about “neuropivacy” or “mental privacy” until 2023.

“In large part, that’s because we didn’t have to hear about it. It was mostly in the medical space,” she said. “And now we have this medical technology that’s been built into consumer goods—wearable headbands and brain-computer interfaces—and I think people are starting to pay attention because their consumers are not just patients anymore.”

The amendment to the Colorado Privacy Act to include neural data as sensitive data is a significant step towards protecting the privacy of individuals in the age of neurotechnology. As these technologies become more prevalent and accessible, it is crucial to have laws and regulations in place that explicitly protect the privacy and rights of individuals. The efforts of Colorado in this regard set a precedent for other states and countries to follow, ensuring that as we advance technologically, we are cognizant of the rights of individuals.

GovernmentPrivacy

Customer Stories

See how leading enterprise in-house teams have scaled smarter with Legal.io's high-caliber flex talent.

Plaid
How Plaid used Legal.io for Flexible, Cost Effective Legal Talent

FINANCE / ENTERPRISE

Medallia
How Medallia Managed Legal Overflow and Accelerated Deals with Legal.io

SAAS / ENTERPRISE

Verily
How Verily Addressed High-Volume Commercial Counsel Needs with Legal.io

HEALTHCARE / ENTERPRISE

Zoom
How Zoom Streamlined Legal Operations with Flexible Staffing

TECHNOLOGY / ENTERPRISE

More from Legal.io

Technology
StructureFlow Secures $6M in Series A Funding to Enhance Legal Data Visualization

UK-based legal tech company StructureFlow has raised $6 million in Series A funding to advance its AI-driven visual representation tools for legal professionals.

Technology
May 31, 2024
Read More
Legal Insights
AI Tools Surpass Lawyers in Legal Research Accuracy, Vals Report Finds

A new Vals AI report shows tools like Alexi, Counsel Stack, Midpage, and ChatGPT outperform lawyers in legal research accuracy and authoritativeness.

Oct 23, 2025
Read More
3 Ways to Maintain A Healthy Work-Life Balance
3 Ways to Maintain A Healthy Work-Life Balance

Did you know that hunter-gatherers need to work for only around 20 hours per week to feed themselves? That was the norm throughout most of human history, but when human beings first discovered agriculture and began living in settled communities around 12,000 years ago in the Levant, this figure slowly began to creep up (which has long led archaeologists and ancient historians to speculate as to why humans began farming in the first place).   Modern lawyers, of course, regularly face working weeks of 40 hours, sometimes rising to 50 and beyond. Now, there are of course a few perks available to the modern lawyer that were not accessible to ancient hunter-gatherers or the first farming communities. But the point is that it’s not natural to be on call for work 24 hours a day, seven days a week. To stay healthy and enjoy our time on Earth, we need to maintain some kind of work-life balance. Here are some tips to help you do exactly that. 

Law FirmsCareer
Jul 06, 2020
Read More
EU Strikes Deal to Regulate ChatGPT, AI Tech in Landmark Act
EU Strikes Deal to Regulate ChatGPT, AI Tech in Landmark Act

The AI Act is set to become the most comprehensive regulation of AI in the western world.

TechnologyInternational
Dec 12, 2023
Read More
Law Firms
3 Tips for Law Firms and Remote Work

With stronger cloud tools, improved security, and wider connectivity - there isn't any reason why law firms cannot adopt sensible remote work policies. 

Law FirmsCareer
Mar 24, 2020
Read More
Ready to hire?

Schedule a free consultation to discuss your hiring needs.

Schedule Call
Free 15-min consultation
Legal.io Platform
5 star reviews
Hiring made smarter

Easy-to-use platform for hiring legal talent, managing spend, and optimizing your panel — plus an average savings of 50%.

Need Immediate Help?

Submit a hiring request and let our experts handle the entire process for you.

Submit Hiring Request