How a new law protects your thoughts from tech companies – and why it matters

If you open your devices with a fingerprint or face scan, you’re probably OK with tech companies having some of your biological data. Now, the rise of neurotech wearables is putting your brainwaves on the table, too. 

On Wednesday, the governor of Colorado signed a bill expanding the state’s existing privacy law to include neural data, or brain activity. The bill added brainwaves under the umbrella of biological data, which it defined as “data generated by the technological processing, measurement, or analysis of an individual’s biological, genetic, biochemical, physiological, or neural properties, compositions, or activities or of an individual’s body or bodily functions.”

This includes recordings of your fingerprints and face, which tech companies increasingly have, as well as your DNA. Prior to the bill, only fingerprints and facial images were protected in Colorado.

Neurotech uses electroencephalography (EEG), a method of measuring brain activity using electrodes. Invasive brain-computer interfaces (BCIs), like Neuralink or Synchron, are implanted in the body and, therefore, are considered medical devices, meaning they’re subject to stricter data protections. But non-invasive neurotech devices, like wearables that use EEG, are considered consumer devices – and these aren’t regulated yet.

Consumer products that incorporate EEG have been around for a while – companies like Emotiv and NeuroSky have been exploring the technology for fitness, digital health, and even perfume for nearly a decade. Meta, Apple, and Snap are working on their own devices. 

Plenty of unregulated neurotech wearables are now available, from headsets promising better athletic performance to headbands that help you meditate. This tech tracks, analyzes, and, at least in some cases, records your brain activity. 

The Colorado legislation was passed in response to growing concerns about privacy in consumer BCIs. “Data concerning the activity of the human brain and wider nervous systems, or ‘neural data’, is extremely sensitive and can reveal intimate information about individuals, including information about health, mental states, emotions, and cognitive functioning,” the bill states.

In the wrong hands, that data could be used against individuals by companies or third parties. A report from The Neurorights Foundation found that 29 out of 30 companies surveyed “appear to have access to the consumer’s neural data and provide no meaningful limitations to this access.” 

The report also mentions several recent studies that contribute to the “growing scientific consensus that neural data collected by non-invasive devices can indeed decode human thought,” a privacy weakness if left unprotected. 

As artificial intelligence – which famously needs lots of data to train on – has exploded into the mainstream over the last two years, general concerns over the collection and sale of user data have, too. AI in the tech industry is still relatively unregulated, and the US has lagged behind Europe in terms of data privacy legislation.

Colorado’s move is a small but notable step in the right direction. California and Minnesota are making similar progress, but no policy on neural data exists yet at the federal level.
