On August 31, the California assembly passed SB1223, which amends the CCPA/CPRA to include “neural data” as a type of sensitive data. SB1223, which is likely to become law, defines “neural data” as “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.” California follows Colorado as the second state to include “neural data” as a category of sensitive data under its state comprehensive privacy law.
Motivations for Amendment:
The California legislators cite “the emergence of neurotechnologies” and “protecting our neural data” as reasons to enact SB1223. Neurotechnology, like implanted brain-computer interfaces and commercially available EEG headbands, has been making headlines because of its potential both to improve quality of life for patients with brain and/or spinal cord-related diagnoses and to collect and interpret information gathered from consumers’ central nervous systems (i.e., the brain and spinal cord) and peripheral nervous systems (i.e., the other nerves in the body) to identify individuals and their biases, predict future actions, and interpret emotions and memories.
What is “Neural Data”?
The final definition of “neural data” under SB1223 is the result of several rounds of revisions by the California legislators. While these revisions may make the definition more flexible for future technological advancements, they also cloud what data is considered “neural data”.
The March 18, 2024, version of SB1223 (“March Version”) defined neural data as “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems that can be processed by, or with the assistance of neurotechnology.”[1] The March Version defined neurotechnology as “a device, instrument, or set of devices or instruments, that allows a connection with a person’s central or peripheral nervous system for various purposes, including, but not limited to, reading, recording, or modifying a person’s brain activity or the information obtained from a person’s brain activity.”
SB1223 excludes the reference to neurotechnology, which arguably makes the definition of “neural data” broader and more flexible. For example, by not requiring “neural data” to result from “a device, instrument, or set of devices or instruments” connecting with an individual’s nervous system, the new definition of “neural data” in SB1223 likely avoids arguments that the law does not apply to future neurotechnology which may not require a physical connection in order to collect data from an individual’s nervous system.
SB1223 also expressly excludes inferences made from “nonneural information” from the definition of “neural data” (i.e., neural data does not include nonneural information). Nonneural information is undefined, and the circular reference creates ambiguity about what exactly is considered “neural data”.
If we assume that nonneural information is the inverse of the first half of the definition of “neural data”, then “nonneural information” is “information that is not generated by measuring the activity of a consumer’s central or peripheral nervous system.” Unfortunately, this is still not enough information to untangle what is and what is not “activity of the central or peripheral nervous system”.
In particular, the blurred line between muscular movement and control of muscular movement by the peripheral nervous system is a common point of discussion in the neuroprivacy community. For example, it is unclear whether technology designed to track eye movements generates neural data. Physiologically, eye movements themselves occur due to contraction of eye muscles, but voluntary (e.g., looking to your left) and involuntary (e.g., pupillary contraction) eye movements are enabled and initiated by a cranial nerve which is part of the peripheral nervous system. Indeed, TechNet wrote in opposition to SB1223 citing “systems that monitor drivers’ eye movements” as those which “could be considered measurements of the [peripheral nervous system].”
What Does This Mean for Businesses?
Despite the ambiguity, businesses that collect “neural data” and are subject to the CCPA/CPRA will need to comply with SB1223’s changes when they become effective. As a first step, businesses should assess whether they are (or might be) collecting any data which could be considered “neural data” under California law – taking into account how and from where the data is collected and/or derived. If the business determines it is collecting neural data, it should work to include such data as “sensitive data” in its existing privacy governance structure, such as by permitting users to limit the business’s use of neural data. Note, however, that exemptions – such as whether the information is publicly available – also still apply.
[1] This definition closely tracks with Colorado’s definition of “neural data”, the ambiguity of which we previously discussed here.