California continues to lead the US with privacy legislation, joining Colorado in passing legislation aimed at protecting the privacy of users' thoughts.
Once the thing of science fiction, technology that can read minds is quickly becoming reality. While there are some beneficial applications for the technology, such as medical uses, people's private thoughts represent the ultimate gold mine for advertisers and data brokers.
California has now joined Colorado, becoming only the second state to have a law aimed at protecting the privacy of one's thoughts. According to some reports, California's legislation even surpasses Colorado's, in terms of the protection it offers.
The legislation comes as an amendment to the California Consumer Privacy Act of 2018, adding "neural data" to the long list of "personal sensitive information" covered by the CCPA.
The Neurorights Foundation, one of the bill's cosponsors, applauded the legislation.
In doing so, the amended law now protects neural data from misuse and abuse by extending to neural data the same legal protections already granted to other forms of sensitive personal information, such as a consumer's genetic data, biometric data, precise geolocation data, and credentials to access their financial accounts. These protections include the right to know what information is being collected and how it is used or shared; the right to delete collected information; the right to opt-out on the sale or sharing of information; and the right to limit the use and disclosure of sensitive personal information.
The Neurorights Foundation acknowledged the value of neural devices for medical use, but emphasized the potential for abuse.
Neurotechnology devices used in a medical setting must be licensed by the Food & Drug Administration as medical devices and the collected neural data is generally protected by HIPAA and state medical data privacy laws. But neural data gathered by consumer neurotechnologies is essentially unregulated, even though these consumer devices can use medical-grade technologies. This is particularly concerning given that neural data is capable of revealing highly sensitive information, including information about mental health, physical health, and cognitive processing.
Indeed, neurotechnologies have been rapidly expanding into the consumer sphere. In a landmark report published earlier this year, the Neurorights Foundation analyzed the data practices of 30 companies that sell consumer neurotechnology products and the rights provided to their users and concluded they fall far short global privacy standards. The report focused on five areas of concern: Access to Information, Data Collection and Storage, Data Sharing, User Rights, and Data Safety and Security. Significant deficiencies emerged across each category, which is particularly worrying given that 29 of the 30 companies appear to have unlimited access to the consumer's neural data and can transfer consumer data to third parties.
"It was an extraordinary achievement that reflects the enormous importance of protecting neural data that not only was this new law adopted unanimously but it took less than eight months from its introduction to being signed into law," said Jared Genser, General Counsel to the Neurorights Foundation. "This new law in California will make the lives of consumers safer while sending a clear signal to the fast-growing neurotechnology industry there are high expectations that companies will provide robust protections for mental privacy of consumers. That said, there is much more work ahead. This isn't an issue that should just be regulated piecemeal by States. The U.S. Congress needs to act urgently to adopt a law to protect neural data at a Federal level. And neural data also needs to be protected by international law, multilateral regulatory processes, and national legislation around the world."
Hopefully California and Colorado are not the last jurisdictions to pass laws protecting the most sensitive and private data imaginable.