
ARTICLE

Cybersecurity & the Current State of Neural Data Regulation

Nicole Chiappone

Summary

  • A universal definition of neural data is needed, together with a comprehensive assessment of which regulations will best protect brain data collected from direct-to-consumer devices against a data breach.
  • The enacted and pending legislation around the globe lacks some of the protections that may be necessary given the unique and sensitive nature of neural data.
  • Combining elements of the current and pending protections may provide a good foundation for an international legal framework for neural data regulation.

Neurotechnology is rapidly entering the market for direct-to-consumer products that monitor brain activity. These non-invasive consumer neurotechnologies collect neural data that is then fed into software that yields information about the consumer for wellness, research, entertainment, and gaming, among many other uses. Although these devices may have extraordinary benefits, there is great concern about the collection, use, and exposure of the neural data they gather. Discussions have begun about direct-to-consumer devices that record brain activity and the need to bring neural data within a privacy-rights framework, yet very few regulations currently exist. This article explores the current state of neural data protection laws and how effective they will be in safeguarding against the cybersecurity risks associated with consumer neurotechnology.

Although there is no universal definition of neural data, the legal systems that have adopted or proposed neural data protection legislation define it similarly: the measurement of activity stemming from the consumer's central or peripheral nervous system. Neural data differs from other data because it can potentially reveal emotional and cognitive processes in addition to other health information, and unlike a password it cannot be changed once exposed. The sensitive nature of neural data has driven the push for separate and distinct regulations. There is no established checklist for neural data protection legislation; however, basic requirements may include a concise, internationally shared definition of neural data, affirmative consent, strong encryption requirements, risk assessments, strict sharing guidelines, and data minimization.

In the United States only two states have enacted neural data privacy laws. Colorado's H.B. 24-1058 amended the Colorado Privacy Act (hereinafter "CPA") to include neural data. The bill characterizes neural data as biological data, which is treated as sensitive data under the CPA. Neural data is defined as "information that concerns the activity of an individual's central nervous system, or peripheral nervous system, including the brain and spinal cord, and that can be processed by or with the assistance of the device." Neural data now receives the full protection given to sensitive data under the CPA, which requires affirmative opt-in consent before the collection, processing, or sale of the data. Businesses must honor consumers' rights of access and deletion, conduct data protection assessments, and practice data minimization. There is no mandatory encryption, but the law does require that sensitive data be permanently anonymized or rendered inaccessible within a reasonable time after consent to process it is withdrawn. The bill became law on April 17, 2024.

Similarly, California S.B. 1223 amended the California Consumer Privacy Act (hereinafter "CCPA") to expand the definition of sensitive personal information to include neural data. Neural data is defined as "information that is generated by measuring the activity of a consumer's central or peripheral nervous system and that is not inferred from non-neural information." Neural data now enjoys the heightened protections the CCPA gives sensitive personal information. Consumers have the right to limit the use and disclosure of that data and to opt out of its sale or sharing, but unlike Colorado, there is no affirmative opt-in consent requirement. Consumers also have the rights to access, restrict the processing of, and delete their data. The CCPA has very specific rules on data sharing, including the consumer's right to opt out. Risk assessments must be performed on a regular basis. A business's collection, use, retention, and sharing of the data is limited to what is reasonably necessary to achieve the purpose for which it was collected and processed. The CCPA does not require encryption, but it mandates that businesses implement and maintain reasonable security procedures and practices appropriate to the nature of the information. Notably, the CCPA's private right of action for data breaches applies only to nonencrypted and nonredacted personal information, which gives businesses a strong incentive to encrypt neural data even though encryption is not mandated. The amendments became law on September 28, 2024 and went into force on January 1, 2025.

Outside of the United States, several countries have enacted or pending amendments to their data privacy laws. On October 25, 2021, Chile's constitution was amended to include brain activity as a protected right. Just under two years later, on August 9, 2023, the Chilean Supreme Court determined that neural data is sensitive and biometric data that falls under the protection of Chile's data protection act, Law 19.628. On August 24, 2024, the Chilean legislature approved Law 21.719 on the protection of personal data, Ley sobre Protección de la Vida Privada (hereinafter "LPVP"), which substantially rewrites Law 19.628. This legislation is far more extensive than its predecessor. There is no formal definition of neural data beyond the Chilean Supreme Court's categorization. The amended law requires affirmative consent from consumers. Additionally, risk assessments, data minimization, and purpose limitation are required. There are specific cross-border data transfer rules, and encryption is suggested but not required. The LPVP was published on December 13, 2024 and becomes fully effective twenty-four months after that date, in December 2026.

Brazil is currently seeking to bring neural data under its comprehensive data protection law, the Brazilian General Data Protection Law (hereinafter "LGPD"). Bill number 522/2022 contains a provision defining neural data as "any information obtained, directly or indirectly, from the activity of the central nervous system and accessed through brain-computer interfaces or any other invasive or non-invasive technology." The bill also requires "specific consent" for neural data processing. Should this bill pass, neural data would enjoy the other safeguards of the LGPD, including, but not limited to, data minimization, purpose limitation, risk assessments, and international data transfer rules. As in Chile's data protection law, encryption is suggested but not required.

On March 21, 2025, Mexico's new data privacy law, the Federal Law for the Protection of Personal Data Held by Private Parties (hereinafter "LFPDPPP"), replaced its 2010 predecessor. Still pending is the General Law on Neuro-Rights and Neurotechnologies. This bill was introduced in the Senate of Mexico on July 17, 2024 and is an extremely thorough regulation of neurotechnology. It defines neural data as "any personal data, record, or information derived from the anatomy or physiology of the central and peripheral nervous system, and mental and brain activity, including genetic data, neuroimaging, and neural activity patterns, among others, obtained through any technology directly or indirectly." If the bill passes, neural data would be protected under the new LFPDPPP, which strengthens some rights for data subjects; however, it does not include specific guidelines for sharing or cross-border transfers, nor are risk assessments required. The LFPDPPP does require notice of a retention period. Notably, Article 28 of the proposed law calls for mandatory encryption. The bill is currently before Senate committees.

Although not an exhaustive list, the six criteria referenced above are certainly worth implementing to protect neural data from cyber threats. The current neural data regulations and proposed bills each contain some, but not all, of these criteria. Mexico is the only country looking to mandate encryption for neural data. Encryption does not prevent a breach, but it is the control most likely to limit the damage when one occurs: encrypted data that leaks without its keys is of little use to an attacker, which is why California ties breach liability to unencrypted data. Combining the strongest elements of the aforementioned neural data protection laws could provide a thorough framework for an international neural data and neurotechnology privacy law. Although these laws are still in their infancy, the need for a universal set of neural data regulations is urgent and calls for a global conversation.
