This is “A MoFo Privacy Minute,” where we answer the questions our clients are asking us in sixty seconds or less.
Question: How does the California amendment relating to “neural data” align with Colorado’s recent amendment to its Privacy Act, and what should my business know?
Answer: California Governor Gavin Newsom approved an amendment to the California Consumer Privacy Act (CCPA), SB 1223, extending privacy rights to a person’s neural data, defined as “information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.” The amendment adds neural data to the list of data elements California includes in its definition of “sensitive personal information,” grouping it along with other sensitive data such as Social Security numbers, driver’s license numbers, geolocation data, and genetic data.
The California amendment follows Colorado’s April 2024 amendment to its state privacy law, the Colorado Privacy Act (CPA), which likewise added “neural data” to the definition of sensitive personal information. (Read our MoFo Minute detailing Colorado’s amendment.) However, California’s amendment differs from the Colorado amendment in the following key ways.
- Narrower Definition of Neural Data. The Colorado law defines neural data as “information that is generated by the measurement of the activity of an individual’s central or peripheral nervous systems and that can be processed by or with the assistance of a device.” Unlike the Colorado amendment, the California amendment excludes from its definition of neural data any data that is inferred from nonneural information. The exclusion means that behavioral and physiological data (which would be “nonneural” data) that could be used to infer mental state would not be covered under the amended CCPA. For example, fitness trackers or wearable devices that capture data from systems other than the central or peripheral nervous system (e.g., the heart) and that reveal stress level would not be covered under the amended CCPA, while electrical activity data from consumer neurotechnologies (devices that directly capture data from the brain) would be covered.
- Unclear Definition of Nonneural Data. Adding to the confusion, exactly how the term “nonneural information” will be interpreted is unclear. Nonneural information could refer only to raw data gleaned from consumer neurotechnologies, or it could encompass processed data or inferences drawn from neural data. If the latter, the law would potentially create a gap in coverage, allowing companies that process conclusions from neural data to skirt the requirements of the law. For example, if EEG data is captured from a consumer headset to determine the emotional state of an individual, that information would clearly be covered by the amended CCPA. However, if such emotional state data is subsequently processed, that secondary processing may fall outside the scope of the CCPA.
- Opt-in vs. Opt-out Requirements. The Colorado CPA requires covered businesses to obtain opt-in consent to collect and use sensitive personal information, including neural data. In comparison, the California law only gives consumers a limited right to opt out of the use and disclosure of their sensitive personal information, now including neural data, for purposes other than to provide the goods or services requested.
- Employee’s Neural Data. Unlike the Colorado law, the CCPA also applies to employee data, so California’s protections for neural data extend to California residents in their capacities as both consumers and employees and to organizations in their capacities as employers.
These state law amendments demonstrate increased attention to new and developing technologies in the neurotech space, as well as the novel, and potentially conflicting and contradictory, results that arise as lawmakers struggle to stay current with rapidly changing technology. Other states, including Minnesota (HF 1904), have introduced similar amendments to their privacy and consumer protection laws. Businesses should continue to keep an eye on any clarifications and developments with regard to the CCPA and prepare for additional states to pass similar measures.