California Adds Neural Data to Consumer Privacy Act

by John DiGiacomo

Partner

Internet Law

In consumer privacy protection news, the California Governor has signed into law a statute that added “neural data” to the definition of “sensitive personal information” in California’s consumer privacy protection statute. See Barron’s media report here. The new law is an amendment to existing statutes and is known as Senate Bill 1223.

What is “sensitive personal information” in California?

California’s consumer data privacy protection statute attempts to protect consumers’ personal information. Examples of “personal information” include a person’s name, email address, purchase history, browsing history, address and other location data, IP address, and more. Within the category of “personal information” is a subset of data that is designated as “sensitive data.” As noted, California has now added “neural data” as a type of “sensitive personal information.” With the addition of “neural data,” “sensitive personal information” now means the following personal information:

(A) A consumer’s social security, driver’s license, state identification card, or passport number

(B) A consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account

(C) A consumer’s precise geolocation

(D) A consumer’s racial or ethnic origin, citizenship or immigration status, religious or philosophical beliefs, or union membership

(E) The contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication

(F) A consumer’s genetic data

(G) A consumer’s neural data

Senate Bill 1223 defines “neural data” to mean “… information that is generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from nonneural information.”

Why distinguish between “sensitive personal information” and “personal information”?

California’s consumer data protection statutes give consumers various rights regarding their data. For example, consumers are entitled to know what categories of data are being collected and processed, what the business purpose is for the collection and processing, what data is currently being held by the business, to whom the data is sold or with whom it is shared, etc. Those rights apply to all “personal information” that is collected and processed.

For the more limited category of “sensitive personal information,” the California statutes limit the uses for which businesses can collect and process such information. If a business wants to process sensitive personal information for other uses, then the business must provide a notice to consumers explaining those uses and allow consumers to opt out of allowing their sensitive personal information to be processed for those purposes. Generally, such “opt-out” choices must be permitted via a “clear and conspicuous link” on the website homepage that says something like: “Limit the Use of My Sensitive Personal Information.” “Neural data” is now on the list of data that requires a notice and an opt-out choice for non-approved business uses.

Contact The Consumer Data Privacy and Compliance Attorneys At Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

What Is Neural Data and Why Is It Being Collected

Neural data — information generated by measuring the activity of a person’s central or peripheral nervous system — has moved from the domain of medical research into consumer products at a pace that has outrun privacy regulation. Brain-computer interface (BCI) technology, once confined to clinical neuroscience, is now embedded in consumer devices: EEG headsets marketed for gaming focus, meditation apps that measure brainwave patterns, and wearable devices that monitor peripheral nervous system activity to assess stress levels, attention, and emotional states.

Companies collecting this data argue that it enables personalized experiences — a gaming headset that adapts difficulty based on measured focus levels, a productivity app that schedules tasks around peak cognitive windows inferred from neural signal patterns. The same data, however, can reveal information about neurological conditions, psychiatric diagnoses, emotional states, and cognitive vulnerabilities that the consumer would not consciously choose to disclose. It can potentially be used to manipulate behavior in ways that other forms of personal data cannot match. That is precisely why legislators are treating neural data as a category that warrants the highest level of privacy protection.

How California’s Framework Restricts Neural Data Processing

Under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), Cal. Civ. Code § 1798.100 et seq., sensitive personal information — including neural data following Senate Bill 1223 — is subject to restrictions on secondary use. A business that collects neural data may use it for the purpose it was collected (e.g., providing real-time feedback to the gaming headset user) but may not use it for other purposes — such as building advertising profiles, selling it to data brokers, or sharing it with third parties — without meeting specific requirements.

Specifically, if a business wants to process sensitive personal information for purposes beyond those strictly necessary for the disclosed service purpose, it must: (1) provide a clear and conspicuous link on its website or app homepage titled “Limit the Use of My Sensitive Personal Information” or a similar formulation; (2) honor consumer requests made through that link to restrict secondary uses; and (3) not penalize consumers who exercise that right. The Sensitive Personal Information opt-out mechanism is separate from and in addition to the general opt-out of sale and sharing that CCPA requires for all personal information.

Colorado and Minnesota: Parallel Neural Data Protections

California is not alone in adding neural data protections. Colorado enacted the Colorado Privacy Act, which the Colorado legislature amended in 2024 to add neural data as a category of sensitive data. Colorado’s framework similarly restricts the processing of sensitive data — requiring consent before a business can process sensitive data for purposes beyond those disclosed to the consumer at the time of collection.

Minnesota enacted specific neural data legislation, the Neurotechnology Consumer Privacy Act, signed into law in 2024. The Minnesota statute is one of the most specific BCI privacy laws in the United States, covering neural data collected by neurotechnology devices and requiring explicit consent before collection, with restrictions on secondary uses, data sharing, and retention. Violations are enforceable by the Minnesota Attorney General and, unlike many state privacy statutes, the Minnesota act includes a private right of action for affected consumers.

The emergence of parallel state statutes specifically targeting neural data signals that this category of privacy law is developing rapidly. Businesses operating in multiple states and collecting neural data through consumer devices need to map their obligations against each applicable state statute — not just CCPA — and build consent and opt-out mechanisms that satisfy the most demanding applicable standard.

Who Is Collecting Neural Data and May Not Realize It

The most obvious neural data collectors are BCI companies manufacturing dedicated headsets and wearables. But neural data collection may occur in less obvious contexts:

  • Health and wellness apps that use smartphone accelerometer and sensor data to infer physiological and neurological states
  • Gaming platforms that integrate third-party BCI peripheral support and collect the resulting data through their APIs
  • Enterprise productivity platforms that integrate focus and attention monitoring features using commercial BCI APIs
  • Medical telehealth platforms that use consumer-grade EEG devices as part of remote neurological monitoring programs

In each of these cases, the platform collecting and processing the neural data may not have designed privacy practices specifically for that data category. A health app that added BCI integration as a feature update may still be operating under a privacy policy that describes only health and activity tracking data, without any reference to neural data collection. That gap is a compliance problem under SB 1223 for any California consumer who uses the BCI feature.

Compliance Steps for Businesses Collecting Neural Data

  • Audit your product and its third-party integrations to determine whether any component collects data generated by measuring nervous system activity
  • Update your privacy notice to specifically disclose the collection of neural data, the purposes for which it is collected, and any parties with whom it is shared
  • Implement the “Limit the Use of My Sensitive Personal Information” opt-out mechanism for California consumers if you use neural data for purposes beyond the immediate service purpose
  • Review your data processing agreements with any third-party vendors who receive neural data from your platform
  • Monitor Minnesota, Colorado, and other states that are likely to enact additional neural data legislation in 2025 and beyond

Neural data is among the most sensitive categories of personal information ever subjected to consumer privacy regulation, and the law in this area is developing quickly. If your product collects or processes neural data, you need a privacy counsel review now — not after the first enforcement action. Contact the consumer data privacy and compliance attorneys at Revision Legal through the form on this page or call (855) 473-8474.
