Neural data is a form of biometric data and is yet another type of information that can be used to uniquely identify a person. However, neural data has the potential to disclose intimate aspects of an individual involving ongoing and changing emotional and mental states.
Consumer privacy advocates have been (and are) seeking to have “neural data” covered by consumer data privacy statutes to prevent companies from misusing the data. One might think that neural data can only be collected in a medical setting (like a CAT scan) involving the collection of brain activity. However, rapidly evolving scanning technology is providing businesses with more neural-related data than in the past. Further, neural data can be collected as a byproduct of collecting other biometric data, such as fingerprints, retinal scans, heart rates, precise body temperatures, etc.
Advocates for neural data privacy identify at least three main possible misuses. First, neural data — like other sensitive data — can be misused as part of data profiling. For example, if your neural data show that you are depressed, then companies can use that information for targeted advertising. That is, the companies might use your neural data to sell you anti-depression medication.
Second, neural data might be misused for another type of profiling involving an individual’s need and desire for products and services. Maybe a company discriminates based on neural data for the provision of insurance or credit, or uses neural data in hiring or housing decisions.
Third, neural data might be misused by law enforcement and the criminal justice system. Certain types of neural data — brain scans — have been shown to correlate with intentions and active choices made by individuals. As such, neural data has the potential to be used in criminal settings to prove intentional conduct on the part of those accused of crimes.
There are, of course, other possible misuses of neural data.
Privacy advocates have been successful in convincing some lawmakers that neural data should have legal protection. Thus, for example, Connecticut recently amended the Connecticut Data Privacy Act (“CTDPA”) to add “neural data” to the definition of personal and sensitive information. Connecticut now joins only three other States in regulating the collection and processing of neural data. The other three are: California, Colorado, and Montana.
Like similar statutes, the CTDPA grants consumers various rights related to their personal and sensitive data. These rights include the right to know what data is being collected and processed, the purpose for the collection and processing, the right to correct inaccurate data, the right to opt out of having certain data processed, etc. The statutes also generally impose certain restraints on controllers and processors of personal and sensitive data, such as data collection/processing minimization and deletion/destruction mandates. With the amendments, the CTDPA now applies these rights to neural data.
Further, since neural data is defined as sensitive, extra protections are mandated, such as limits on the sale and sharing of such data and additional requirements that apply when the data is used for automated decision-making and profiling. Thus, for example, if neural data is used as part of an automated decision, Connecticut consumers now have a right to know that neural data is being used, what inferences are being drawn from the data, how the automated decision was made, and more.
What Neural Data Is and How It Is Collected
Neural data, sometimes called “neurotechnology data” or “brain-computer interface data,” encompasses any information derived from the measurement of brain or nervous system activity. This includes electroencephalography (“EEG”) readings, functional magnetic resonance imaging (“fMRI”) data, and data generated by consumer wearables like sleep-tracking headbands, attention-monitoring devices, and emerging consumer neurotechnology products marketed for meditation, focus, or cognitive enhancement. It also includes data inferred from other biometric signals that correlate with neural activity, such as galvanic skin response, pupillometry, and certain heart rate variability measurements.
The commercial availability of consumer neurotechnology has accelerated rapidly. Devices like the Muse meditation headband, the Neurosity Crown developer headset, and similar products collect brain activity data and transmit it to cloud platforms. Entertainment companies are experimenting with neural interfaces for gaming. Employers have piloted attention-monitoring wearables in workplace settings. As the technology becomes cheaper and more capable, the volume and sensitivity of neural data in commercial hands will only increase.
The Current State-Level Neural Data Legal Landscape
As of 2026, four states have enacted specific neural data protections:
California
The California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), includes “neural data” within the definition of “sensitive personal information” subject to heightened protections. Cal. Civ. Code § 1798.140(ae)(1)(L). Consumers have the right to limit the use and disclosure of sensitive personal information, and businesses must provide a “Limit the Use of My Sensitive Personal Information” link.
Colorado
Colorado amended its Consumer Protection Act to include neural data in its definition of “sensitive data,” requiring explicit consent for collection and processing, and prohibiting the sale of neural data without consent. Colo. Rev. Stat. § 6-1-1303.
Montana
Montana enacted the Consumer Data Privacy Act with neural data expressly included as a category of sensitive data. Mont. Code Ann. § 30-14-3103. The statute grants consumers the right to opt out of processing for targeted advertising, sale, or profiling, and imposes heightened consent requirements for collection.
Connecticut
Connecticut amended the CTDPA in 2025 to expressly add “neural data” to the definition of sensitive personal data. Consumers in Connecticut now have rights of access, correction, deletion, and portability with respect to their neural data, as well as the right to opt out of processing for targeted advertising and automated profiling.
Federal Law: Current Gaps and Pending Legislation
No comprehensive federal statute specifically regulates neural data. The Health Insurance Portability and Accountability Act (“HIPAA”) covers neural data collected in medical contexts, but the vast majority of consumer neurotechnology data is collected outside healthcare settings and is therefore not subject to HIPAA protections. The FTC has general authority under 15 U.S.C. § 45 to prohibit unfair or deceptive practices, which could reach neural data misuse, but this provides a narrower protection than state-level privacy statutes. Federal neural data legislation has been introduced but not enacted as of 2026.
Business Compliance Obligations in Regulated States
Businesses that collect, process, or sell neural data in California, Colorado, Montana, or Connecticut must:
- Update their privacy policies to expressly disclose the collection and use of neural data
- Implement mechanisms for consumers to exercise their rights (access, correction, deletion, opt-out)
- Obtain explicit consent before collecting neural data — implied or passive consent is insufficient
- Conduct data protection impact assessments (“DPIAs”) before processing neural data for high-risk purposes
- Restrict the sale or sharing of neural data with third parties
- Implement appropriate technical and organizational security measures for neural data
Emerging Ethical and Legal Questions
Legal scholars and privacy advocates are raising questions that go beyond existing statutory frameworks. Can neural data be compelled in criminal investigations? Does involuntary neural data collection violate constitutional protections against self-incrimination or unreasonable searches? How should employment law address employers who collect neural data from workers? These questions will be litigated and legislated in the coming years. Businesses building products or services that touch neural data should be developing legal compliance strategies now, before the regulatory landscape solidifies.
Contact Revision Legal
If you have questions about data privacy law, the experienced attorneys at Revision Legal can help. We represent businesses, entrepreneurs, and individuals across the country. Contact us through the form on this page, visit our data privacy law practice page, or call us at (855) 473-8474.