Neural data is a form of biometric data and is yet another type of information that can be used to uniquely identify a person. However, neural data has the potential to disclose intimate aspects of an individual involving ongoing and changing emotional and mental states.

Consumer privacy advocates have been (and are) seeking to have “neural data” covered by consumer data privacy statutes to prevent companies from misusing the data. One might think that neural data can only be collected in a medical setting (like a CAT scan) involving the collection of brain activity. However, rapidly evolving scanning technology is providing businesses with more neural-rated data than in the past. Further, neural data can be collected as a byproduct of collecting other biometric data, such as fingerprints, retinal scans, heart rates, precise body temperatures, etc.

Advocates for neural data privacy identify at least three main possible misuses. First, neural data — like other sensitive data — can be misused as part of data profiling. For example, if your neural data show that you are depressed, then companies can use that information for targeted advertising. That is, the companies might use your neural data to sell you anti-depression medication.

Second, neural data might be misused for another type of profiling involving an individual’s need and desire for products and services. Maybe a company discriminates based on neural data for the provision of insurance or credit, or uses neural data in hiring or housing decisions.

Third, neural data might be misused by law enforcement and the criminal justice system. Certain types of neural data — brain scans — have been shown to correlate with intentions and active choices made by individuals. As such, neural data has the potential to be used in criminal settings to prove intentional conduct on the part of those accused of crimes.

There are, of course, other possible misuses of neural data.

Privacy advocates have been successful in convincing some lawmakers that neural data should have legal protection. Thus, for example, Connecticut recently amended the Connecticut Data Privacy Act (“CTDPA”) to add “neural data” to the definition of personal and sensitive information. Connecticut now joins only three other States in regulating the collection and processing of neural data. The other three are: California, Colorado, and Montana.

Like similar statutes, the CTDPA grants consumers various rights related to their personal and sensitive data. These rights include the right to know what data is being collected and processed, the purpose for the collection and processing, the right to correct inaccurate data, the right to opt out of having certain data processed, etc. The statutes also generally impose certain restraints on controllers and processors of personal and sensitive data, such as data collection/processing minimization and deletion/destruction mandates. With the amendments, the CTDPA now applies these rights to neural data.

Further, since neural data is defined as sensitive, extra protections are mandated, such as limits on the sale and sharing of such data and mandates required when the data is used for automated decision-making and profiling. Thus, for example, if neural data is used as part of an automated decision, Connecticut consumers now have a right to know that neural data is being used, what inferences are being drawn from the data, how the automated decision was made, and more.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.