A new battle over privacy is underway as tech devices capture our brain waves


Nomadsoul1 | Istock | Getty Images

The question “What is a thought?” is no longer strictly philosophical. Like anything else measurable, our thoughts are subject to increasingly technical answers, with data captured by tracking brain waves. That advancement also means that the data is marketable, and companies in the wearable consumer technology sector are already buying and selling captured brain data, with few protections for users.

In response, Colorado recently passed a first-in-the-nation privacy law aimed at protecting these rights. The law falls under the existing “Colorado Consumer Protection Act,” which aims to protect “the privacy of individuals’ personal data by establishing certain requirements for entities that process personal data.” [and] Includes additional protections for sensitive data.”

The key language of the Colorado law is the expansion of the term “sensitive data” to include “biological data,” meaning numerous biological, genetic, biochemical, physiological, and neural properties.

Elon Musk’s Neuralink is the most famous example of how technology is being integrated into the human mind, though it is not alone in this field, with Paradromics emerging as a close contender, along with devices that have restored speech to stroke victims and helped amputees move prosthetic limbs with their minds. All of these products are medical devices that require implantation and are protected by the strict privacy requirements of HIPAA. The Colorado law focuses on the rapidly growing sphere of consumer technology and devices that do not require medical procedures, have no analogous protections, and can be purchased and used without medical supervision of any kind.

There are dozens of companies making products that are wearable technologies that capture brain waves (aka neural data). On Amazon alone, there are pages of products ranging from sleep masks designed to optimize deep sleep or promote lucid dreaming, to headbands that promise to promote focus, to biofeedback headphones that will take your meditation session to the next level. These products, by design and necessity, capture neural data by using tiny electrodes that produce readings of brain activity, and some deploy electrical impulses to influence brain activity.

The laws in force for the management of all this brain data are practically non-existent.

“We've entered the realm of science fiction,” said the lead sponsor of the Colorado bill, Rep. Cathy Kipp. “As with any scientific advancement, there must be guardrails.”

The 'ChatGPT moment' for consumer brain technology

A recent study by The NeuroRights Foundation found that of thirty companies examined that make wearable technology capable of capturing brain waves, twenty-nine “offer no significant limitations on this access.”

“This revolution in consumer neurotechnology has centered on the increasing ability to capture and interpret brain waves,” said Dr. Sean Pauzauskie, medical director of The NeuroRights Foundation. Devices that use electroencephalography, a technology readily available to consumers, constitute “a multibillion-dollar market that will double in the next five years,” he said. “In the next two to five years, it's not unlikely that neurotechnology could have a ChatGPT moment.”

The amount of data that can be collected depends on a number of factors, but the technology is advancing rapidly and could lead to an exponential increase in applications as the technology increasingly incorporates artificial intelligence. Apple has already filed patents for brain-sensing AirPods.

“Brain data is too important to be left unregulated. It reflects the inner workings of our minds,” said Rafael Yusuf, a professor of biological sciences and director of the Center for Neurotechnology at Columbia University, as well as president of the NeuroRights Foundation and a leading figure in the neurotechnology ethics organization Morningside Group. “The brain is not just another organ of the body,” he added. “We need to engage private actors to ensure they adopt a framework for responsible innovation, as the brain is the sanctuary of our minds.”

Pauzauskie said the value for companies lies in interpreting or decoding the brain signals picked up by wearable technologies. As a hypothetical example, he said, “if you were wearing headphones with brain sensors, Nike would not only know that you searched for running shoes from your browsing history, but it could also know how interested you are while browsing.”

A wave of biological privacy legislation may be needed

The concerns raised in the Colorado law may lead to a wave of similar laws, with greater attention paid to the combination of rapidly advancing technologies and the commodification of user data. In the past, consumer rights and protections have lagged behind innovation.

“The best and most recent analogies between technology and privacy might be the largely unnoticed revolutions in the Internet and consumer genetics,” Pauzauskie said.

A similar arc could follow unchecked advances in the collection and commodification of consumer brain data. Hacking, corporate profit motives, ever-changing privacy agreements for users and a lack of laws regulating data are all major risks, Pauzauskie said. Under the Colorado Privacy Act, brain data has the same privacy rights as fingerprints.

According to Professor Farinaz Koushanfar and Associate Professor Duygu Kuzum of UC San Diego’s Department of Electrical and Computer Engineering, it is still too early to understand the limitations of the technology, as well as the depths of potentially intrusive data collection.

Neural data tracking could mean monitoring a wide range of cognitive processes and functions, including thoughts, intentions and memories, they wrote in a joint emailed statement. At one extreme, neural data tracking could mean direct access to medical information.

The wide range of possibilities is itself a problem. “There are still too many unknowns in this field and that is worrying,” they wrote.

According to Koushanfar and Kuzum, if these laws become widespread, companies may be forced to review their current organizational structure. It may be necessary to appoint new compliance officers and implement methods such as risk assessment, external auditing and anonymization as mechanisms to establish requirements for the entities involved.

On the consumer side, the Colorado law and any subsequent efforts represent important steps toward better educating consumers, as well as providing them with the tools necessary to verify and exercise their rights if they are violated.

“The privacy law [in Colorado] “The issue of neurotechnology may be a rare exception, where rights and regulations precede any widespread misuse or abuse of consumer data,” Pauzauskie said.

scroll to top