Neural Data Privacy: What SB 1223 Means for BCI Startups
California just expanded privacy laws to your brainwaves. Medtech founders, take note. 🧠
Defining "Neural Data"
SB 1223 amends the California Consumer Privacy Act (CCPA) to explicitly include "neural data" within the definition of "sensitive personal information."
The law defines neural data as information generated by the activity of the brain or wider nervous system. This includes data collected by:
- Brain-Computer Interfaces (BCIs): Implants or external headsets that control devices.
- Wearables: Headbands that monitor sleep, focus, or meditation states (EEG).
- Eye Tracking: In some contexts, data derived from eye movements that is used to infer cognitive state.
Impact on BCI and Neurotech
If you are building a BCI or a consumer neurotech device, you now have strict obligations. Because neural data is "sensitive," you must:
- Obtain Opt-In Consent: You cannot collect this data by default. The user must explicitly agree.
- Limit Use: You can only use the data for the specific purpose stated. You cannot sell it or use it for unrelated advertising without separate consent.
- Secure the Data: You must implement reasonable security procedures to protect this data.
The "Mental Privacy" Right
This law effectively creates a right to "mental privacy" in California. Users have the right to know what their neural data reveals about them (e.g., emotional state, cognitive decline) and to opt out of its sale or sharing.
Conclusion
Neurotech is the next frontier of privacy. Build your systems with privacy by design. If you treat brain data like clickstream data, you will face significant legal peril.
Frequently Asked Questions (FAQ)
Does this apply to medical devices?
If the device is regulated by HIPAA (e.g., used in a hospital), it is generally exempt from the CCPA. However, many direct-to-consumer neurotech devices are not covered by HIPAA, so SB 1223 applies directly to them.
Can I use neural data to train my AI?
Only if you have explicit consent from the user for that specific purpose. You cannot bury "AI training" in a generic Terms of Service.
What if the data is anonymized?
True anonymization of neural data is difficult, as brainwave patterns can be as unique as fingerprints. If the data can be re-linked to an individual, it is not anonymized under the law.