Policy Details

SB1223 – Consumer Privacy: Sensitive Personal Information: Neural Data

Date Passed

9/28/2024

Effective Date

1/1/2025

Summary

Defines “neural data” (e.g., EEG/fMRI/BCI signals, eye‑tracking, neural recordings) as Sensitive Personal Information under the California Consumer Privacy Act. Extends CCPA rights and duties to neural data–right to know/limit/opt‑out, purpose limitation, and reasonable security–and prohibits selling or sharing neural data without opt‑in consent except as permitted by law.

Healthcare Implications

Neurotechnology, mental‑health apps, and medical devices that collect brain‑signal or neuro‑adjacent data must treat it as highly protected SPI, tightening consent and limiting secondary uses (e.g., AI training) outside Health Insurance Portability and Accountability Act. Providers and vendors integrating BCIs or neuro‑monitoring need new data‑governance controls and contractual terms for third‑party analytics. Raises compliance expectations for de‑identification and security when neural data are combined with other patient information.

Impact Level

Medium

Keywords

Privacy & Data

Stakeholders

Providers & Health Systems