On September 28, 2024, California Governor Gavin Newsom signed into law a pair of significant bills, S.B. 1223 and A.B. 1008, which amend the California Consumer Privacy Act of 2018 ("CCPA"). In tandem, the passage of these bills signals an evolving approach to California's safeguarding of personal information in the context of artificial intelligence and other emerging technologies.
S.B. 1223
Earlier this year, Colorado passed legislation to amend the Colorado Privacy Act, carving out neural data as a specific category of sensitive personal data for which the collection and processing thereof requires heightened protections and disclosure obligations. Consistent with Colorado's approach, S.B. 1223 expands the definition of "sensitive personal information" under the CCPA to expressly include California residents' neural data. "Neural data" is defined to mean "any information that is generated by measuring the activity of a consumer's central or peripheral nervous system, and that is not inferred from nonneural information." This expansion recognizes the unique nature of neural data that can provide insights into a person's thoughts, feelings, and behaviors. Specifically, neural data may be derived from wearable technologies, such as headbands that use electroencephalogram (EEG) technology to measure electrical activity in the brain during meditation or sleep, or the use of augmented reality headsets during gaming that track photoreceptors in an individual's eyes and the resulting dilation of eye pupils and corresponding emotions, which may be used by game developers for product improvement purposes. A person with an implemented electrocorticography (ECoG) system may also provide data on neural activity linked to their ability to move a prosthetic limb or to understand speech, providing insights into motor and sensory functions. The enactment of S.B. 1223 has been viewed as a key step in protecting the mental privacy of California residents in light of the proliferation of various neurotechnology startups residing in California.
Neural data now joins other subsets of sensitive personal information under the CCPA, including government identifiers; precise geolocation; information concerning sexual orientation; racial or ethnic origin; religious or philosophical beliefs; union membership; and citizen and immigration status. Pursuant to the CCPA, California residents have the right to direct businesses to limit the use and disclosure of their sensitive personal information, and a businesses' non-compliance may result in substantial penalties. By recognizing neural data as a subset of sensitive personal information, California and Colorado have set a precedent for other jurisdictions and have underscored the importance of ethical considerations in neuroscience and technology.
A.B. 1008
A.B. 1008 specifies that "personal information" (as defined under the CCPA) can exist in various formats, including, but not limited to, the following: (i) physical formats, including paper documents, printed images, vinyl records, or video tapes; (ii) digital formats, including text, image, audio, or video files; and (iii) abstract digital formats, including compressed or encrypted files, metadata, or artificial intelligence systems that are capable of outputting personal information. By including artificial intelligence (AI) systems in the definition of personal information, businesses developing or using AI models, especially large language models (LLMs) will need to consider these models as potential repositories of personal information. Further, A.B. 1008 emphasizes the need to carefully consider the data used to train AI models, as this data may be subject to CCPA regulations and California residents' exercise of their CCPA rights, including the right to access, delete, or correct personal information, which may extend to data used in or generated by AI systems.
The amendments are anticipated to become operative on January 1, 2025. Businesses subject to the CCPA should review existing practices and disclosures around the collection and processing of personal information and sensitive personal information to ensure compliance with S.B. 1223 and A.B. 1008.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.