Who Owns Your Brain Data? The Privacy Fight No One Is Having (Yet)
Consumer neurotech devices are collecting the most intimate data on earth, the fine print says companies can sell it, and almost nobody is talking about it.
Somewhere in a server farm right now, a file containing your brain activity probably exists. Maybe you wore an EEG headband to improve your sleep. Maybe you tried a meditation device that promised to measure your focus. Maybe you played around with one of the consumer neurofeedback products that have been popping up in electronics stores like particularly ambitious Fitbits. Whatever the entry point, if you’ve used a consumer neurotech device in the last few years, there’s a reasonable chance your neural data left your skull and landed somewhere you never thought about.
This isn’t fearmongering. It’s the finding of a systematic, 100-page investigation. In April 2024, the Neurorights Foundation, a Columbia University-affiliated nonprofit led by neuroscientist Rafael Yuste, analyzed the privacy policies and user agreements of 30 consumer neurotechnology companies. The numbers were stark: 29 out of 30 companies effectively claimed ownership over every piece of neural data collected through their devices. 20 out of 30 explicitly reserved the right to share or sell that data to third parties. Only one company had any meaningful restrictions. Yuste’s word for the user agreements: “predatory.”
The conversation about what’s happening to your financial data, your location data, your health data — all of it — has been happening loudly for years. The conversation about your brain data has barely started. That’s the gap this piece is trying to close.
What neural data actually is, and why it’s different from everything else 🧠
When people hear “brain data,” they imagine a neuroscientist in a lab coat watching a glowing scan of your skull while you think about your mother. The reality is both more mundane and more alarming. Neural data is any information generated by measuring the electrical, chemical, or vascular activity of your nervous system — and it doesn’t require surgery or a hospital to collect.
Consumer EEG headbands record voltage fluctuations across your scalp. Meditation apps process those signals into emotional state estimates. Sleep trackers identify sleep stages from brain wave patterns. Even some wellness earbuds with embedded sensors now log what your auditory cortex is doing while you commute. The collection is happening quietly, continuously, and in contexts that feel nothing like a medical procedure.
California’s SB 1223, which took effect on January 1, 2025, offers the clearest legal definition of what counts: information “generated by measuring the activity of a consumer’s central or peripheral nervous system, and that is not inferred from non-neural information.” The Future of Privacy Forum calls this “the broadest conception” adopted by any U.S. state so far, because it includes signals from the peripheral nervous system (think EMG data from muscles) in addition to brain activity. 🔬
Here’s what makes neural data categorically different from other sensitive data types:
- It can identify you even when anonymized. Research cited by TechPolicy Press shows that brain patterns can be cross-referenced with social media photos to re-identify individuals, even when data has been stripped of names and metadata.
- It reveals information you haven’t disclosed. Neural signals can expose mental health conditions, emotional states, cognitive patterns, and political inclinations — none of which you agreed to share.
- It’s far richer than necessary. A Neurorights Foundation analysis found that consumer devices often collect roughly 10,000 times more data than the application actually uses, leaving companies with vast stores of raw neural signal they have no stated purpose for.
- It cannot be reset. Your password can be changed. Your credit card can be reissued. Your brain activity pattern is yours forever, which means a breach is permanent.
I think this last point doesn’t get nearly enough attention. Every data breach risk framework I’ve ever seen treats data loss as a recoverable event. For neural data, there’s no recovery. Once your EEG fingerprint is out, it’s out.
The fine print problem 🔬
It’s worth pausing on what those 30 privacy policies actually said — or didn’t say. The Neurorights Foundation’s report found that fewer than half of the companies surveyed even encrypt the neural data they collect, let alone de-identify it. Most policies were written in language vague enough to permit almost any downstream use. And, critically, most of them said nothing at all about data broker relationships.
Here’s the uncomfortable legal reality that Senators Chuck Schumer, Maria Cantwell, and Ed Markey spelled out in a 2025 letter to the FTC: devices classified as “wellness” products don’t fall under HIPAA. Neuralink, because it’s a medical device, has to comply with federal health data protection law. But the meditation headband you bought on Amazon? Under current federal law, the company can do almost whatever it wants with the signals your neurons generated. The “wellness” label is doing a lot of regulatory heavy lifting, and not in your favor.
What companies are actually doing with collected neural data varies, but the range of disclosed uses in those 30 policies included:
- Sharing with “business partners” and “affiliates” — terms broad enough to include advertisers.
- Training AI models on aggregated neural datasets, with no clear limits on what those models learn about emotional or cognitive patterns.
- Transferring data in the event of a “merger, acquisition, or sale of assets” — meaning your brain data is a transferable business asset.
- “Research purposes” with no definition of what research, by whom, or with what oversight.
The phrase that keeps appearing in these policies is some variation of “as described in this policy” — which describes almost nothing. A group of researchers at Neuroethics Canada put it bluntly: the risks are compounded by “the behavior of consumers who accept user agreements with little regard to their terms, thereby giving access to their brain data for mining, analytics, and purchase by third parties.” Which is to say: the system is working exactly as designed, and the design is not in your favor. Is this actually surprising to you, or does it feel inevitable? 💡
The law is scrambling, unevenly ⚡
The regulatory picture in 2026 is a patchwork of state laws, stalled federal proposals, and international guidelines that carry no enforcement power. The short version: some protection exists in a few U.S. states, almost none exists at the federal level, and the European framework is clearer in theory than in practice.
Colorado moved first, signing the world’s first neural data protection bill into law in April 2024 — extending the Colorado Privacy Act to cover consumer neurotech devices. California’s SB 1223 followed, effective January 2025. Montana and Connecticut (with SB 1295, signed June 2025) completed the initial group of four states with neural data law on the books.
As of early 2026, a Morrison Foerster analysis cited by Inside BCI identified active neural data bills in Virginia, Alabama, New York, Illinois, and Vermont — each taking a different approach:
- Virginia HB 654 folds neural data into the existing definition of biometric data under state privacy law.
- Alabama HB 263 creates a standalone neural data statute, which is a stronger structural choice because it can’t be quietly diluted by biometric data carve-outs.
- Illinois HB 5179 gives individuals a private right of action — if a company unlawfully transfers your neural data to a third party, you’re presumed to have suffered at least $10,000 in damages, without having to prove actual harm.
- New York’s S9008 would treat neural data under data broker regulations, which is an interesting angle given how much data broker infrastructure already exists.
The federal picture is more discouraging. Senators Schumer, Cantwell, and Markey introduced the MIND Act (S.B. 2925) in September 2025, which would direct the FTC to conduct a one-year study of neural data practices and recommend national standards. As of May 2026, the bill hasn’t moved out of committee. Directing an agency to study something is already a pretty mild intervention; failing to even pass that is a sign of how little political momentum this issue currently has.
Internationally, the EU’s GDPR almost certainly covers neural data under its “special categories” rules for biometric and health data, but there are no neuro-specific provisions. The OECD published neurotechnology governance principles in 2019. UNESCO has a draft ethics instrument under intergovernmental negotiation since 2024. In 2025, the UN Special Rapporteur on privacy urged all states to enact targeted protections. None of this is binding. France and Germany are separately drafting employment-specific laws to prohibit mandatory neurotech adoption in workplace contracts, which is at least a concrete step toward a specific risk.
The most consequential legal ruling so far came from Chile’s Supreme Court, which became the world’s first court to protect brain data under a constitutional neurorights provision. That’s genuinely remarkable. It’s also a single ruling in one country, and it required a constitutional amendment first.
Why the stakes just got higher 🧬
The case for urgency didn’t need more evidence, but 2025 delivered some anyway. In August 2025, researchers at Stanford University published results showing that an AI system translated neural signals from a woman with ALS — referred to only as participant T16 — into readable sentences in real time. The work was presented as a speech restoration breakthrough, and it is one. It’s also a proof of concept for something more unsettling: if AI can reconstruct intended speech from neural signals, the technical barrier between “brain data collection” and “thought reading” is now a matter of engineering, not science.
Japanese researchers reported a parallel advance shortly after, demonstrating “mind captioning” — generating detailed descriptions of images a person was seeing or imagining, using non-invasive brain scans combined with multiple AI systems. The accuracy wasn’t perfect. It doesn’t need to be perfect to be dangerous.
What this means for the current state of neural data privacy:
- The data being collected now may be far more decodable in five years than it is today. Companies that acquire it under current “wellness” terms will have it when the decoding tools are ready.
- Re-identification will get easier. As AI models trained on neural data improve, the “anonymized” datasets sitting in company servers become progressively less anonymous.
- Research cited in a 2024 Neuron paper by Farahany and Ienca found that AI can infer political ideology from brain scan data — a fact that has specific implications when neural data ends up with data brokers in politically sensitive contexts.
- The workplace dimension is already arriving. Pilot programs in 2025 explored cognitive monitoring for drivers, air traffic controllers, and office workers. A peer-reviewed analysis published in EMBO Reports in 2025 flagged the potential for neural data to appear in criminal proceedings, raising urgent self-incrimination concerns.
The argument that gets made most often in response to all of this is: “Well, the data is low-resolution. Consumer EEGs aren’t capturing your actual thoughts.” That’s true right now. It’s a comfort that has a shorter shelf life than most people realize.
What you can actually do today 📈
I’m not going to pretend that individual action is a substitute for systemic regulation. It isn’t. But while the regulators catch up, a few things are actually within your control.
Before buying or using any consumer neurotech device:
- Read the privacy policy before purchasing. Specifically look for: what data is collected; whether it’s sold to third parties; how long it’s retained; and what happens to your data if the company is acquired. If the policy doesn’t address those questions, that absence is itself an answer.
- Check your state protections. If you’re in California, Colorado, Connecticut, or Montana, you have legal rights around neural data that you may not know about — including the right to request deletion.
- Prefer companies with explicit data minimization commitments. Some companies do commit in writing to collecting only what’s necessary for the stated function. Those commitments aren’t legally watertight everywhere, but they’re better than nothing and they create an accountability record.
- Be skeptical of “wellness” framing. Products that position themselves as wellness rather than medical devices are deliberately outside HIPAA’s scope. That’s a choice companies make with regulatory consequences in mind.
If you’re a developer, engineer, or founder building in this space, the 7 competitive advantages piece on NeurotechMag makes a point worth internalizing: data trust is a moat. Companies that build real privacy protections in now — not as compliance theater, but as architecture — will look dramatically different from their peers when the regulatory environment tightens. And it will tighten.
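One concrete form of the “privacy as architecture” point, as an added example that is not NeurotechMag’s code or any vendor’s firmware: the headset reduces each minute of raw EEG to a single coarse focus score on-device and transmits only that record, so the raw signal is never retained or uploaded. The sample rate, channel count and the alpha/beta band-power ratio used as the “focus” metric are assumptions, and the input signal is constructed.

```python
import cmath
import math
import random
from dataclasses import dataclass

SAMPLE_RATE, CHANNELS = 256, 4             # assumed consumer-EEG rate (Hz) and channel count
WINDOW, WINDOWS_PER_EPOCH = 1024, 15       # 4 s FFT windows (0.25 Hz bins); 15 windows = 60 s epoch
ALPHA, BETA = (8.0, 12.0), (13.0, 30.0)    # conventional EEG bands, Hz

@dataclass(frozen=True)
class FocusRecord:
    """The only record the device transmits: one coarse score per epoch."""
    epoch_index: int
    focus_score: int                       # 0..100, beta share of alpha+beta power

def fft(x):  # minimal radix-2 FFT; len(x) must be a power of two
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    tw = [cmath.exp(-2j * math.pi * k / n) * odd[k] for k in range(n // 2)]
    return [even[k] + tw[k] for k in range(n // 2)] + [even[k] - tw[k] for k in range(n // 2)]

def band_power(spectrum, band):  # sum of |X[k]|^2 over bins whose frequency lies in band
    lo = math.ceil(band[0] * WINDOW / SAMPLE_RATE)
    hi = math.floor(band[1] * WINDOW / SAMPLE_RATE)
    return sum(abs(spectrum[k]) ** 2 for k in range(lo, hi + 1))

def minimise_epoch(epoch_index, channels):
    """On-device reduction: raw samples in, one FocusRecord out, raw buffer not retained.
    `channels` is a list of CHANNELS lists, each WINDOW * WINDOWS_PER_EPOCH samples long."""
    alpha = beta = 0.0
    for samples in channels:
        for w in range(WINDOWS_PER_EPOCH):
            spec = fft(samples[w * WINDOW:(w + 1) * WINDOW])
            alpha += band_power(spec, ALPHA)
            beta += band_power(spec, BETA)
    score = round(100 * beta / (alpha + beta)) if alpha + beta else 0
    return FocusRecord(epoch_index, score)   # nothing else leaves the device

def raw_values_per_epoch():  # what an upload-everything design ships for the same minute
    return CHANNELS * WINDOW * WINDOWS_PER_EPOCH

def synthetic_epoch(seed=1):
    """Constructed test signal: 10 Hz alpha (amp 1.0) + 20 Hz beta (amp 0.5) + slight noise."""
    rng = random.Random(seed)
    n = WINDOW * WINDOWS_PER_EPOCH
    return [[math.sin(2 * math.pi * 10 * i / SAMPLE_RATE)
             + 0.5 * math.sin(2 * math.pi * 20 * i / SAMPLE_RATE)
             + rng.uniform(-0.05, 0.05) for i in range(n)] for _ in range(CHANNELS)]
```

For the constructed input, one minute shrinks from 61,440 raw values to a single integer, the same order-of-magnitude gap between collected and used data that the Neurorights Foundation analysis describes.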
As we noted in our coverage of consumer neurotech devices you can buy today, “there’s a bigger conversation emerging about regulation and ethics — because once you start collecting neural data, questions about privacy, consent, and data use matter. Very much.” That conversation is overdue. The question is whether enough people demand it before the data already collected becomes impossible to claw back.
So here’s what I’d actually like to know: if your neurotech device’s privacy policy said explicitly that your brain signals could be sold to a data broker — would you still use it? And if the answer is no, why haven’t you checked whether that’s already happening? 👇