Neural Data Just Became a Sensitive Privacy Category Under State Law — Why That Matters Beyond Wearables

Connecticut's amended data privacy act, signed into law on June 24, 2025, takes effect July 1, 2026. It does something no other U.S. state has done in quite this way: it classifies neural data — information generated by measuring your brain activity — as a sensitive category under a comprehensive privacy statute, with zero volume threshold for compliance. If you process even one Connecticut resident's brainwave data, the full weight of the law applies. That framing matters more than the wearable-device headlines suggest.

Key Takeaways

What Exactly Did Connecticut Do?

Governor Ned Lamont signed Public Act 25-113 on June 24, 2025. Effective July 1, 2026, it amends the Connecticut Data Privacy Act (CTDPA) to add neural data — defined as information generated by measuring the activity of an individual's central nervous system — to the list of sensitive data categories. That list already included genetic data, biometric data, and precise geolocation. The amendment also adds status as transgender or nonbinary, disability and related treatment data, government-issued identification numbers, and certain financial account credentials to the sensitive category.

The important mechanic: once you're dealing with sensitive data, no consumer-volume threshold applies. The old 100,000-consumer floor — which let smaller operators avoid the law's reach — is eliminated for sensitive categories. Process one Connecticut resident's neural data, and you're in scope.

How Does Connecticut's Definition Compare to Other States?

Connecticut's definition is notably narrower than some. It covers only central nervous system activity — the brain and spinal cord. Other states with neural data provisions, including Colorado and California, use definitions that can extend to peripheral nervous system activity as well. The Future of Privacy Forum has described this as a "Goldilocks problem": too broad and you capture every fitness tracker measuring galvanic skin response; too narrow and you miss data that reveals cognitive states through indirect channels.

Connecticut is the fourth U.S. state to specifically regulate neural data. The timeline:

Each approach reflects different assumptions about what neural data is — biometric identifier, health data, or something categorically new. That disagreement across state lines is itself the problem.

Why Does This Matter If You Don't Make EEG Headbands?

Because the category of "brain-adjacent" data collection is expanding well beyond dedicated neurotechnology hardware. NextSense Smartbuds, launched in February 2026, are the first truly wireless EEG earbuds — they look and function like consumer audio products. The form factor is disappearing into everyday objects. Earbuds, headphones, VR headsets, sleep trackers — the line between "consumer electronics" and "neural data collection device" is getting blurry fast.

The market is scaling accordingly. One estimate pegs the neurotech consumer market at roughly $17 billion in 2026. A CSIS estimate projects the broader neurotechnology market to surpass $38 billion by 2032. The BCI sector alone closed Q1 2026 with over $960 million raised.

And the data practices are not great. A 2024 audit cited in coverage of the Connecticut law found that 96.7 percent of brain-wearable companies share user data with third parties. That's not a typo — 96.7 percent. If you're building anything that touches biosignal data, or integrating with devices that do, the Connecticut model should be your baseline assumption for where regulation is heading.

What Is the "Inference Gap" and Why Is It the Real Story?

The inference gap is the most consequential limitation in Connecticut's law — and in every existing state neural data statute. Here's the problem: the law regulates raw neural signals. It does not separately address what happens when those signals are processed through an AI model to generate inferences about your emotional state, cognitive load, attention level, or mental health status.

Legal commentary on the Connecticut amendment explicitly flags this gap: many device privacy policies do not separately address what happens to AI-derived inferences drawn from brainwave data, and Connecticut's law does not yet require them to.

Think about what that means in practice. A device captures your EEG data — that's regulated. The device maker feeds that data through a machine learning model that outputs "this user is experiencing elevated anxiety" or "this user's attention is declining." That inference — arguably more sensitive and more commercially valuable than the raw signal — exists in a regulatory gray zone.

Any product processing biosignals through an inference layer is creating a new, unregulated category of derived sensitive data. Some states are already trying to close this gap. California's SB 1223 includes language about data "inferred from non-neural sources." Illinois and Vermont are working to write similar inference-aware provisions into pending bills. The next amendment cycle in most states will almost certainly address this — which means if you're storing neural-derived inferences today, you're building a compliance liability for 2027 or 2028.

The responsible architecture — on-device inference where possible, no persistent storage of inference outputs, data minimization at the sensor level — isn't just good engineering. It's the only way to future-proof against the statute that's coming in eighteen months.

What Does "Zero-Threshold Sensitivity" Mean for Everyone Else?

The single most novel mechanic in Connecticut's law isn't the neural-data label itself. It's that once sensitive data categories are involved, no volume threshold applies at all. The floor is gone entirely.

Most privacy statutes include a de minimis trigger — you have to process data on some minimum number of consumers before the law kicks in. Connecticut kept that structure for non-sensitive data. But for sensitive categories — neural, genetic, biometric, disability, gender identity — the threshold is zero. One person. Any volume. Any exposure.

This is likely a preview of how regulators will eventually treat other AI-processed sensitive categories. Consider: voice-derived health inferences (a cough detector that identifies disease markers), biometric-derived emotion data (facial expression analysis in video calls), gait analysis from phone accelerometers. All of these produce data that is arguably as sensitive as EEG readings, and all of them are currently processed at scale with minimal regulatory oversight.

If you're building an AI product today and your compliance strategy includes the phrase "we're too small to be regulated" — you're exposed. The zero-threshold model is where state legislatures are heading for any data category they deem sensitive. The only scalable architecture is one that assumes consent-per-use, opt-in by default, and data minimization at the collection layer, regardless of your current user count.

Is Federal Law Going to Preempt This Patchwork?

No. Not anytime soon. The MIND Act, introduced by senators in late 2025, would direct the FTC to study neural data privacy and recommend national standards. But even if it passes — and it has not advanced beyond committee — it would not impose any obligations on businesses or researchers. It would produce an FTC study and a report. That's it. The IAPP's analysis makes this point clearly: the MIND Act is a study mandate, not a regulatory framework.

Which means states are the only enforceable authority for years to come. And states are moving fast.

A March 2026 tracking analysis by Morrison Foerster identified active neural data bills in Virginia, Alabama, California (a second measure focused on workplace surveillance), New York, Illinois, and Vermont. Each takes a distinct approach:

Four enacted laws. Seven-plus pending bills. No two identical. No federal floor. This is the regulatory environment you're building in.

Why Does the Patchwork Make "Lowest Common Denominator" Compliance Obsolete?

Because the denominators are diverging, not converging. Colorado's law triggers only when neural data is used for identification. California's excludes data inferred from non-neural sources. Connecticut's covers only central nervous system activity. Montana routed its protections through a genetic-information statute rather than a general privacy law. Illinois may add a private right of action — which would make it the BIPA of neural data, with all the litigation exposure that implies.

You can't build one policy that satisfies all of these by meeting only the least restrictive version. A company that meets Colorado's identification-only trigger will be non-compliant in Connecticut, where any processing of CNS data triggers the law. A company that meets Connecticut's central-nervous-system-only scope will be potentially exposed in states with broader peripheral-nervous-system definitions.

The practical move — and this is what we've concluded internally — is to build to the strictest common denominator now. That means:

This isn't compliance overhead. It's the only architecture that doesn't require a rewrite every time a state legislature convenes.

What About International Developments?

The U.S. state patchwork isn't happening in isolation. Chile became the first nation in 2021 to amend its constitution to protect neurorights. Brazil and Mexico have pending neurorights legislative or constitutional proposals. The framing in these international efforts is different — constitutional rights versus statutory categories — but the direction is the same: neural data is being treated as categorically different from other personal data, requiring heightened protection.

If you're building a product with any international user base and any biosignal component, you're looking at converging regulatory pressure from multiple jurisdictions, each with its own definitional approach and enforcement mechanism.

What Is Connecticut's Enforcement Posture?

It's tightening. The Connecticut Attorney General is a member of a multistate Consortium of Privacy Regulators and has publicly committed to investigative sweeps. The statutory cure period — which used to give companies a grace period to fix violations before facing enforcement — expired at the end of 2024. There is no guaranteed cure window once the neural-data provisions activate on July 1, 2026.

Connecticut has also passed companion legislation. SB 4 (Public Act 26-64/26-62), signed May 27, 2026, adds further protections effective October 1, 2026: a ban on selling precise geolocation data, a data broker registration framework, restrictions on surveillance pricing, and expanded genetic data protections. Mintz's analysis notes that the companion bill includes recognition that consumers have a property interest in their biological samples and genetic testing results — a framing that could easily extend to neural data in the next legislative cycle.

The trajectory is clear: Connecticut is building a layered, progressively stricter privacy regime, and it's doing so faster than most companies are updating their compliance programs.

How Should Builders Think About This Right Now?

A few concrete considerations if you're building products that touch biosignal data — or that might in the future:

  1. Audit your data taxonomy. Do you collect any data generated by measuring nervous system activity? This isn't limited to EEG headbands. If you integrate with sleep trackers, VR headsets, or earbuds with biosensors, you may be in scope.
  2. Map your inference pipeline. If raw biosignal data enters a model and an inference comes out, you now have two data objects with potentially different regulatory treatment. Most privacy policies don't distinguish between them. Yours should.
  3. Assume the zero-threshold model is coming for your data category. If you process biometric, health-adjacent, or emotion-derived data of any kind, design your consent and data-handling architecture as if there's no volume floor. Because there won't be.
  4. Don't wait for federal preemption. The MIND Act, if it passes, produces a study. That's it. State enforcement is the reality for 2026, 2027, and likely beyond.
  5. Treat deletion as a first-class engineering requirement. Not just for neural data — for every sensitive category. When a user deletes, the data should be gone. Actually gone. Not flagged, not archived, not retained under a derivative label.

Where We Stand on This

We build Selina as a privacy-first AI assistant. Some of what Connecticut's law demands — consent-per-use, data minimization, real deletion — aligns with choices we made before neural data regulation existed. Files and transfers through SelinaSEND are end-to-end encrypted. Memory is encrypted at rest but is NOT end-to-end encrypted — a slice of each request reaches a frontier provider at inference, and we think it's important to say that plainly rather than imply otherwise. Non-content operational metadata is kept for a short retention window, not stored indefinitely. Accounts are protected; content is encrypted.

We don't process neural data today. We don't claim to have solved the problems described in this piece. But the architectural assumptions behind Connecticut's law — that sensitive data deserves heightened protection regardless of volume, that deletion should be real, that consent should be specific rather than blanket — are assumptions we've built around from the start. The regulatory environment is catching up to what should have been standard practice all along.

The neural data provisions are a signal. Not just about brainwaves — about how legislators are starting to think about any data category where the sensitivity of the information outpaces the maturity of the industry handling it. If you're building AI products, this is the regulatory floor you should be designing for.

If you want to see what privacy-first AI architecture looks like in practice — start a free 7-day trial, no card required.

Frequently Asked Questions

What does Connecticut's Public Act 25-113 actually do?

Signed June 24, 2025 and effective July 1, 2026, it amends the Connecticut Data Privacy Act to add neural data — information from measuring central nervous system activity — to the list of sensitive data categories, alongside biometric, genetic, disability, and other newly added categories like transgender/nonbinary status.

How is 'zero-threshold sensitivity' different from typical privacy law thresholds?

Most privacy statutes only apply once a company processes data on a minimum number of consumers, but Connecticut eliminates that volume floor entirely for sensitive categories, meaning processing even one Connecticut resident's neural, genetic, biometric, or disability data triggers full compliance obligations.

How does Connecticut's neural data definition compare to other states like Colorado and California?

Connecticut's definition is narrower, covering only central nervous system activity, while Colorado and California's provisions can extend to peripheral nervous system activity; Colorado also only applies when biological data is used for identification, and California's SB 1223 excludes data inferred from non-neural sources.

What is the 'inference gap' in Connecticut's law?

The law regulates raw neural signals but doesn't address AI-derived inferences drawn from that data, such as conclusions about emotional state or cognitive load, leaving these arguably more sensitive and valuable outputs in an unregulated gray zone.

Will federal legislation like the MIND Act preempt these state neural data laws?

No — the MIND Act would only direct the FTC to study neural data privacy and recommend standards, imposing no business obligations even if passed, leaving states as the sole enforceable authority for the foreseeable future.

Sources & References

Michael C.

Michael C.

Founder & Principal Engineer, Selina Labs

Michael builds Selina, a privacy-first AI that remembers you across conversations. He ships security-sensitive AI in production — real attacks, real fixes, measured in minutes and dollars — and writes about privacy, security, and LLMs from that seat. Top Rated Plus and expert-verified on Upwork.