
Neural Data Just Became a Sensitive Privacy Category Under State Law — Why That Matters Beyond Wearables
Connecticut's amended data privacy act, signed into law on June 24, 2025, takes effect July 1, 2026. It does something no other U.S. state has done in quite this way: it classifies neural data — information generated by measuring your brain activity — as a sensitive category under a comprehensive privacy statute, with zero volume threshold for compliance. If you process even one Connecticut resident's brainwave data, the full weight of the law applies. That framing matters more than the wearable-device headlines suggest.
Key Takeaways
- Connecticut's Public Act 25-113 adds neural data to its sensitive-data definition alongside biometric, genetic, and disability-related information — and eliminates the consumer-volume floor entirely for sensitive categories, meaning a single user can trigger full compliance obligations.
- The law covers raw central nervous system signals, but a significant gap remains: AI-derived inferences from neural data are not yet separately regulated, creating a new class of unaddressed sensitive derived data.
- With four states now regulating neural data and seven-plus bills pending — each taking a different approach — the only viable architecture is building to the strictest common denominator now, not patching per jurisdiction later.
- Federal legislation (the MIND Act) would not impose any business obligations even if passed; it would only mandate an FTC study, leaving states as the sole enforceable authority for the foreseeable future.
- The "zero-threshold sensitivity" model is likely a preview of how regulators will treat all AI-processed sensitive categories — biometric emotion data, voice-derived health inferences — making privacy-by-design the only scalable compliance architecture.
What Exactly Did Connecticut Do?
Governor Ned Lamont signed Public Act 25-113 on June 24, 2025. Effective July 1, 2026, it amends the Connecticut Data Privacy Act (CTDPA) to add neural data — defined as information generated by measuring the activity of an individual's central nervous system — to the list of sensitive data categories. That list already included genetic data, biometric data, and precise geolocation. The amendment also adds status as transgender or nonbinary, disability and related treatment data, government-issued identification numbers, and certain financial account credentials to the sensitive category.
The important mechanic: once you're dealing with sensitive data, no consumer-volume threshold applies. The old 100,000-consumer floor — which let smaller operators avoid the law's reach — is eliminated for sensitive categories. Process one Connecticut resident's neural data, and you're in scope.
How Does Connecticut's Definition Compare to Other States?
Connecticut's definition is notably narrower than some. It covers only central nervous system activity — the brain and spinal cord. Other states with neural data provisions, including Colorado and California, use definitions that can extend to peripheral nervous system activity as well. The Future of Privacy Forum has described this as a "Goldilocks problem": too broad and you capture every fitness tracker measuring galvanic skin response; too narrow and you miss data that reveals cognitive states through indirect channels.
Connecticut is the fourth U.S. state to specifically regulate neural data. The timeline:
- Colorado amended its privacy law to cover "biological data" effective August 2024, but only when that data is used for identification purposes — a narrower trigger.
- California's SB 1223, effective January 2025, covers nervous-system data but excludes data inferred from non-neural sources.
- Montana took a different path entirely, extending its existing genetic-information privacy law (GIPA) to cover neural data via SB 163, rather than amending a comprehensive consumer privacy statute.
Each approach reflects different assumptions about what neural data is — biometric identifier, health data, or something categorically new. That disagreement across state lines is itself the problem.
Why Does This Matter If You Don't Make EEG Headbands?
Because the category of "brain-adjacent" data collection is expanding well beyond dedicated neurotechnology hardware. NextSense Smartbuds, launched in February 2026, are the first truly wireless EEG earbuds — they look and function like consumer audio products. The form factor is disappearing into everyday objects. Earbuds, headphones, VR headsets, sleep trackers — the line between "consumer electronics" and "neural data collection device" is getting blurry fast.
The market is scaling accordingly. One estimate pegs the neurotech consumer market at roughly $17 billion in 2026. A CSIS estimate projects the broader neurotechnology market to surpass $38 billion by 2032. The BCI sector alone closed Q1 2026 with over $960 million raised.
And the data practices are not great. A 2024 audit cited in coverage of the Connecticut law found that 96.7 percent of brain-wearable companies share user data with third parties. That's not a typo — 96.7 percent. If you're building anything that touches biosignal data, or integrating with devices that do, the Connecticut model should be your baseline assumption for where regulation is heading.
What Is the "Inference Gap" and Why Is It the Real Story?
The inference gap is the most consequential limitation in Connecticut's law — and in every existing state neural data statute. Here's the problem: the law regulates raw neural signals. It does not separately address what happens when those signals are processed through an AI model to generate inferences about your emotional state, cognitive load, attention level, or mental health status.
Legal commentary on the Connecticut amendment explicitly flags this gap: many device privacy policies do not separately address what happens to AI-derived inferences drawn from brainwave data, and Connecticut's law does not yet require them to.
Think about what that means in practice. A device captures your EEG data — that's regulated. The device maker feeds that data through a machine learning model that outputs "this user is experiencing elevated anxiety" or "this user's attention is declining." That inference — arguably more sensitive and more commercially valuable than the raw signal — exists in a regulatory gray zone.
Any product processing biosignals through an inference layer is creating a new, unregulated category of derived sensitive data. Some states are already trying to close this gap. California's SB 1223 includes language about data "inferred from non-neural sources." Illinois and Vermont are working to write similar inference-aware provisions into pending bills. The next amendment cycle in most states will almost certainly address this — which means if you're storing neural-derived inferences today, you're building a compliance liability for 2027 or 2028.
The responsible architecture — on-device inference where possible, no persistent storage of inference outputs, data minimization at the sensor level — isn't just good engineering. It's the only way to future-proof against the statute that's coming in eighteen months.
What Does "Zero-Threshold Sensitivity" Mean for Everyone Else?
The single most novel mechanic in Connecticut's law isn't the neural-data label itself. It's that once sensitive data categories are involved, no volume threshold applies at all. The floor is gone entirely.
Most privacy statutes include a de minimis trigger — you have to process data on some minimum number of consumers before the law kicks in. Connecticut kept that structure for non-sensitive data. But for sensitive categories — neural, genetic, biometric, disability, gender identity — the threshold is zero. One person. Any volume. Any exposure.
This is likely a preview of how regulators will eventually treat other AI-processed sensitive categories. Consider: voice-derived health inferences (a cough detector that identifies disease markers), biometric-derived emotion data (facial expression analysis in video calls), gait analysis from phone accelerometers. All of these produce data that is arguably as sensitive as EEG readings, and all of them are currently processed at scale with minimal regulatory oversight.
If you're building an AI product today and your compliance strategy includes the phrase "we're too small to be regulated" — you're exposed. The zero-threshold model is where state legislatures are heading for any data category they deem sensitive. The only scalable architecture is one that assumes consent-per-use, opt-in by default, and data minimization at the collection layer, regardless of your current user count.
Is Federal Law Going to Preempt This Patchwork?
No. Not anytime soon. The MIND Act, introduced by senators in late 2025, would direct the FTC to study neural data privacy and recommend national standards. But even if it passes — and it has not advanced beyond committee — it would not impose any obligations on businesses or researchers. It would produce an FTC study and a report. That's it. The IAPP's analysis makes this point clearly: the MIND Act is a study mandate, not a regulatory framework.
Which means states are the only enforceable authority for years to come. And states are moving fast.
A March 2026 tracking analysis by Morrison Foerster identified active neural data bills in Virginia, Alabama, California (a second measure focused on workplace surveillance), New York, Illinois, and Vermont. Each takes a distinct approach:
- Some use data-broker frameworks.
- Some amend existing biometric privacy laws.
- Some create standalone neural data statutes.
- Illinois's SB 2994 notably includes a private right of action — meaning individuals could sue directly rather than relying on the state attorney general to enforce.
Four enacted laws. Seven-plus pending bills. No two identical. No federal floor. This is the regulatory environment you're building in.
Why Does the Patchwork Make "Lowest Common Denominator" Compliance Obsolete?
Because the denominators are diverging, not converging. Colorado's law triggers only when neural data is used for identification. California's excludes data inferred from non-neural sources. Connecticut's covers only central nervous system activity. Montana routed its protections through a genetic-information statute rather than a general privacy law. Illinois may add a private right of action — which would make it the BIPA of neural data, with all the litigation exposure that implies.
You can't build one policy that satisfies all of these by meeting only the least restrictive version. A company that meets Colorado's identification-only trigger will be non-compliant in Connecticut, where any processing of CNS data triggers the law. A company that meets Connecticut's central-nervous-system-only scope will be potentially exposed in states with broader peripheral-nervous-system definitions.
The practical move — and this is what we've concluded internally — is to build to the strictest common denominator now. That means:
- Consent per use, not blanket consent at onboarding.
- Opt-in by default for any collection of data that could be classified as neural, biometric, or biosignal-derived.
- Data minimization at the sensor level — collect only what the current computation requires, not what might be useful later.
- Separate handling of inferences — even if current law doesn't require it, future law will.
- Deletion that means deletion — not archival, not anonymization, not retention under a different label.
This isn't compliance overhead. It's the only architecture that doesn't require a rewrite every time a state legislature convenes.
What About International Developments?
The U.S. state patchwork isn't happening in isolation. Chile became the first nation in 2021 to amend its constitution to protect neurorights. Brazil and Mexico have pending neurorights legislative or constitutional proposals. The framing in these international efforts is different — constitutional rights versus statutory categories — but the direction is the same: neural data is being treated as categorically different from other personal data, requiring heightened protection.
If you're building a product with any international user base and any biosignal component, you're looking at converging regulatory pressure from multiple jurisdictions, each with its own definitional approach and enforcement mechanism.
What Is Connecticut's Enforcement Posture?
It's tightening. The Connecticut Attorney General is a member of a multistate Consortium of Privacy Regulators and has publicly committed to investigative sweeps. The statutory cure period — which used to give companies a grace period to fix violations before facing enforcement — expired at the end of 2024. There is no guaranteed cure window once the neural-data provisions activate on July 1, 2026.
Connecticut has also passed companion legislation. SB 4 (Public Act 26-64/26-62), signed May 27, 2026, adds further protections effective October 1, 2026: a ban on selling precise geolocation data, a data broker registration framework, restrictions on surveillance pricing, and expanded genetic data protections. Mintz's analysis notes that the companion bill includes recognition that consumers have a property interest in their biological samples and genetic testing results — a framing that could easily extend to neural data in the next legislative cycle.
The trajectory is clear: Connecticut is building a layered, progressively stricter privacy regime, and it's doing so faster than most companies are updating their compliance programs.
How Should Builders Think About This Right Now?
A few concrete considerations if you're building products that touch biosignal data — or that might in the future:
- Audit your data taxonomy. Do you collect any data generated by measuring nervous system activity? This isn't limited to EEG headbands. If you integrate with sleep trackers, VR headsets, or earbuds with biosensors, you may be in scope.
- Map your inference pipeline. If raw biosignal data enters a model and an inference comes out, you now have two data objects with potentially different regulatory treatment. Most privacy policies don't distinguish between them. Yours should.
- Assume the zero-threshold model is coming for your data category. If you process biometric, health-adjacent, or emotion-derived data of any kind, design your consent and data-handling architecture as if there's no volume floor. Because there won't be.
- Don't wait for federal preemption. The MIND Act, if it passes, produces a study. That's it. State enforcement is the reality for 2026, 2027, and likely beyond.
- Treat deletion as a first-class engineering requirement. Not just for neural data — for every sensitive category. When a user deletes, the data should be gone. Actually gone. Not flagged, not archived, not retained under a derivative label.
Where We Stand on This
We build Selina as a privacy-first AI assistant. Some of what Connecticut's law demands — consent-per-use, data minimization, real deletion — aligns with choices we made before neural data regulation existed. Files and transfers through SelinaSEND are end-to-end encrypted. Memory is encrypted at rest but is NOT end-to-end encrypted — a slice of each request reaches a frontier provider at inference, and we think it's important to say that plainly rather than imply otherwise. Non-content operational metadata is kept for a short retention window, not stored indefinitely. Accounts are protected; content is encrypted.
We don't process neural data today. We don't claim to have solved the problems described in this piece. But the architectural assumptions behind Connecticut's law — that sensitive data deserves heightened protection regardless of volume, that deletion should be real, that consent should be specific rather than blanket — are assumptions we've built around from the start. The regulatory environment is catching up to what should have been standard practice all along.
The neural data provisions are a signal. Not just about brainwaves — about how legislators are starting to think about any data category where the sensitivity of the information outpaces the maturity of the industry handling it. If you're building AI products, this is the regulatory floor you should be designing for.
If you want to see what privacy-first AI architecture looks like in practice — start a free 7-day trial, no card required.
Frequently Asked Questions
What does Connecticut's Public Act 25-113 actually do?
Signed June 24, 2025 and effective July 1, 2026, it amends the Connecticut Data Privacy Act to add neural data — information from measuring central nervous system activity — to the list of sensitive data categories, alongside biometric, genetic, disability, and other newly added categories like transgender/nonbinary status.
How is 'zero-threshold sensitivity' different from typical privacy law thresholds?
Most privacy statutes only apply once a company processes data on a minimum number of consumers, but Connecticut eliminates that volume floor entirely for sensitive categories, meaning processing even one Connecticut resident's neural, genetic, biometric, or disability data triggers full compliance obligations.
How does Connecticut's neural data definition compare to other states like Colorado and California?
Connecticut's definition is narrower, covering only central nervous system activity, while Colorado and California's provisions can extend to peripheral nervous system activity; Colorado also only applies when biological data is used for identification, and California's SB 1223 excludes data inferred from non-neural sources.
What is the 'inference gap' in Connecticut's law?
The law regulates raw neural signals but doesn't address AI-derived inferences drawn from that data, such as conclusions about emotional state or cognitive load, leaving these arguably more sensitive and valuable outputs in an unregulated gray zone.
Will federal legislation like the MIND Act preempt these state neural data laws?
No — the MIND Act would only direct the FTC to study neural data privacy and recommend standards, imposing no business obligations even if passed, leaving states as the sole enforceable authority for the foreseeable future.
Sources & References
- Connecticut Data Privacy Act Updates Go Into Effect This Year : Moore & Van Allen
- Connecticut Amends the Connecticut Data Privacy Act
- Connecticut Expands Its Privacy Law: What PA 25-113 Means Starting July 1 | Recording Law
- Connecticut Revamps Its Privacy Law (Again) | Privacy and Cybersecurity Client Alert | Intelligence | Shook, Hardy & Bacon
- Connecticut Data Privacy Act: 2026 Amendments - Law Offices of Snell & Wilmer
- Connecticut Classifies Brain Data as Sensitive Starting July 1: New Rights for EEG Wearable Users
- Connecticut Overhauls Its Privacy Law: What Businesses Need to Know | Mintz
- Connecticut Broadens Data Privacy Act Requirements Effective July 1, 2026 | Benesch Law
- Connecticut's 2026 Privacy Law Amendments Expand Scope and Raise Compliance Expectations | Blog | OneTrust
- Connecticut Dramatically Expands Its Data Privacy Act: What Businesses Need to Know Now | Foley & Lardner
- 1 BRIEFING NOTE U.S. STATE LEGISLATION TO PROTECT NEURAL DATA Overview
- Emerging Trends as Neural Data Legislation Gains Momentum Across the States | Morrison Foerster
- US States Build Patchwork of Neural Data Privacy Laws as BCI Market Accelerates | Inside BCI
- The “Neural Data” Goldilocks Problem: Defining “Neural Data” in U.S. State Privacy Laws
- Your Brain, Their Rules: The Growing Patchwork of Neural Data Regulation // Cooley // Global Law Firm
- "You Read My Mind": Neural Data and the New Wave of Biometric Privacy Protections | Bass, Berry & Sims PLC
- 3 New Privacy Laws in 2026: What Website Owners Must Know
- Risk Management Magazine - State of Mind: The New Landscape of Neural Data Privacy Laws
- More States Propose Privacy Laws Safeguarding Neural Data | Morrison Foerster
- State Privacy Laws: 2026 Changes & Compliance
- Text - S.2925 - 119th Congress (2025-2026): MIND Act of 2025 | Congress.gov | Library of Congress
- When Thought Becomes Data: The MIND Act and the Coming Debate Over Neurotechnology | CSIS
- Congress Introduces Neural Data Bill | Inside Privacy
- U.S. Senators Propose "MIND Act" to Study and Recommend National Standards for Protecting Consumers' Neural Data | Davis Wright Tremaine
- Senators ask FTC to study neurotechnology's promises, implications | IAPP
- US SB2925 | 2025-2026 | 119th Congress | LegiScan
- MIND Act of 2025 (S. 2925) - GovTrack.us
- Sens. Cantwell, Schumer, Markey Introduce Legislation to Shield Americans’ Brain Data From Exploitation - U.S. Senate Committee on Commerce, Science, & Transportation
- Congress Introduces Neural Data Bill - Lexology
