
Many makers of brain-monitoring headsets and other consumer neurotechnology devices may be playing fast and loose with their privacy and data-sharing policies. An analysis of these companies’ policies shows many gather users’ neural data and maintain the right to share or sell the information without additional permission from users.
The findings come from a by the Neurorights Foundation, a research organisation based in New York. The foundation looked at 30 companies that sell neurotech devices or services directly to consumers with promised benefits such as improving sleep quality or promoting mental health. The majority of the companies are based in the US, Canada, the UK or the European Union.
“Our position is that brain data is at least as sensitive as personal health data,” says , co-founder of the Neurorights Foundation. “Why should people be okay about sharing brain data that can be decoded – if not today then in the future?”
Advertisement
Such consumer-facing devices typically use electroencephalogram (EEG) technology built into a headband or helmet to measure the electrical signals of neurons. A few also rely on infrared light to measure changes in blood oxygen levels.
The Neurorights Foundation found that 29 of the 30 companies appeared to have access to customers’ neural data without providing meaningful limitations on how they are allowed to share that information. Two-thirds allow for the sharing of customer data and almost another third left this unclear, meaning just one company specifically said it would not share customer data.
Furthermore, only 12 of the 30 companies grant customers both the right to withdraw consent for data processing and the right to request data deletion.
Among several companies contacted for comment, a few pushed back against the Neurorights Foundation’s report. The Sweden-based company Flow Neuroscience clarified to żěè¶ĚĘÓƵ that it does not collect any neural data. A representative noted that its transcranial direct current stimulation device has regulatory approval as a medical device in Europe.
A spokesperson for the Canada-based company InteraXon, which offers the Muse neurotech brand, said the company works with organisations such as the Institute of Neuroethics, a think tank based in Atlanta, Georgia, to keep its privacy policies up to date and “to ensure the ethical use of brainwave data to enable scientific progress and improve health outcomes”.
And Tre Azam, founder of the UK-based company MyndPlay, said his company never has access to or stores “brainwave data or any other data” from customers. He described the company’s software as running locally on devices without sending any information to cloud computing servers.
The problem is not necessarily “malicious” neurotech but rather the absence of US government regulations, says Yuste, in comparison with the data privacy protections of the European Union. But that could be changing: Colorado became the first US state to add privacy protections for brain data in April 2024. The Neurorights Foundation is sponsoring similar legislation in California, which could be a “game changer” if it passes, says Yuste.
Still, some researchers suggest that neurotechnology is far from being the most serious data privacy threat. “In my mind, the type of inferences that you can do with consumer [neurotechnology devices] is probably similar to what people can get from just browsing our social media data or looking at our credit card purchases,” says at the Pennsylvania State University.
Neurotechnology is just one of many technologies that “allows companies to collect incredibly fine-grained, revealing information about us”, says at Cornell University in New York. “We should use public concern about new technologies like neurotech to motivate lawmakers to regulate the consumer surveillance industry more broadly.”