All the World's Neural Data, No Common Rule
Consumer neurotechnology is crossing an important threshold in 2026. Devices that read brain and muscle signals, in some cases acting on them in real time, are now shipping to consumers at commercial scale. As with most cutting-edge technologies, existing legal frameworks and terms of service agreements are struggling to catch up. This advisory identifies the potential gaps between neurotech device capabilities and existing federal and state statutes, regulations, common law and contractual frameworks for device makers, consumers, and the general public, and proposes some potential early solutions for policymakers to consider adopting.
All That We See or Seem Is but a Machine Within a Machine
We have been tracking the progress and legal risks of neurotech for the last four years,[1] waiting for broader adoption of the technology. Now, in the first half of 2026, the market for consumer neurotech is finally expanding—and we're here for it. In February, NextSense launched Smartbuds, the first wireless earbuds with embedded electroencephalography (EEG) sensors, which deliver audio stimulation to guide the brain to deeper sleep. InteraXon's Muse headband uses real-time brainwave feedback to guide users through sessions via responsive audio for meditation and sleep. Both devices not only observe neural states; they intervene to change them. At CES 2026, Meta expanded control of the Meta Neural Band beyond its AI glasses to vehicle infotainment controls via a proof-of-concept integration with Garmin, and launched a $150,000-per-team university research initiative studying how users learn to control computers via wrist-based electromyography (EMG). Users in Meta's Early Access program can now send WhatsApp messages by writing with a finger on any surface, while the band detects motor intent before visible movement occurs.
These three examples of neurotech systems do more than collect information about physiological states; they interpret and act on them in real time, functioning increasingly as interfaces rather than passive sensors. Validation and regulatory frameworks struggle to keep pace with these capabilities, however. Industry analysis has highlighted a growing "wearable gap," where sensor capabilities are advancing faster than the evidentiary and analytical standards required to validate them. In the clinical sector where regulations do apply, a 2025 Digital Medicine scoping review questions whether such procedural compliance falls short of meaningfully engaging with the ethical considerations of devices that can directly affect a person's mental state. When it comes to consumer tech, frameworks that may have been sufficient for more rudimentary fitness trackers and smartwatches now need to contemplate the collection and use of neural data.
Neural Data by Any Other Name
One challenge in regulating consumer neurotechnology is the lack of common terminology and the question of how to scope what to regulate. Although some state privacy laws have generally defined "neural data" as sensitive data subject to heightened protections, there is no consistent definition across jurisdictions, and consumer contracts rarely use the term at all. Legislative approaches vary widely: some definitions limit neural data to signals from the central nervous system captured through implanted or contact devices, while others extend to physiological signals from the peripheral nervous system, including wrist-based electromyography (EMG). As a result, whether data generated by devices such as smartwatches, earbuds, or EMG wristbands fall within existing neural data protections often depends on unresolved definitional questions. We wrote last fall about the proposed federal Management of Individuals' Neural Data Act (MIND Act) that would direct the FTC to study the collection and use of data capable of revealing thoughts, emotions, and cognitive states, and provide a standard, federal definition of neural data. The bill has not advanced in the current Congress, and we suspect it won't in an election year.
Until Congress acts, neural data will remain regulated at the federal level only by Section 5 of the Federal Trade Commission (FTC) Act, which prohibits companies from engaging in unfair or deceptive acts or practices. Unlike state privacy laws, the FTC Act does not require companies to post privacy policies or to give consumers the right to access, correct, or delete personal information that the company has collected about them. A comprehensive survey conducted by the Neurorights Foundation (their Safeguarding Brain Data report) in 2024 found that the privacy practices of 29 out of 30 consumer neurotechnology companies appeared to allow access to the consumer's neural data with no meaningful limitations. Seventy-three percent (73%) of those companies had privacy policies on their websites governing the use of neurotechnology products, but 60% of the surveyed companies provided no information to consumers about their neural data specifically (i.e., how it is handled, what rights they have). It is unclear to what extent these neurotechnology companies may be subject to state privacy laws that require clear and conspicuous privacy notices explaining categories of personal data collected, the purposes for which such data is used, and consumers' rights with respect to such data, among other things. If neurotechnology companies are not subject to those laws, the survey identified a potential regulatory gap that policymakers may decide to close.
Oh, the Places States May Go
As emerging technologies increasingly process neural data, some states have begun to develop frameworks specifically designed for the protection of such data. For instance, Vermont Governor Phil Scott recently signed a bill (H. 814) that provides neurological rights to individuals by creating privacy standards for such data and by giving individuals control over the processing of such data by neurotechnologies. Specifically, H. 814 states that Vermont "recognizes that each individual has the right to: (1) mental and neural data privacy; (2) freedom of thought; (3) nondiscrimination in the development and application of neurotechnologies; (4) change an individual's decision regarding neurotechnology and the right to determine by what means to change that decision; (5) be afforded protection from neurotechnological interventions of the mind and from unauthorized access to or manipulation of an individual's brain activity; and (6) be afforded protection from unauthorized neurotechnological alterations in mental functions critical to personality." This new law does not, however, explain how individuals can exercise their rights or how companies must operationalize the processes and procedures necessary to ensure individuals can do so. In addition, this law does not provide an enforcement mechanism or other means of accountability.
Because Innovation Could Not Stop for HIPAA
Neurotech companies typically disclaim medical accuracy in their terms of service and restrict use to personal, non-commercial purposes. However, we have not found any major providers that make explicit prohibitions on the use of device outputs in high-stakes decision-making (e.g., employment determinations, insurance underwriting, or clinical and diagnostic assessments). A disclaimer that a focus-tracking output is "not a medical diagnosis" does not prevent an employer from requesting access to that output, an insurer from seeking it in underwriting, or a court from subpoenaing it in a custody proceeding. Eye-tracking technology is already being deployed in manufacturing environments to capture workers' visual attention patterns, with applications in training, skills transfer, and process efficiency. EMG-based gesture detection raises parallel questions. While the EU AI Act explicitly prohibits AI systems performing emotion recognition in workplace and educational settings, no equivalent federal prohibition exists in the United States.
The federal and state regulatory landscape further exposes gaps for devices that collect mental health or other neurological data: while data that reveals mental health conditions or diagnoses will generally be covered by state privacy laws if linkable to a specific person or device, such coverage remains fragmented. The American Academy of Neurology's March 2026 guidance frames consumer neurotech as a de facto adjunct to clinical treatment, even for devices that disclaim any medical purpose, and that characterization carries potential legal consequences. Yet HIPAA does not apply to a direct-to-consumer device manufacturer with no covered entity in the data chain. Although supplementary regulations exist, like the FTC's Health Breach Notification Rule which expressly covers health applications that track mental health or sleep, and state laws like California's CMIA, Nevada's CHD Law, and Washington's My Health My Data Act, which apply to such devices and provide private rights of action, the results remain highly fragmented and the level of protection for the same highly sensitive data can vary dramatically depending on whether neural data is collected in a clinical or consumer context, and on which state's law applies.
As neural devices expand into vehicles, workplaces, and other embedded environments, the line between consumer and enterprise use continues to blur. There is growing sensitivity around, and potential for secondary uses of, the neurological and behavioral data these systems generate.
Shall We Compare Thee to a Fiduciary?
Against this backdrop, manufacturers, consumers, and others will inevitably end up in a debate over whether meaningful, informed consent was ever obtained to collect and process neural data. Limited federal regulation, inconsistent state definitions, and company agreements that fill any gaps open the door to a different kind of legal argument: that neurotech companies have common law fiduciary obligations to their users, regardless of what their terms of service say. That fiduciary framing is reflected in recent legislative findings in Colorado, which note that the collection of neural data inherently involves involuntary disclosure of information and that individuals who consent to limited uses may still be unaware of the content or quantity of information they are sharing.
There is a growing body of scholarship around whether AI systems and the companies that deploy them should be regulated as fiduciaries. Fiduciary relationships form when one party acts on behalf of another while exercising discretion over a critical resource belonging to that other party, in a context where the beneficiary cannot reasonably monitor what the fiduciary is doing on their behalf. If applied to a consumer neurotech company, it would upend the current system: now, the consumer is expected to read, understand and consent; in a fiduciary system, that burden would shift to the device provider, which would be obligated to act in the user's best interest regardless of what the terms of service say.
Scholars have proposed fiduciary frameworks that, if adopted, could be imposed on digital companies that collect and use end-user data. One scholar, Jack Balkin, has proposed an "information fiduciary" framework for digital companies that collect and use end-user data because of the asymmetries of knowledge, power, and control involved.[2] Under this model, information fiduciaries would owe duties of confidentiality, loyalty, and care. The duty of loyalty would prohibit companies from manipulating users or designing systems that create conflicts of interest including, he argues, promoting addictive behavior. Applied to a device that intervenes in real time to alter a user's sleep or cognitive state, proponents would argue that the duty of loyalty would raise questions that no current agreement addresses. Under an alternative model, another commentator, Katharina Pistor, has argued that the producers of the underlying data should be treated as co-owners of aggregated datasets, with data-harvesting companies holding fiduciary duties as agents over that property.[3]
More recent scholarship has translated these principles into a design framework. Benthall and Shekman's "Designing Fiduciary Artificial Intelligence" proposes that any AI system operating in a fiduciary context should be built to understand the context of its deployment, identify its principals, assess their best interests, and align its behavior accordingly. The duty of loyalty would be operationalized as alignment with those interests, and the duty of care operationalized as adherence to community norms and safe practices. At the same time, the EU Data Governance Act has moved in a parallel direction, employing fiduciary language for data intermediaries who are required to "act in the best interests of the data subjects."
On the other side of the coin, some argue that the neurotech industry should self-regulate, or that the principle of an information fiduciary is too vague to be implemented.[4] Opponents like Lina Khan and David Pozen have argued that the information fiduciary model for technology companies is unworkable because it creates irreconcilable conflicts between duties to users and duties to shareholders.[5]
A distinct but related framework comes from Duke Law Professor Nita Farahany, who has argued for recognition of "cognitive liberty" as a fundamental human right to self-determination over one's own brain and mental experiences, and to be free from mental interference, manipulation, or coercion by others. Under this framework, a right to cognitive liberty would provide a new protection by shielding the identifying information, automatic processes, memories, and mental experiences in an individual's mind from others.
And What New World Begins When Thoughts Are Laid Bare?
We suspect that at any time we will start to see the development of consumer devices and legislation converge—things are getting less hypothetical. Even with legislation often trailing technology, companies with these types of devices should consider their consent, opt-in, and self-governance options sooner rather than later, anticipating that legislative gaps may close at some point, even if unlikely in 2026. States are the likely arbiters of the neural world for a time, at this time, when the mind's circuits are buzzing and thought itself is becoming known without ever speaking one's mind.
[1] Jeremy B. Merkelson, Wendy Kearns, David Rice, and Elyse Sparks, Neurotechnology Works Its Way Forward, 48 SEATTLE U. L. REV. ONLINE 57 (2025); Jeremy Ben Merkelson, Wendy Kearns, Michael Borgia, and Tanner Harris, Neurotechnology in the Workplace: A Futuristic Reality, 9-6 Mealey's Data Privacy Report 18 (2023).
[2] Jack Balkin, The Fiduciary Model of Privacy, 134 Harv. L. Rev. 11 (2020).
[3] Katharina Pistor, Rule by Data: The End of Markets?, 83 Law & Contemp. Probs. 101 (2020).
[4] See generally Mitchell Nemeth, Information Fiduciary Theory and the Market, MEDIUM, Aug. 2022; Julie Cohen, How (Not) to Write a Privacy Law, KN. FIRST AMEND. INST. COLUMBIA UNIV. (2021).
[5] Lina Khan & David Pozen, A Skeptical View of Information Fiduciaries, 133 Harv. L. Rev. 497 (2019).
+++
Wendy Kearns is a partner in the technology practice group at Davis Wright Tremaine LLP and the partner-in-charge of the firm's Seattle office. Elyse Sparks is an associate in the technology practice group at Davis Wright Tremaine. Nancy Libin is a partner in the privacy & security practice group at Davis Wright Tremaine. Jeremy Ben Merkelson is a partner in the employment services practice group at Davis Wright Tremaine. Any commentary or opinions do not reflect the opinions of Davis Wright Tremaine. Copyright © 2026 by Wendy Kearns, Elyse Sparks, Nancy Libin, and Jeremy Ben Merkelson. Responses are welcome.