
Neurorights and the Ethics of Reading the Brain
Brain-computer interfaces raise unprecedented questions about mental privacy, cognitive liberty, identity, and equitable access. Law and norms are only beginning to confront these questions - and consumer neurotechnology, which is regulated far more loosely than medical devices, is making them urgent.
Key facts
- Chile constitutionally protected neurorights in 2021 - the first country worldwide to do so.
- UNESCO adopted a Recommendation on the Ethics of Neurotechnology in November 2025.
- Colorado HB 24-1058 (2024) and California SB 1223 (2024) classify neural data as sensitive personal information.
- OECD's 2019 Recommendation on Responsible Innovation in Neurotechnology remains the leading member-state framework.
- Multiple peer-reviewed reports document DBS-related personality changes in a minority of patients.
- Yuste's five neurorights (identity, agency, mental privacy, fair access, algorithmic protection) are the dominant policy reference.
- Italy's Garante and Chile's regulator have already issued enforcement actions against consumer neurotech deployments.
The Neurorights Framework
Rafael Yuste (Columbia, NeuroRights Foundation) and colleagues have proposed a five-right framework that has become the de facto policy reference worldwide: (1) personal identity, (2) agency, (3) mental privacy, (4) fair access to mental augmentation, and (5) protection from algorithmic bias.
Chile became the first country to constitutionally protect neurorights through a 2021 amendment to Article 19 of its Constitution. Spain has incorporated digital and neurorights into its 2018 Digital Rights Charter; Brazil, Mexico, and Argentina have all advanced parallel legislation through 2023-2025.
UNESCO adopted a global Recommendation on the Ethics of Neurotechnology in November 2025 - the first instrument of its kind at the UN level. The OECD's 2019 Recommendation on Responsible Innovation in Neurotechnology remains the leading framework for member-state policy.
Mental Privacy
Even crude consumer EEG (Muse, Emotiv, Neurable, Mendi) can reveal information about emotional state, attention level, certain medical conditions (epileptiform activity, sleep architecture), and reactions to specific stimuli. The technical possibility of involuntary inference about mental content - what a person is attending to, whether they recognise a face, whether they intend to deceive - is no longer purely theoretical for some narrow tasks.
Colorado HB 24-1058 (signed April 2024) became the first US state law to explicitly classify neural data as 'sensitive personal information' under that state's privacy framework. California's Senate Bill 1223 (signed September 2024) added neural data to the categories protected under the CCPA. Minnesota and New Hampshire introduced similar bills in 2025.
The EU's GDPR already treats brain-related health information as a special category of personal data. The proposed EU AI Act's high-risk categorisation and Article 5 prohibitions further constrain emotion recognition and biometric inference in some contexts.
Identity, Agency, and Authenticity
Closed-loop stimulation that modulates mood or behaviour raises identity-altering possibilities and complicates legal notions of responsibility, consent, and authenticity of action. The literature on DBS-induced personality change is small but growing; a minority of DBS recipients report altered self-perception or interpersonal dynamics post-implant.
These reports are reshaping informed-consent practice. Many DBS programs now use formal preoperative neuropsychiatric assessment, post-operative monitoring for personality change, and structured shared-decision-making tools.
Legal scholarship (Bublitz, Merkel; Ienca; Wexler) explores how concepts such as cognitive liberty, mental integrity, and authenticity of decision-making should translate into criminal-responsibility and contract-law doctrines as neurotechnology becomes more capable.
Equity, Access, and the Neuro-Divide
Implanted BCIs in current clinical practice cost USD 100,000 to 500,000 per patient. Access depends on insurance, geography, surgical infrastructure, and clinical-trial enrolment - a combination that risks a sharp 'neuro-divide' if and when therapies become elective enhancements.
The WHO Global Initiative on Brain Health, UNESCO's neurotechnology workstream, and the OECD's Working Party on Bio- Nano- and Converging Technologies are coordinating to set minimum norms before consumer neurotech proliferates.
Low- and middle-income country access to even mature neuromodulation therapies (cochlear implants, DBS) remains highly uneven; the WHO estimates that the global cochlear-implant gap exceeds 90% of eligible candidates in many regions.
Workplace and Consumer Neurotech
Employer-mandated EEG monitoring is no longer hypothetical. Documented deployments in long-haul trucking, mining, and manufacturing - particularly in Australia and China - have raised consent and surveillance concerns now, not in the future.
Italy's data-protection authority (Garante) and Chile's neurorights regulator have issued enforcement actions against specific consumer-neurotechnology deployments. The European Data Protection Board is preparing guidance on neural data under the GDPR.
The Future of Privacy Forum's 2024 brain-data report and the Neuroethics Working Group's recommendations are emerging as practical reference standards for employers, schools, and consumer-product companies.
Security and Adversarial Threats
Wireless implanted devices have been shown in security research to be vulnerable to passive eavesdropping and, in some demonstrated cases, active interference (Halperin et al., IEEE 2008, on cardiac implants; subsequent work on insulin pumps and DBS systems). Industry response has improved encryption and authentication, but the surface area continues to grow.
Adversarial machine learning attacks against neural decoders are a distinct and underexplored threat class. Robust decoding under adversarial conditions is an active research direction.
Frequently asked
Can my brain be hacked?
+
Highly invasive implanted systems with wireless interfaces are theoretically attackable and academic security research has demonstrated vulnerabilities in analogous classes of implants (cardiac, insulin). Manufacturers have responded with stronger encryption and authentication, but the attack surface continues to grow as BCIs gain connectivity. Non-invasive consumer EEG devices raise distinct and serious data-privacy concerns even without active hacking.
Do I own my brain data?
+
Increasingly yes, by law. Colorado (2024) and California (2024) now classify neural data as sensitive personal information. EU law treats brain-related health data as a special category under GDPR. Most US federal law and many other jurisdictions remain incomplete or silent on neural data ownership - a gap that ongoing legislation aims to close.
Can BCI data be subpoenaed in court?
+
Yes, in principle, neural data is discoverable like any other recorded data, subject to applicable health-privacy protections and evolving sensitive-data rules. Several neurorights frameworks aim to give brain data special legal protection that would raise the bar for compelled disclosure, but no jurisdiction has yet enacted a comprehensive shield.
What are Yuste's five neurorights?
+
Personal identity, agency, mental privacy, fair access to mental augmentation, and protection from algorithmic bias. Proposed by Rafael Yuste and the NeuroRights Foundation at Columbia University, this framework has been adopted in whole or in part by Chile, Spain, Brazil, and several other jurisdictions, and is referenced in the UNESCO Recommendation on the Ethics of Neurotechnology.
Is consumer neurotech regulated?
+
Less than medical neurotech. Devices that make only general-wellness claims (focus, relaxation, meditation aid) typically fall outside FDA medical-device jurisdiction in the US. Marketing claims of medical benefit shift a product into the FDA's regulatory scope. The EU MDR, EU AI Act, and emerging state-level brain-data laws are progressively expanding consumer-neurotech regulation.
What is cognitive liberty?
+
Cognitive liberty is the legal and ethical principle that individuals have the right to control their own mental processes, cognition, and consciousness - including the right to refuse unwanted interference with mental states via drugs, stimulation, or surveillance. It is the philosophical foundation underlying much of the neurorights movement.
Sources & further reading
The NeuroRights Foundation
Columbia University
UNESCO Recommendation on the Ethics of Neurotechnology (2025)
UNESCO
Colorado HB 24-1058 - Neural Data Privacy
Colorado General Assembly
California SB 1223 - Neural data amendment to CCPA
California Legislature
OECD Recommendation on Responsible Innovation in Neurotechnology
OECD
Yuste et al. - Four ethical priorities for neurotechnologies and AI (Nature, 2017)
Nature
Continue in this series
Foundations
Brain-Computer Interfaces: An Overview
Industry
Neuralink, Synchron, and the BCI Industry
Therapeutics
Neural Implants and Stimulation
Frontier
Memory Prosthetics and Cognitive Augmentation
Outlook
The Future of Brain-Computer Interfaces
Related across BRAINMATTER
Cornerstone pages on the same topics — across other authority hubs.
Cognition & Neuroscience
Human Intelligence hub
Cognitive neuroscience for the modern mind.
Cognition & Neuroscience
The Future of Human Intelligence
Neuroplasticity, memory, and the 25-year outlook.
Cognition & Neuroscience
Neurodivergence
Cognitive variation across autism, ADHD, and dyslexia.
Cognition & Neuroscience
Glossary of cognitive terms
Authoritative definitions for the science.
