Companies handling brain data on US consumers face a new hard compliance date on 1 July 2026, when Connecticut’s Public Act 25-113 takes effect. Connecticut Governor Ned Lamont signed Senate Bill 1295 on 25 June 2025 after Senate passage 33 to 2 and House passage 127 to 15. The Act amends the Connecticut Data Privacy Act to add “any information that is generated by measuring the activity of an individual’s central nervous system” to the statute’s definition of sensitive data. Vermont’s Act 101, signed by Governor Phil Scott on 18 May 2026, takes effect the same day under a separately drafted neurological rights framework. After 1 July, five US states will have active neural data privacy law on the books: Colorado, California, Montana, Connecticut and Vermont.

What Public Act 25-113 changes inside the CTDPA

Public Act 25-113 amends the Connecticut Data Privacy Act, which has been in force since 1 July 2023, on three structural axes that matter for any company handling neural data.

The first axis is the applicability threshold. The original CTDPA applied to controllers processing the personal data of at least 100,000 Connecticut consumers, or 25,000 consumers plus more than 25 percent of gross revenue from the sale of personal data. The amendment replaces that ceiling with three triggers operating in parallel. A controller is now in scope if it processes the personal data of 35,000 consumers, if it processes any sensitive data (regardless of consumer count), or if it offers personal data for sale in trade or commerce. The any-sensitive-data trigger is what makes the neural data category structurally important. A company handling even a single Connecticut consumer’s neural data is now within statutory scope, with no de minimis exemption.

The second axis is the sensitive data category itself. Public Act 25-113 adds neural data to a set of new sensitive-data classes that also includes disability or treatment information, transgender or non-binary status, government-issued identification numbers, and financial-account credentials. Sensitive data triggers heightened processing obligations, the strictest of which is consent before any processing.

The third axis is profiling. The CTDPA previously gave Connecticut consumers the right to opt out of profiling using “solely automated” decisions. Public Act 25-113 expands that to any automated profiling, regardless of whether a human reviews the output. Combined with the neural data addition, the implication for any BCI commercial product that runs decoder inference on Connecticut consumers is direct: the inference itself is profiling, the inputs are sensitive data, and the controller must respect opt-out under the broader trigger.

Public Act 25-113 also requires controllers to disclose whether personal data is used for training large language models, narrows the Gramm-Leach-Bliley Act exemption from entity-level to data-level, and imposes a blanket ban on the sale or targeted advertising of minors’ data. Impact-assessment requirements apply to processing activities created on or after 1 August 2026 rather than retroactively, per the Future of Privacy Forum’s reading of the statute.

Why Connecticut’s neural data definition is the narrowest of the five

Connecticut’s “central nervous system” formulation, as drafted, does not extend to peripheral nervous system signals. Consumer surface electromyography (sEMG) wristbands, which read muscle nerve activity at the wrist rather than activity inside the brain or spinal cord, sit outside the CNS-only definition. The Future of Privacy Forum has framed the cross-state differences as a “neural data Goldilocks problem,” with Colorado, California, Montana, and Vermont each drawing the line at a different point on the central-peripheral-inferred spectrum. Montana’s Senate Bill 163 amended the Montana Genetic Information Privacy Act to add neural data alongside its existing biometric and genetic scope. Vermont’s Act 101 adopts a standalone neurological-rights framing.

The practical implication for BCI companies is that Connecticut’s narrower scope opens an arbitrage. A consumer wrist-worn device that reads peripheral nerve signals is regulated under Colorado, California, Montana and Vermont neural data provisions but not under Connecticut’s. The same company’s implanted cortical interface is regulated under all five.

The five-state patchwork after 1 July

Colorado was first. House Bill 24-1058, signed by Governor Jared Polis on 17 April 2024, took effect on 7 August 2024, amending the Colorado Privacy Act. California followed with Senate Bill 1223, signed by Governor Gavin Newsom on 28 September 2024 and effective 1 January 2025, amending the California Consumer Privacy Act. Montana’s Senate Bill 163 became operative on 1 October 2025. Connecticut’s Public Act 25-113 and Vermont’s Act 101 both come online on 1 July 2026.

The Future of Privacy Forum has described the resulting category as a “neural data Goldilocks problem,” with each jurisdiction drawing the line between protected and unprotected neural information at a different point on the central-peripheral-inferred spectrum. The federal regulatory floor under the Federal Trade Commission Act remains general unfair-or-deceptive-practice authority. The Federal Trade Commission has taken no neural-data-specific enforcement action through Q2 2026 despite an April 2025 letter from Senators Maria Cantwell, Chuck Schumer and Edward Markey calling for one.

What is pending in the 2026 legislative season

Three pending bills carry the highest enforcement-risk architecture and warrant tracking. Alabama House Bill 263, sponsored by Representative Ben Robbins, is a standalone neural data statute scoped to consumer health and fitness applications with state attorney general enforcement, no private right of action. Illinois Senate Bill 2994, sponsored by Senator Rachel Ventura, would extend the Illinois Genetic Information Privacy Act with a BIPA-style private right of action covering neural data, with statutory damages of $2,500 per negligent violation and $15,000 per intentional violation. California Assembly Bill 1221, sponsored by Assembly Member Isaac Bryan, would prohibit employer collection of neural data and adds a private right of action specific to workplace surveillance. Virginia House Bill 654 was tabled on 4 February 2026 and is dead for this session.

The patchwork against the global architecture

The US state-by-state pattern sits inside a global landscape that has hardened around three other regulatory postures over the past year. Chile remains the only jurisdiction worldwide with constitutional neurorights, in force since October 2021, with Brazil drafting parallel constitutional language. The European Union applies the AI Act and the General Data Protection Regulation as horizontal regulators that capture neural data through existing biometric and special-category provisions. China and South Korea operate as Industrial Builders, allocating state capital to BCI commercial scale-up through pricing pathways, industrial clusters and named industry associations.

For any company building a US commercial BCI strategy, the 1 July 2026 milestone is the first compliance date where a Connecticut consumer’s neural data triggers statutory obligations regardless of the company’s size, revenue or processing volume. The threshold removal is what shifts neural data privacy from a comprehensive-law footnote into a binding constraint at small operating scale.

What to watch

The first signal is whether the Connecticut Attorney General issues guidance on neural data processing requirements before or shortly after the 1 July 2026 effective date. Connecticut’s enforcement model is AG-only with no private right of action and an expired cure period. Concrete enforcement guidance from the Office of the Attorney General would set the operating template for controllers in the state.

The second signal is whether Illinois Senate Bill 2994 advances out of its current Assignments-committee referral. A BIPA-style private right of action on neural data would change the US enforcement calculus more than any other pending bill. Illinois’s existing BIPA has produced settlements in the hundreds of millions over biometric data, and the same architecture extended to neural data would create the first credible high-cost enforcement exposure in the category.

The third signal is whether the Federal Trade Commission responds to the April 2025 Senate letter with neural-data-specific guidance or enforcement action. Federal silence to date has been the structural reason state-by-state law has filled the vacuum. A single named enforcement action at federal level would compress the patchwork into a more uniform regulatory floor.

Sources

• Public Act 25-113 (SB 1295) text (Connecticut General Assembly)
• Governor’s Bill Notification 2025-14 (Connecticut Office of the Governor)
• SB 1295 status and roll calls (LegiScan)
• Connecticut amends the Connecticut Data Privacy Act (Hunton Andrews Kurth)
• Connecticut Pierces GLBA Veil, Overhauling Its Omnibus Privacy Law (Perkins Coie)
• The Connecticut Data Privacy Act gets an overhaul, again (Future of Privacy Forum)
• The neural data Goldilocks problem (Future of Privacy Forum)
• Connecticut enacts significant amendments to state’s data privacy law (Husch Blackwell, Byte Back Law)
• Colorado HB 24-1058 enrolled (Colorado General Assembly)
• Vermont Act 101 as enacted (Vermont General Assembly)
• Emerging trends as neural data legislation gains momentum (Morrison Foerster)