Next week, Coloradans will vote on a ballot initiative that, if approved, would create a regulated market for psilocybin in the state. Under this initiative, called Proposition 122, or the Natural Medicine Health Act, psilocybin would be produced in Colorado and administered under supervision at licensed “healing centers.” (Other substances could be added in a few years.) The state would also reduce criminal penalties associated with plants and fungi that produce five psychedelics, allowing them to be cultivated, shared, and consumed at home.
This proposal is arguably the most controversial law in an expanding patchwork of state psychedelic legislation. It has fractured communities in Colorado and beyond, and independent polling suggests voters may be equally divided.
The Prop. 122 campaign says that the initiative will improve the mental health of Coloradans. Research suggests psychedelics could be effective treatments for depression, post-traumatic stress disorder, and substance use conditions. However, therapies approved by the US Food and Drug Administration (FDA) remain years away, and Proposition 122 supporters want to make psychedelics available sooner.
Meanwhile, critics say the campaign is moving too fast. People like Martha Hartney, a Colorado attorney who supports Proposition 122, worry it will produce corporate monopolies like those of state cannabis industries. Denver activists Matthew Duffy and Melanie Rose Rodgers claim out-of-state interests shaped the proposal and funded its campaign without including many Colorado residents, including Black and Indigenous people who were shut out of state cannabis industries. Black and multiracial voters strongly oppose Proposition 122, with over 60 percent saying they’ll reject it, potentially indicating they were not adequately involved in its development.
Vocal debates over Proposition 122 have raised important points on both sides. However, one concern has flown under the radar: the privacy and the surveillance of those who receive psychedelics. And because Colorado’s psychedelic law could become a template for other states, it’s even more important to get psychedelic privacy right.
Federal research and health privacy laws set standards for safety, ethics, and privacy. Some state psychedelic programs, such as those in Texas and Connecticut, dovetail with existing federal policies. Consequently, participants are covered by the Health Insurance Portability and Accountability Act (HIPAA), which safeguards patient information, or the federal Common Rule, which protects people participating in FDA-sanctioned or federally funded research. Published in 1991, the Common Rule outlines basic requirements for obtaining informed consent and ensuring that research proposals comply with ethical standards.
Brett Waters, executive director of Reason for Hope, helped develop the Connecticut law and says its focus on federally sanctioned research was intentional. The bill leverages an existing FDA pathway called expanded access to provide psilocybin and 3,4-Methylenedioxymethamphetamine (MDMA) to veterans, first responders, and health care workers.
In contrast, under Proposition 122, Colorado healing centers will likely fall outside the health care system and skirt federal drug policies and research practices, according to Kayte Spector-Bagdady, a bioethicist, lawyer, and associate director of the Center for Bioethics and Social Sciences in Medicine at the University of Michigan. Spector-Bagdady adds that Proposition 122’s data collection mandate may have more in common with commercial data practices—think Google, Facebook, or 23andMe—which are generally governed by corporate terms of service, privacy policies, and contracts between companies and consumers. Because companies make the rules, they often provide fewer privacy protections.
This is especially concerning given the enormous amount of data Colorado will collect under Proposition 122. The initiative requires the Department of Regulatory Agencies (DORA) to gather sensitive information about clients’ psychedelic experiences at healing centers, which would be a gold mine of psychological data unavailable elsewhere, and a tantalizing prize for advertisers and pharmaceutical companies.
Colorado’s cache of psychedelic data could expose participants to social, legal, and financial risks. Because Proposition 122 does not protect employees who use psychedelics from being fired, clients could lose their jobs if employers learn of their participation. Client information could be hacked or sold and exploited for commercial purposes. Even organizations that claim to help people in crisis have cashed in on their sensitive information. Crisis Text Line, a help line for teens, circumvented a board of medical experts before profiting from client data, landing the company in a highly publicized privacy debacle.
A state-run database of psychedelic client information could easily be accessed by federal agencies such as the Drug Enforcement Administration (DEA) due to a case earlier this year, in which the federal First Circuit Court of Appeals held that the DEA could search a state prescription database without a warrant. The DEA and other agencies likely have more leeway regarding psychedelics because, unlike prescription medications, psychedelics will remain federally illegal if Proposition 122 passes.
“I think it’s really concerning,” said Holly Fernandez Lynch, assistant professor of medical ethics and health policy at the University of Pennsylvania. “I mean, why would you give your information about taking a federally prohibited substance to the government?” she asked.
Psilocybin providers at Colorado healing centers might also face legal and privacy risks. According to Spector-Bagdady and Fernandez Lynch, when researchers contribute to federally funded research, they obtain certificates of confidentiality that protect data they collect from being used as evidence in legal proceedings. However, practitioners in Colorado will likely be ineligible. After they collect client data and share it with DORA, they could be compelled to disclose it in court.
If collecting psychedelic client data poses so many risks, then why do it? A Washington, DC-based political action committee (PAC) called New Approach has spent over $3 million in support of Proposition 122. According to chief of staff Taylor West, New Approach also funds psychedelic campaigns in Oregon, California, New Mexico, New Jersey, Missouri, Indiana, and Washington state.
Representatives of New Approach told me that Colorado’s client data could be used to evaluate the safety and effectiveness of psilocybin. They claimed the data might also persuade insurance companies to cover psilocybin services in Colorado.
However, health policy experts doubt client surveillance could achieve either purpose. Robert Mikos, a law professor and marijuana policy expert at Vanderbilt University, finds the insurance justification “somewhat flimsy.” He said, “no state will cover this under its Medicaid program precisely because they’d be running directly afoul of federal law.”
Daniel Schwarcz, a law professor and insurance expert at the University of Minnesota, agreed with these assessments. “I cannot imagine that any insurer would cover psilocybin in the near future without some considerable peer-reviewed literature demonstrating its effectiveness in a double-blind trial,” said Schwarcz. Data collected from healing center clients in Colorado would not come close to meeting this standard.
Some experts I consulted said data collection could help identify adverse events associated with psilocybin. However, they acknowledged that systems already exist for reporting adverse events, including Colorado Poison Control and the FDA’s MedWatch Program. Both are available to the public and can be used anonymously. Emergency room visits can also be used to track adverse events.
If the purpose of sending psilocybin client data to DORA is to identify adverse events, the system would be redundant. Overall, “the risks outweigh the potential remote benefits,” said Leo Beletsky, professor of law and health sciences at Northeastern University.
New Approach’s Tamar Todd assured me that privacy would be protected by DORA because client data would be de-identified. During de-identification, or “data anonymization,” pieces of information such as name and address are removed to reduce the likelihood of identifying individuals. However, privacy experts agree that de-identified data poses risks because one’s identity can be reattached. According to the American Civil Liberties Union (ACLU), “it is often trivial to re-identify data that has supposedly been de-identified.” And Ari Waldman, a law professor and privacy expert at Northeastern University, has described de-identification as a “rhetorical and marketing tool for tech companies to use when talking about privacy.” Waldman said that de-identification “sounds really good to nonexpert and expert ears alike,” making it “a convenient way for data collectors to say they've done enough to protect our data without actually doing much at all.”
I asked New Approach’s West and Todd whether they would support allowing psilocybin clients in Colorado to opt out of data collection, which would prevent their information from leaving healing centers and being stored in a government database. West declined to comment. Todd said “opting out would undermine the value of the data,” and New Approach cannot pass up the opportunity to collect it. Nevertheless, campaign manager Kevin Matthews told me an opt-out provision could conceivably be created during Proposition 122’s 18-month implementation period. However, that would be up to DORA, the governing agency in Colorado.
The people and organizations that draft psychedelic laws, and state agencies that implement them, should put client privacy first. However, DORA’s counterpart in Oregon, the state health authority, has failed to do so, even though voters passed a psychedelic law that requires client confidentiality.
In 2020, Oregon voters approved Measure 109, which allows for supervised recreational use of psilocybin, called supported adult use. But the state health authority turned Measure 109’s confidentiality requirement on its head. The law voters approved said that no information provided by clients can leave psilocybin centers unless clients provide their consent. However, the agency created a rule requiring clients to share their data as a condition of participating in the psilocybin program. That’s not what the law requires, and it’s not what voters likely envisioned when approving Measure 109. Furthermore, like Crisis Text Line’s use of client information for profit, the Oregon Health Authority’s rule circumvented its expert advisory board.
The Oregon Psilocybin Advisory board makes recommendations to the health authority on rules for implementing Measure 109. In May, the advisory board approved a Client Bill of Rights, which gave clients the ability “to control how their information is processed and used” and a right “to decline participating in research or sharing information with third parties.” The board also created an informed consent document for psilocybin clients. It provided a Statement on Data Collection, which told clients that sharing information, including de-identified data, could reveal their identities and their participation in Oregon’s psilocybin program. In other words, the board recognized that de-identification is not foolproof, and clients should be warned of the risk. The Statement on Data Collection specified that if clients declined to share data, their decision would not affect their ability to receive psilocybin.
However, the health authority overruled the board and deleted data protections in the Client Bill of Rights without explanation. The agency also struck the Statement on Data Collection, suggesting it believes clients should be less informed and have fewer rights than its advisory board recommended. Instead of honoring the voters’ will and its advisory board’s recommendations, the agency added a checkbox to the informed consent document requiring clients to share their data outside the service center for research “and other purposes.” This broad language could allow client data to be used for anything, including commercial exploitation.
David Champion, CEO of Maya Health, a Denver psychedelic software company, told me clients should be allowed to participate in state psychedelic programs without sharing their information. Nevertheless, he felt strongly that data collection was valuable and could help pharmaceutical companies improve their products and services. But he said contributing data should be optional and completely transparent. Moreover, there should be mechanisms to ensure that the results benefit people who contributed the information.
I asked the Oregon Health Authority what would happen if clients declined to share their data. Could they still participate in psilocybin services as recommended by the Oregon advisory board? Communications Officer Erica Heartquist declined to answer that question. She said a new set of rules would be published on November 1, which she would not share before press time.
Heartquist also declined to comment on a secretive data analytics program at Oregon Health Sciences University (OHSU), paradoxically titled the OPEN Project. Several sources said the project is being developed with input from the National Psychedelics Association and Aide Rae, a researcher with Portland’s Legacy Research Institute. Rae, OHSU, and the Legacy Research Institute declined to confirm the program’s existence. Nevertheless, sources familiar with the program said it will administer psychological tests to Oregon clients prior to collecting their data to determine how psilocybin affects them.
There is a sordid history of exploiting people by administering psychedelics and recording the effects. During the infamous MK-ULTRA project, the Central Intelligence Agency (CIA) gave lysergic acid diethylamide (LSD) to college students and observed their performance on psychological tests. In Operation Midnight Climax, the CIA reportedly ran brothels in agency safehouses and surreptitiously dosed the patrons. Agents observed through one-way mirrors.
The Oregon Health Authority may be no intelligence agency, but in collaboration with New Approach and OHSU, it could set the bar for clandestine psychedelic political operations. Unless light is shed on their plans for client surveillance, psilocybin clients in Oregon and Colorado could become unwitting participants in psychological experiments while researchers and corporations watch through figurative one-way mirrors.
Oregon and Colorado's psychedelic laws serve as case studies in client privacy, illustrating why future laws must include stronger protections. For instance, they should incorporate the Oregon advisory board’s recommendations regarding informed consent. Agreeing to share one’s data with outside parties should not be a requirement for participating in state psychedelic programs.
Requests for clients to share data should be made using separate documents that state exactly who the data would be shared with and how it would be used. Vague descriptions like “research and other purposes” do not adequately inform people and are unacceptable. Blanket requests to share all information, de-identified or not, should be avoided. Instead, clients should be asked to renew their permissions every time data might be shared with someone else or used for a different purpose. Importantly, clients must be warned that sharing even de-identified data poses risks. Third parties might learn of their participation in psychedelic programs and there could be social, professional, and legal consequences.
Oregonians must decide whether they’ll participate in the state’s psilocybin program without knowing where their data might go and how it might be used. Members of the public can write to the Oregon Health Authority and urge it to follow the advisory board’s recommendations and return data rights to clients. The agency will publish final rules by year’s end.
Meanwhile, on November 8, Colorado voters must decide whether to approve or reject Proposition 122. They could approve the initiative and demand that data collection be voluntary, meaning clients would elect to share their information and would not be penalized for declining. Voters can write to DORA and make this request. Alternatively, they could reject Proposition 122 and request a law that includes strong privacy protections from the start.
Given the history of abuses in psychedelics research, and their illegal federal status, those who draft psychedelic laws must resist the temptation to monitor and monetize everything.
Because psychedelics reduce inhibitions, the data collected during psychedelic experiences could be more sensitive than typical health information, and Colorado’s and Oregon’s databases could be more valuable than medical records. But clients in Oregon and Colorado might not benefit from the resulting knowledge, which could instead flow only to unnamed businesses, government agencies, and research institutions. Without more transparency and accountability, it’s difficult to know where one’s information will end up.
The risks of psychedelic surveillance outweigh the alleged benefits. If political campaigns want to prove the safety and efficacy of psychedelics, or convince insurance companies to pay for them, there are more responsible and effective ways to achieve those goals. They should invest in FDA-sanctioned research instead of forcing people in states across the country to be guinea pigs in secretive experiments.