Connecticut Amends Consumer Privacy Law to Protect Health Data and Child Online Safety | Practical Law

Connecticut has enacted a new law amending the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) to protect Connecticut residents' health data. It also imposes new requirements to improve child online safety.

by Practical Law Data Privacy & Cybersecurity
Published on 13 Jun 2023 | Connecticut
On June 12, 2023, Connecticut Governor Ned Lamont signed SB 3, which amends the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) to add privacy protections for Connecticut consumers' health data. It also contains new requirements concerning child online safety and social media profiles.

CTDPA Health Data Amendments

SB 3 amends the CTDPA to cover consumer health data, defined as personal information that is linked or reasonably linkable to an identified or identifiable individual and identifies a consumer's physical or mental health condition or diagnosis. The term includes but is not limited to gender-affirming health data and reproductive or sexual health data. It does not include deidentified data or publicly available information.
SB 3 also amends the CTDPA to apply to consumer health data controllers, defined as any controller that determines the purpose and means of processing consumer health data, whether alone or jointly with others. As a result, consumer health data controllers will be subject to the same statutory obligations as other data controllers and processors under the CTDPA, even if they would otherwise be excluded by the jurisdictional thresholds set out in Conn. Gen. Stat. Ann. § 42-516. For more information about the CTDPA's application and statutory obligations, see Practice Note, Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) Quick Facts: Overview and Legal Update, Connecticut Enacts Consumer Privacy Act.
SB 3 imposes new requirements designed to protect consumer health data. Specifically, it prohibits regulated individuals and entities from:
  • Providing employees or contractors access to consumer health data unless they are subject to a contractual or statutory duty of confidentiality.
  • Providing processors with access to consumer health data unless both the regulated entity and processor comply with the CTDPA.
  • Selling or offering to sell consumer health data without first obtaining consumers' consent.
  • Geofencing around any health facility or reproductive or sexual health facility to:
    • identify or track consumers seeking health care services;
    • collect consumer health data; or
    • send consumers health data or health care service-related notifications, messages, or advertisements.
SB 3 also amends the CTDPA's definition of sensitive data to include consumer health data and data concerning an individual's status as a crime victim and prohibits processing this data without obtaining consumers' prior consent.
SB 3's amendments do not apply to:
  • Data collection, processing, sale, or disclosure activity regulated by certain laws, including:
  • Any Connecticut body, authority, board, bureau, commission, district, or agency, or any political subdivision. This includes anyone contracted to process consumer health data on the government's behalf.
  • Institutions of higher education.
  • National securities associations registered under 15 U.S.C. § 78o-3 of the Securities Exchange Act of 1934.
  • Financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act.
  • Covered entities or business associates as defined in HIPAA regulations.
  • Tribal nation government organizations.
  • Air carriers, as defined by the Federal Aviation Act of 1958 and Airline Deregulation Act (49 U.S.C. § 40101; 49 U.S.C. § 41713).
SB 3's amendments take effect on July 1, 2023, the same day as the CTDPA.

Child Online Safety Requirements

In addition to its CTDPA amendments, SB 3 contains several new restrictions on controllers that have actual knowledge or willfully disregard that they offer online services, products, or features to Connecticut minors under 18 years old. Specifically, these online controllers must use reasonable care to avoid any heightened risk of harm to minors and must not:
  • Process minors' personal data without the appropriate consent for:
    • targeted advertising;
    • the sale of personal data; or
    • profiling in furtherance of any fully automated decision that produces a legal or significant effect regarding certain services.
  • Process:
    • minors' personal data unless doing so is necessary to provide the relevant online service, product, or feature; or
    • minors' personal data for longer than necessary to provide the relevant online service, product, or feature.
  • Use system design features to increase, sustain, or extend any minor's use of such online service, product, or feature.
  • Use any consent mechanism that is designed or manipulated to substantially subvert or impair user autonomy, decision-making, or choice.
  • Collect minors' precise geolocation data without the appropriate consent, unless they meet specific requirements.
  • Offer direct messaging systems for minors without providing readily accessible and easy-to-use safeguards that limit adults' ability to send minors unsolicited communications.
SB 3 also requires online controllers to conduct data protection assessments consistent with statutory requirements that address:
  • The purpose of their service, product, or feature.
  • The categories of minors' personal data they process and the purpose for the collection.
  • Any heightened risk of harm to minors that is a reasonably foreseeable result of their service, product, or feature.
SB 3's provisions about child online safety contain the same exemptions as its CTDPA amendments, except for the exemption for government contractors that process consumer health data on the government's behalf.
SB 3 provides the Connecticut attorney general with exclusive authority to enforce its child online safety provisions, which take effect on October 1, 2024 and do not contain a private right of action. From October 1, 2024 to December 31, 2025, before initiating any action for a violation, the attorney general must issue a notice of violation to the controller if they determine a cure is possible. If the controller fails to cure the violation within 30 days of receiving notice, the attorney general may bring an action against them. Beginning January 1, 2026, the attorney general has discretion as to providing the opportunity to cure an alleged violation, taking into consideration:
  • The number of violations alleged.
  • The controller's or processor's size and complexity.
  • The nature and extent of the processing activities.
  • The substantial likelihood of injury to the public.
  • The safety of individuals or property.
  • Whether human or technical error likely caused the alleged violation.
  • The sensitivity of the data.

Social Media Profile Requirements

SB 3 also contains a provision requiring social media platforms to comply with minors' and parents' requests to unpublish or delete their social media accounts. They must also clearly describe a reliable means of making the requests in a privacy notice. SB 3 provides the Connecticut attorney general with exclusive authority to enforce this provision, which takes effect on July 1, 2024 and does not contain a private right of action.