Covered companies will need to take additional steps to comply with the law in light of the new obligations relating to consumer health data and minors under 18 years old.
On June 6, 2023, the Connecticut legislature passed Substitute Senate Bill No. 3 (SB3), which significantly amends the Connecticut Data Privacy Act (CTDPA), thereby broadening its reach. While the CTDPA took effect on July 1, 2023, the amendments do not yet apply.
The provisions in SB3 concerning consumer health data were originally drafted to take effect on July 1, 2023, alongside the rest of the CTDPA. However, a day after SB3 passed, the state budget bill amended the provisions related to consumer health data. The provisions will now take effect on October 1, 2023.
Separately, the requirements for dating app operators will take effect on January 1, 2024; the requirements for social media platforms will take effect on July 1, 2024; and the requirements for online providers of services, products, or features used by minors under 18 will take effect on October 1, 2024.
The amendments to the CTDPA follow in the footsteps of recently enacted legislation in other US states related to health data, social media usage, and the data of minors. SB3 affects not only companies that meet the threshold of the CTDPA, but also any company that processes personal data of Connecticut residents under 18 and/or health data about Connecticut residents — meaning the amended CTDPA will apply more broadly than the original CTDPA (and many other state privacy laws).
Companies that previously did not meet the CTDPA’s applicability thresholds but collect health data or the data of minors under 18 should review SB3 and, if subject to the new requirements, take the steps necessary to comply. This will involve:
- For companies already subject to the CTDPA: Extending or creating affirmative consent mechanisms to cover the new categories of “sensitive data.”
- For companies that collect health data about Connecticut residents: Determining whether they collect or process “consumer health data” and, if so, ensuring permissible processing of such data and including specific restrictions in contracts with third parties with whom they share such data.
- For companies that knowingly (or with willful disregard) collect personal data from minors under 18: Ensuring permissible processing of minors’ data and conducting data protection assessment(s) related to the processing of such data.
- For social media platforms with minors under 18 as users: Ensuring sufficient mechanisms are in place to promptly unpublish or delete accounts upon request.
Consumer Health Data
SB3 expands the existing concept of “sensitive data” to include “consumer health data,” which is broadly defined as “personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis.” Notably, this definition is narrower than that of Washington State’s My Health, My Data Act, which defines “consumer health data” to include any “personal information” that is “linked or reasonably linkable to a consumer” and that “identifies the consumer’s past, present or future physical or mental health status.” In contrast, under SB3, the data must be used to identify a health condition or diagnosis. Therefore, data that could be used for that purpose, but is not, would arguably fall outside of the Connecticut definition. The Connecticut definition also specifically includes “gender-affirming health data” and “reproductive or sexual health data,” with these terms defined as follows:
- Gender-affirming health data is any personal data related to a consumer’s effort to seek, or a consumer’s receipt of, any gender-affirming health care services (including any medical care related to the treatment of gender dysphoria).
- Reproductive or sexual health data is any personal data related to a consumer’s effort to seek, or a consumer’s receipt of, any health care-related services or products concerning a consumer’s reproductive systems or sexual well-being. This includes any service rendered or product provided relating to health conditions, medical history, test results, social or medical interventions, surgery or procedures, the use or purchase of a medication, vital signs or symptoms, or abortions (including medical and nonmedical services, products, diagnostics, counseling, or follow-up services for an abortion).
The above definitions expand the scope of consumer health data (and, consequently, sensitive data) with respect to gender-affirming, reproductive, or sexual health data, as they do not require the data to be used to identify a health condition or diagnosis. The CTDPA as amended continues to exempt protected health information subject to the Health Insurance Portability and Accountability Act.
Notably, unlike other obligations under the CTDPA, the consumer health data requirements apply to all consumer health data controllers, regardless of whether they meet the CTDPA’s applicability threshold. A “consumer health data controller” is any controller that processes consumer health data about a Connecticut resident and either conducts business in Connecticut or produces products or services targeting Connecticut residents. These requirements prohibit consumer health data controllers from:
- providing employees/contractors with access to consumer health data unless they are subject to a contractual or statutory duty of confidentiality;
- providing any processor with access to consumer health data unless the parties enter a contract that meets the CTDPA’s existing requirements;
- using geofencing to create a virtual boundary that is within 1,750 feet of any healthcare facility (defined as a facility in which at least 70% of products or services provided are mental health services or reproductive or sexual health care services) for the purpose of identifying, tracking, collecting data from, or sending notifications to a consumer regarding their consumer health data; or
- selling, or offering to sell, consumer health data without first obtaining opt-in consent that meets the CTDPA standard.
Since SB3 expands the scope of “sensitive data” to include consumer health data, companies that meet the CTDPA’s existing thresholds and that must comply with the CTDPA’s obligations related to sensitive data must now understand that those obligations extend to consumer health data. These obligations include requirements such as obtaining consent prior to processing sensitive data, providing an effective mechanism to revoke consent, and ceasing processing of such data as soon as possible (and no later than 15 days) upon receipt of the request.
SB3 expands the definition of “sensitive data” to include data concerning an individual’s status as a victim of a crime. Under existing Connecticut law, a “victim of a crime” is an individual who suffers direct or threatened physical, emotional, or financial harm as a result of a crime and includes (i) immediate family members of a minor, incompetent individual, or homicide victim and (ii) a homicide victim’s designated decision maker. This aspect of the definition is unlikely to significantly impact the regular operations of many companies.
Personal Data of Minors
SB3 imposes obligations on the processing of data regarding “minors,” who are defined as consumers under 18 years old.
For social media platforms (effective July 1, 2024):
Social media platforms that are used by Connecticut minors under 18 will be required to provide the following rights to such minors (or the minor’s parent or legal guardian for minors under 16 years old).
- Right to unpublish: The right to request that the minor’s social media platform account be “unpublished” (i.e., removed from public visibility). An operator that receives such a request must unpublish the account within 15 days of receipt of the request.
- Right to delete: The right to request deletion of the minor’s social media account. An operator that receives such a request must delete and cease processing the minor’s personal data within 45 days. Social media platform providers may extend the period to comply with such a request by another 45 days if reasonably necessary given the complexity and number of requests they have received and if they inform the minor (or parent / legal guardian if under 16 years old).
For any provider of online services, products, or features (effective October 1, 2024):
Controllers offering an online service, product, or feature to Connecticut consumers whom the controller has actual knowledge are minors, or whose minor status the controller willfully disregards, are subject to the following restrictions:
- Restrictions on processing minors’ personal data: SB3 imposes a duty to use reasonable care to avoid a heightened risk of harm to minors related to the use of such online service, product, or feature. There is a rebuttable presumption of reasonable care if a controller complies with SB3’s data protection assessment (DPA) requirements, described below.
Additionally, SB3 prohibits the following activities unless the controller has first obtained opt-in consent from the minor (or the minor’s parent / legal guardian if under 13 years old):
- processing a minor’s personal data that is not reasonably necessary to provide the online service, product, or feature (including the length of processing);
- processing a minor’s personal data for:
  - any purpose other than the purpose disclosed by the controller at the time of collection, or a purpose reasonably necessary and compatible with such disclosed purpose;
  - the purpose of targeted advertising;
  - any sale (as defined in the CTDPA) of personal data; or
  - profiling in furtherance of any fully automated decision-making that produces any legal or similarly significant effect; and
- using any system design feature to significantly increase, sustain, or extend any minor’s use of an online service, product, or feature.
- Restrictions on collecting minors’ precise geolocation data: SB3 prohibits the collection of a Connecticut minor’s precise geolocation data without consent from the minor (or the minor’s parent or legal guardian for minors under 13 years old) unless the geolocation data is reasonably necessary to provide the online service, product, or feature and only if the controller provides a signal to the minor for the duration of such precise geolocation data collection indicating that such data is being collected.
Additionally, covered controllers will be required to conduct DPAs of their online service, product, or feature, addressing (i) the purpose of such service, product, or feature, (ii) the categories of minors’ personal data processed, (iii) the purposes for such processing, and (iv) any foreseeable heightened risks to minors. Covered controllers with an existing DPA process should conduct a gap analysis to see if they already satisfy this requirement, whether updates are needed, or whether a separate DPA will be required.
Online Dating Site Requirements
In addition to amending the CTDPA, SB3 amends a separate Connecticut law regarding operators of online dating platforms (i.e., operators of a software application designed to facilitate online dating) that offer services to Connecticut residents, taking effect on January 1, 2024. Operators of such online dating platforms will be required to establish and maintain an online safety center and a policy for handling harassment reports.
Notes
1. I.e., processing personal data of at least (i) 100,000 Connecticut consumers or (ii) 25,000 or more consumers while deriving more than 25% of gross revenue from the sale of personal data.
2. CGS §§ 1-1k.