Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Connecticut: Bill on online privacy, data, and safety protections signed by Governor and becomes law

On June 12, 2023, Senate Bill 3, for An act concerning online privacy, data, and safety protections became law after being signed by the Governor of Connecticut, Ned Lamont, on June 7, 2023. In particular, the Connecticut Act Concerning Online Privacy, Data, and Safety Protections (Online Privacy Act) makes amendments to the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA).

Entry into effect

Sections 1 to 6 and 17 of the Online Privacy Act shall take effect from July 1, 2023, Sections 14 to 15 of the Act from January 1, 2024, Section 7 of the Online Privacy Act from July 1, 2024, and Sections 8 to 13 from October 1, 2024.

Definitions

The Online Privacy Act amends the CTDPA, including definitions for new terms, including 'abortion,' 'adult,' 'consumer,' 'gender-affirming health care services,' 'gender-affirming health data,' 'geofence,' 'mental health facility,' 'person,' 'reproductive or sexual health care,' 'reproductive or sexual health data,' 'reproductive or sexual health facility,' and 'social media platform.' Among the notable definitions are those of 'consumer health data,' which means any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.

The Online Privacy Act also defines 'consumer health data controller' as any controller that, alone or jointly with others, determines the purpose and means of processing consumer health data.

In addition, the Online Privacy Act amends the meaning of 'controller' to an individual a person who, or a legal entity that, alone or jointly with others, determines the purpose and means of processing personal data. The Act also amends the definition of 'sensitive data' as personal data that includes:

  • data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship, or immigration status;
  • consumer health data;
  • the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
  • personal data collected from a known child;
  • data concerning an individual's status as a victim of crime; or
  • precise geolocation data.

Furthermore, the Online Privacy Act also amends the definition of 'third party' as a person, such as a public authority, agency, or body, other than the consumer, controller, or processor, or an affiliate of the processor or the controller.

Moreover, the Online Privacy Act defines 'minor' as any consumer who is younger than 18 years of age.

Health data

The Online Privacy Act amends the CTDPA to provide that no person shall:

  • provide any employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;
  • provide any processor with access to consumer health data unless such person and processor comply with Section 42-521 of the general statutes;
  • use a geofence to establish a virtual boundary that is within one thousand seven hundred fifty feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from, or sending any notification to, a consumer regarding the consumer's consumer health data; or
  • sell, or offer to sell, consumer health data without first obtaining the consumer's consent.

In addition, the Online Privacy Act amends the CTDPA to provide that concerning consumer health data and consumer health data controllers, apply to persons that conduct business in this state and persons that produce products or services that are targeted to residents of Connecticut.

Children's data

The Online Privacy Act also amends the CTDPA to impose requirements on social media platforms to comply with minors' requests to unpublish or delete such minors' social media accounts. In addition, the Online Privacy Act amends the CTDPA imposing requirements on controllers that offer online services, products, or features to consumers whom such controller has actual knowledge, or wilfully disregards, are minors.

You can read the Online Privacy Act here, the bill notifications here, and view its history here.

Update: July 18, 2023

Bill amending Online Privacy Act's becomes law upon Governor's signature

On June 12, 2023, House Bill 6941 for an act concerning the state budget became law after being signed by the Governor of Connecticut, Ned Lamont, on the same day. In particular, the Act makes amendments to the Online Privacy Act specifically regarding its enforcement dates. Pursuant to §207 of the Act, §§1 to 5 of the Online Privacy Act will take effect from October 1, 2023.

In addition, the Act repeals §42-525 of the CTDPA providing that the Connecticut Attorney General shall have exclusive authority to enforce violations of §§42-515 to 42-524 of the CTDPA, and §2 of the Online Privacy Act, from October 1, 2023.

You can read the Act here and view its history here.

 

Feedback