Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Connecticut: Online Privacy Act enters into force

On October 1, 2023, provisions of the Connecticut Act Concerning Online Privacy, Data, and Safety Protections (Online Privacy Act) which makes amendments to the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) entered into force, pursuant to §207 of An Act Concerning the State Budget (the State Budget Act). The State Budget Act also repeals §42-525 of the CTDPA providing that the Connecticut Attorney General shall have exclusive authority to enforce violations of §§42-515 to 42-524 of the CTDPA, and §2 of the Online Privacy Act, from October 1, 2023.

Effective dates

The Online Privacy Act will take effect as follows:

  • §§6 and 17 entered into effect on July 1, 2023;
  • §§1 to 5 entered into effect from October 1, 2023;
  • §§14 to 16 will take effect from January 1, 2024;
  • §7 will take effect from July 1, 2024; and
  • §§8 to 13 will take effect from October 1, 2024.

New requirements

§§1 to 5 of the Online Privacy Act addresses, among other things, the expanded scope of the CTDPA, restrictions on the disclosure of health information, as well as new definitions including consumer health data controller. Specifically, the Online Privacy Act amends the CTDPA to provide that no person shall:

  • provide any employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;
  • provide any processor with access to consumer health data unless such person and processor comply with Section 42-521 of the general statutes;
  • use a geofence to establish a virtual boundary that is within one thousand seven hundred fifty feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from, or sending any notification to, a consumer regarding the consumer's consumer health data; or
  • sell, or offer to sell, consumer health data without first obtaining the consumer's consent.

In addition, the Online Privacy Act amends the CTDPA to provide that concerning consumer health data and consumer health data controllers, apply to persons that conduct business in this state and persons that produce products or services that are targeted to residents of Connecticut.

OneTrust DataGuidance has released a number of resources to assist with your CTDPA compliance:

For further information and resources on Connecticut, see our Connecticut homepage.