Connecticut - Sectoral Privacy Overview
May 2024
1. Right To Privacy / Constitutional Protection
Although Connecticut does not have an explicit constitutional right to data privacy, the state has enacted a variety of key privacy laws that are intended to protect residents' privacy with respect to their personal information. Thus, despite the state's lack of an explicit constitutional right to data privacy, the following key privacy laws demonstrate the state's commitment to addressing and protecting its residents' individual privacy concerns.
2. Key Privacy Laws
The key privacy laws include:
- §36a-701b of Chapter 669 of Title 36a the General Statutes of Connecticut (Conn. Gen. Stat.) (the Data Breach Notification Law);
- §42-470 et seq. of Chapter 743dd of Title 42 of the Conn. Gen. Stat., specifically:
- Conn. Gen. Stat. §42-470 (the Social Security Number Protection Law); and
- Conn. Gen. Stat. §42-471 (the Personal Information Safeguarding Law).
- Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) as amended by the Connecticut Act Concerning Online Privacy, Data, and Safety Protections (the Online Privacy Act) (collectively, the CTDPA as amended).
Moreover, the Online Privacy Act became law and will enter into effect across 2023 and 2024. In particular, the Online Privacy Act makes amendments to the CTDPA to provide specific protections over the personal data of minors and over the newly defined 'consumer health data'.
Additional Sections provide specific rules for state contractors and insurance companies:
- §4e-70 of Chapter 62a of Title 4e of the Conn. Gen. Stat. (the State Contractors Law);
- §4e-71 of Chapter 62a of Title 4e of the Conn. Gen. Stat. (the Confidential Information Sharing Law); and
- §38a-38 of Chapter 697 of Title 38a of the Conn. Gen. Stat. (the Insurance Data Security Law).
Scope of Application and Key Definitions
Data Breach Notification Law
Under the Data Breach Notification Law, electronic personal information is protected. 'Personal information' is defined as an individual's first name or first initial and last name in combination with one, or more, of the following data:
- social security number;
- driver's license number or state identification card number;
- account number, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
- individual taxpayer identification numbers, such as social security numbers, or identity protection personal identification numbers issued by the Internal Revenue Service (IRS);
- passport numbers, military identification numbers, or other identification numbers used by the government to verify an individual's identity;
- medical information regarding an individual's medical history, including their mental or physical condition, treatment, or diagnoses;
- health insurance policy information, including policy numbers, subscriber identification numbers, and any other unique identifiers issued by the insurer; and
- biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain an individual's identity, such as fingerprints, voiceprints, and retina or iris images.
The Data Breach Notification Law further defines personal information to include an individual's username or e-mail address when combined with a password or security question and answer that would make an online account accessible.
However, the Data Breach Notification Law explicitly states that information that is otherwise lawfully made available to the public through federal, state, or local government records, or widely distributed media is excluded from the definition of personal information under the law. Under the Data Breach Notification Law, a 'breach of security' is defined as unauthorized access to, or acquisition of:
- electronic files;
- media;
- databases; or
- computerized data which contains personal information.
Particularly, the Data Breach Notification Law extends to breaches of security involving computerized data when access to personal information has not been secured by encryption, or by a technological method that would ensure that the personal information is unreadable or otherwise unusable.
In the event of a breach of security, those who are subject to compliance with the statute are statutorily required to notify the Connecticut Attorney General (AG) and the affected resident(s) without 'unreasonable delay.' However, the AG and any affected resident(s) must be notified no later than 60 days after the breach was initially discovered. If additional residents are identified whose personal information was breached, or reasonably believed to have been breached after that initial 60-day period, those subject to compliance must notify the affected resident(s) as soon as possible. If an entity subject to compliance with the statute reasonably determines that a breach of security is unlikely to result in harm to the affected individual(s) after engaging in an appropriate investigation, then notification is not required.
Under certain circumstances, such as when a breach of security involves an individual's social security and/or tax identification numbers, entities are required to provide each affected individual with at least 24 months of identity theft prevention and mitigation services at no cost to the affected individual(s). Entities must also provide the affected individual(s) with all the necessary information required for the individual to enroll in the services being offered and to place a credit freeze on their affected file.
Further, if a breach of security involves an individual's username or e-mail address, in combination with a password or security question and answer that would allow access to the individual’s online account, the entity must instruct the affected individual(s) to change any password(s), security question(s), and answer(s) used to access the affected online account and any other accounts in which the individual uses the same information to access.
Social Security Number Protection Law
Under the Social Security Number Protection Law, those parties who collect social security numbers are prohibited from intentionally displaying an individual's social security number publicly, or otherwise requiring an individual to:
- print their social security number on any card required to access products and/or services;
- send their social security number over the Internet, unless a secure connection is being used or the social security number is encrypted; or
- use their social security number to access a website, unless a password, unique identification number or other form of authentication is also required.
Personal Information Safeguarding Law
Under the Personal Information Safeguarding Law, paper or electronic personal information is protected. 'Personal information' under the Personal Information Safeguarding Law statute is defined in a slightly different manner than it is under the Data Breach Notification Law as it relates to information that can be associated with a specific individual through one or more identifiers, such as a:
- social security number;
- driver's license number;
- state identification card number;
- account number;
- credit or debit card number;
- passport number;
- alien registration number;
- health insurance identification number; or
- any military identification information.
However, like the Data Breach Notification Law, the definition of 'personal information' under the Personal Information Safeguarding Law also excludes information that has been made lawfully available to the public through federal, state, or local government records, or such information that has otherwise been made available by widely distributed media.
CTDPA as amended
On May 10, 2022, the CTDPA was signed into law, making Connecticut the fifth U.S. state to enact a state-level privacy law. The CTDPA as amended is intended to protect consumers' privacy by providing them with rights over their personal information and establishing a framework for controlling and processing personal data.
Like similar consumer privacy laws effective in other states, the CTDPA as amended provides consumers with a variety of rights over their 'personal' and 'sensitive data,' such as:
- the right to access and confirm whether such data is being processed by a 'controller';
- the ability to correct any false or inaccurate data;
- the right to delete such data that has been 'provided by, or obtained about' the consumer;
- the right to obtain a 'portable copy' of the data that a controller has processed; and
- the right to opt-out of the processing of data being obtained for the purpose of targeted advertisements, the sale of data, or 'profiling in connection with automated decisions that produce legal or similarly significant effects concerning the consumer.'
The CTDPA as amended limits the definition of a 'consumer' to individuals who reside in the State of Connecticut and does not extend to individuals acting in a 'commercial or employment context' or those who are employees, owners, directors, officers, or contractors of an entity. However, the CTDPA as amended broadly defines 'personal data' to include any information that is or can be reasonably linked to an 'identifiable individual.'
Despite the broad definition of 'personal data,' the CTDPA as amended has separately categorized certain personal data as ‘sensitive data’, which is defined as personal data that includes:
- an individual's racial or ethnic origin, religious beliefs, mental or physical conditions, sexual orientation, or immigration status;
- 'consumer health data';
- genetic or biometric data being processed for the purpose of 'uniquely identifying an individual';
- personal data that belongs to a 'known child';
- data relating to an individual's status as a crime victim; or
- precise geolocation data.
Furthermore, the Online Privacy Act expanded the definition of 'sensitive data' to include the protection of 'consumer health data' when it was signed into law on June 26, 2023, days before the CTDPA became effective on July 1, 2023. 'Consumer health data' is defined as any personal data that a controller uses to identify 'a consumer's physical or mental health condition or diagnosis.' This newly defined term is inclusive of, but is not limited to, data that relates to gender-affirming, reproductive, or sexual health care.
While consumers have a variety of rights with respect to their 'personal data' under the CTDPA as amended, protections over 'sensitive data' are greater, as the CTDPA as amended prohibits controllers from processing such data without first obtaining the consumer's consent. Additionally, with respect to 'consumer health data', the Online Privacy Act amended the CTDPA to prohibit the disclosure of or access to consumer health data by any employees or contractors, unless such individual is subject to a contractual or statutory duty of confidentiality.
As with the Data Breach Notification Law and the Personal Information Safeguarding Law, the CTDPA as amended's definition of 'personal data' excludes information that has been made lawfully available to the public through federal, state, or local government records, or such information that has otherwise been made available by widely distributed media.
It should be noted that under the CTDPA as amended, the 'sale of personal data' is limited to exchanging a consumer's personal data for money or 'other valuable consideration.' It does not include:
- a controller's disclosure of personal data to a processor that is processing data on the controller's behalf;
- disclosing personal data to a third party in relation to a product or service that was requested by the consumer;
- a controller's disclosure of personal data to one of its affiliates;
- a controller's disclosure of personal data when the consumer has instructed the controller to disclose the personal data or intentionally utilizes the controller to interact with a third party;
- personal data that a consumer has intentionally made available to the public without restriction to a limited audience; or
- personal data that has been disclosed or transferred as an asset to a transaction in which a third party takes control of the original controller's assets.
Further, the Online Privacy Act introduced a new provision prohibiting the use of 'geofences' to establish virtual boundaries within 1,750 feet of any mental health, reproductive, or sexual health facility. The CTDPA as amended defines a 'geofence' as technology that uses global positioning coordinates, cellular data, or 'any other form of location detection' to establish a virtual boundary. Particularly, the amendment prohibits the use of geofences for the purposes of identifying, tracking, collecting data from, or sending notifications to a consumer with respect to their health data.
The CTDPA as amended relating to consumer health data became effective on July 1, 2023. While certain exemptions pertaining to information that is otherwise protected under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) remain in place under the CTDPA as amended, it should be noted that requirements pertaining to the processing of consumer health data are not solely applicable to those entities that must comply with HIPAA.
Who Must Comply?
Data Breach Notification Law
Under the Data Breach Notification Law, any person who conducts business in the State of Connecticut, and who, in the ordinary course of such person's business, owns, licenses, or maintains computerized data, that includes personal information, must comply with the obligations outlined in the statute.
However, despite the statutory timeframe provided for notifying individuals affected by a breach of security, those who are subject to compliance with other federal laws such as the HIPAA or the Health Information Technology for Economic and Clinical Health Act (HITECH) should be aware that there may be a shorter window for providing affected individuals with notice. Nonetheless, entities that are required to comply with the notification requirements under HIPAA and/or HITECH are still required to notify the AG and provide individuals with appropriate identity theft prevention and/or mitigation services in accordance with the Data Breach Notification Law.
Social Security Number Law
Despite the statute's reference to 'person[s]' subject to compliance, for the purposes of this law, a 'person' is broadly defined to include both individuals and entities. However, it should be noted that the statute's definition of a 'person' does not extend to the state or any of its political subdivisions or agencies. Further, the statute is not intended to prevent a person from using or otherwise releasing a social security number when required by state or federal law for 'internal verification or administrative purposes.'
Personal Information Safeguarding Law
Under the Personal Information Safeguarding Law, any person who possesses personal information must safeguard any data, computer files, and documents containing personal information from being misused by third parties. The person possessing personal information is required to destroy, erase, or make any data unreadable prior to disposing of data, computer files, and documents. Additionally, those who engage in the collection of social security numbers in the ordinary course of business are subject to both the Social Security Number Law and Personal Information Safeguarding Law.
CTDPA as amended
The CTDPA as amended is specifically intended to regulate 'controllers' and 'processors' of data. A 'controller' is defined as an individual or legal entity that determines the purpose of and the means for processing an individual's personal data. A 'processor' refers to the legal entity or individual that processes personal data on a controller's behalf. Specifically, those conducting business or producing products in Connecticut, or otherwise targeting their services towards Connecticut residents, are subject to compliance if:
- an individual or entity annually controlled or processed 100,000 or more consumers' personal data in the past year, unless such data was controlled or processed for the sole purpose of finalizing payment for a transaction; or
- 25% or more of the controller's or processor's gross revenue was received from the sale of personal data and involved 25,000 or more consumers' personal data.
Although the CTDPA as amended applies only to controllers and processors, those entities and individuals who controlled or processed significant amounts of consumers' personal data within the year prior to the CTDPA as amended's effective date are nonetheless subject to compliance.
Data controllers have a variety of obligations under the CTDPA as amended, such as:
- to provide consumers with notice regarding the categories of personal data being processed and any purpose(s) for which the data is being used, and to inform consumers of the methods by which they may exercise their rights under the CTDPA as amended;
- to limit the personal data they collect to only what is 'reasonably necessary' and adequately related to the 'specific purpose' for which the data is processed;
- to ensure their methods for collection and agreements for processing data are compliant and reasonably safeguard personal data in a secure manner;
- to conduct assessments of their processing methods to ensure consumers are not at a heightened risk of discrimination or of other harm to their rights; and
- to respond to consumers' requests when exercising their rights under the CTDPA as amended.
Among other obligations, the requirements under the CTDPA as amended will require data controllers to utilize a variety of safeguards and response mechanisms to maintain compliance. Data processors must abide by controllers' instructions and also consider the nature in which the personal data is being processed, including accessibility to the data. Processors must take 'reasonably practicable' steps to ensure that the controller can respond to consumer requests and conduct necessary data protection assessments.
Enforcement
The Privacy and Data Security Department of the AG enforces the state laws governing notification of data breaches, safeguarding of personal information, and protection of social security numbers and other sensitive information. This department is also responsible for the enforcement of federal laws under which the AG has enforcement authority, including HIPAA, the Children's Online Privacy Protection Act of 1998 (COPPA), and the Fair Credit Reporting Act of 1970 (FCRA). This office can investigate data breaches and bring claims under the Connecticut Unfair Trade Practices Act (CUTPA), under Chapter 735a of Title 42 of the Conn. Gen. Stat. or seek settlements with offending parties. There are separate penalties for violations of the Social Security Number Law and the Personal Information Safeguarding Law.
The CTDPA as amended does not allow for a private right of action for consumers. The AG has exclusive authority to enforce any CTDPA as amended violations. Entities that intentionally violate the CTDPA as amended may be subject to up to $5,000 in civil penalties per violation.
Social Security Number Law/Personal Information Safeguarding Law
Under both the Social Security Number Law and the Personal Information Safeguarding Law, a person who intentionally violates any provision is subject to a $500 civil penalty for each violation. All civil penalties received pursuant to a violation of the statute are to be deposited into the Privacy Protection Guaranty and Enforcement Account.
The Commissioner of Consumer Protection (the Commissioner) is responsible for maintaining and utilizing the Privacy Protection Guaranty and Enforcement Account to reimburse affected individuals for losses sustained due to another person's violation of the statute. The Commissioner may also utilize the account funds for enforcement of the statutory regulations, such as for conducting investigations and holding hearings for any violating person(s).
If a person who is alleged to be in violation of the statute refuses to appear or otherwise cooperate with the Commissioner's request(s), the Superior Court may order the violating person to comply, in further aid of enforcement. Additionally, the Commissioner may request the AG to apply to the Superior Court for a temporary or permanent restraining order to prevent any person from further violating the statutory requirements.
3. Health Data
Connecticut has, in its evidentiary rules, in Chapter 889 of Title 52 of the Conn. Gen. Stat., a series of laws that protect communications and records disclosed between a patient and their mental health provider. Depending on the provider type (e.g., psychiatrist, physician, psychologist, social worker, marital and family therapist, etc.), these statutes differ slightly in how each defines terms like 'communication' and 'record,' as well as the circumstances where the patient's consent is not required prior to disclosure of such communications and records. While these statutes are in the evidentiary rules, healthcare providers in Connecticut afford greater protection to mental health records due to these laws, as the protections offered in the statutes are stricter than HIPAA. If violated, it is unclear at present how Connecticut would enforce these laws outside of permitting or excluding evidence in a case.
§20-7c of Chapter 369 of Title 20 of the Conn. Gen. Stat. governs patients' right to access their health records, and provides limited exceptions pursuant to which a provider may withhold information from the health record if such provider determines the information would be detrimental to the physical or mental health of the patient or is likely to cause the patient to harm themselves or another individual.
There are also Connecticut laws that allow minors to consent to certain medical treatments, and to keep such medical treatment confidential, subject to certain restrictions:
- §19a-216 of Chapter 368e of Title 19a of the Conn. Gen. Stat. regarding examination or treatment of minors for sexually transmitted diseases;
- §17a-688 of Chapter 319j of Title 17a of the Conn. Gen. Stat. regarding treatment for drug and alcohol dependence;
- §19a-582 of Chapter 368x of Title 19a of the Conn. Gen. Stat. regarding general consent for HIV-related testing;
- §19a-116 of Chapter 368a of Title 19a of the Conn. Gen. Stat. regarding the regulation of facilities which offer abortion services; and
- §19a-14c of Chapter 368a of Title 19a of the Conn. Gen. Stat. regarding the provision of outpatient mental health treatment to minors without parental consent.
§19a-550 of Chapter 368v of Title 19a of the Conn. Gen. Stat. is the State of Connecticut patients' bill of rights for those individuals who are patients of a nursing home, residential care home, or chronic disease hospital. This statute assures confidential treatment of personal and medical records and certain rights regarding the release of records to individuals outside of the facility.
Further, note that 'covered entities' and 'business associates' as defined under HIPAA are exempt from the CTDPA as amended and are not otherwise subject to the new requirements.
4. Financial Data
The key law governing financial privacy in the State of Connecticut is the Banking Law of Connecticut under Title 36a of the Conn. Gen. Stat. ('the Banking Law').
Key Definitions
§36a-41 of the Banking Law defines a financial institution as a bank, Connecticut credit union, federal credit union, an out-of-state bank that maintains a branch in Connecticut, and an out-of-state credit union that maintains an office in Connecticut.
Financial records are defined as any original or any copy, whether physically or electronically retained, of (§36a-41 of the Banking Law):
- a document providing signature authority over a deposit account or a share account with a financial institution;
- a statement, ledger card, or other record on any deposit account or shared account with a financial institution showing each transaction in or with respect to that account;
- any check, draft, or money order drawn on a financial institution or issued and payable by such an institution; or
- any item, other than an institutional or periodic charge, made pursuant to any agreement by a financial institution and a customer which constitutes a debit or credit to that person's account with that financial institution, if the information does not consist of a check, draft, or money order payable by the financial institutions.
Financial Institution Requirements
Connecticut law requires financial institutions (i.e., banks, state and federal credit unions, out-of-state banks, trusts, and credit unions that have a branch/office in Connecticut, Connecticut banking law licensees or other entity subject to the Banking Commissioner's jurisdiction) to comply with the Gramm-Leach-Bliley Act of 1999 (Gramm-Leach-Bliley Act) provisions with respect to customer privacy and protection of non-public information under §36a-44a of the Banking Law on customer protections.
With certain exceptions, this prohibits financial institutions from disclosing customer financial records without the customer's prior authorization. §36a-42 of the Banking Law enumerates eight such exceptions; §36a-43 of the Banking Law discusses the requirements to disclose financial records pursuant to lawful authority; and §36a-44 of the Banking Law sets forth 18 additional exceptions regarding the confidential treatment of customer records.
Further, note that 'banking and account information' is part of the definition of 'personal information' under the Data Breach Notification Law.
Note also that those financial institutions subject to the Gramm-Leach-Bliley Act are exempted from compliance with the CTDPA as amended.
Violations
Known and willful violations of the abovementioned statutes may result in a Class C misdemeanor under Connecticut law.
§53a-36 of Chapter 952 of Title 53a of the Conn. Gen. Stat. defines the penalty for a Class C misdemeanor as imprisonment that cannot exceed three months, which is exclusive of any monetary penalties that may also be imposed.
§53a-42 of Chapter 952 of Title 53a of the Conn. Gen. Stat. defines the penalty for a Class C misdemeanor as a fine of an amount not to exceed $500.
5. Employment Data
Key Laws
Under §31-40x(b) of Chapter 557 of Title 31 of the Conn. Gen. Stat., employers may not:
- request or require that an applicant or employee give an employer their username and password, password, or any other means of authentication to access a personal online account;
- request or require that an applicant or employee access or authenticate a personal online account in the employer's presence; or
- require an applicant or employee to invite the employer or accept an invitation from the employer to join a group affiliated with any of the applicant's or employee's personal online accounts.
An employer may not retaliate against an applicant or employee because they refuse any of the above prohibited requests, or because they file (or cause to be filed) any complaint with a court concerning the employer's violation of this statute.
There are certain exceptions to these prohibitions:
- an employer is not precluded from complying with applicable law;
- an employer is not prohibited from conducting an investigation to ensure compliance with applicable laws or prohibitions against work-related conduct when it receives specific information about activity on an employee's or applicant's personal online account;
- an employer may conduct an investigation accessing a personal online account about an employee's or applicant's unauthorized transfer of such employer's proprietary information, confidential information, or financial data to or from a personal online account operated by an employee, applicant, or other source; and
- monitoring, reviewing, accessing, or blocking electronic data stored on an electronic communications device paid for, in whole or in part, by an employer, or traveling through or stored on an employer's network, in compliance with state and federal law.
Any employer conducting an investigation pursuant to this statute may require an employee or applicant to allow the employer to access their personal online account for the purpose of conducting such investigation, provided the employer shall not require such employee or applicant to disclose the username and password, password, or other authentication means for accessing such personal online account.
Under Conn. Gen. Stat. §31-40x(a)(5), a 'personal online account' is defined as any online account that is used by an employee or applicant exclusively for personal purposes and unrelated to any business purpose of such employee's or applicant's employer or prospective employer, including, but not limited to, electronic mail, social media, and retail-based internet websites. A personal online account does not include any account created, maintained, used, or accessed by an employee or applicant for a business purpose of such employee's or applicant's employer or prospective employer.
Under §31-48d(a)(3) of Chapter 557 of Title 31 of Conn. Gen. Stat., 'electronic monitoring' is defined as the collection of information on an employer's premises concerning employees' activities or communications by any means other than direct observation, including the use of a computer, telephone, wire, radio, camera, electromagnetic, photoelectronic or photo-optical systems. However, it does not include the collection of information for security purposes in common areas of the employer's premises which are held out for use by the public, or which is prohibited under state or federal law.
Enforcement
The Connecticut Labor Commissioner (the Labor Commissioner) may investigate violations of Conn. Gen. Stat. §31-40x. If the Labor Commissioner finds that an employee has been aggrieved by an employer's violation of this statute, the Labor Commissioner may impose on the employer a civil penalty of up to $500 for the first violation and $1,000 for each subsequent violation, and may award the employee all appropriate relief including rehiring or reinstatement to their previous job, payment of back wages, reestablishment of employee benefits or any other remedies that the Labor Commissioner may deem appropriate. If the Labor Commissioner finds that an applicant has been aggrieved by an employer’s violation of this statute, the Labor Commissioner may impose on the employer a civil penalty of up to $25 for the first violation and $500 for each subsequent violation. There is no private right of action.
Pursuant to Conn. Gen. Stat. §31-48d, employers must provide written notice to employees before engaging in electronic monitoring. The notice must inform employees of any type of monitoring the employer may utilize. Employers must also post in a conspicuous place a notice detailing such information. The posting may constitute prior notice.
When an employer has reasonable grounds to believe that employees are engaged in conduct which violates the law, the legal rights of the employer, or the legal rights of other employees, or creates a hostile workplace environment, and such electronic monitoring may produce evidence of this misconduct, the employer may conduct monitoring without giving prior written notice.
The Labor Commissioner may impose civil penalties under Conn. Gen. Stat. §31-48d. The maximum civil penalty is $500 for the first offense, $1,000 for the second offense, and $3,000 for the third and each subsequent offense. There is no private right of action.
The CTDPA does not apply to personal data that is collected within an employment or other business relationship and those 'acting in a commercial or employment context' do not qualify as 'consumers' under its definition.
6. Online Privacy
The overall purpose of the CTDPA as amended is to regulate the processing of consumers' personal and sensitive data online. Entities subject to the law must provide online mechanisms through which consumers can exercise their rights, including the right to access their personal data and to opt out of its collection and use through online monitoring and targeted advertising technologies.
In addition to the amendments pertaining to consumer health data, the Online Privacy Act introduced new provisions intended to protect the online privacy of children. The CTDPA as amended now imposes a variety of restrictions on the processing of a minor's personal data, echoing protections set forth under COPPA, including a requirement that social media platforms falling within its scope give minors a right to 'unpublish' and to delete their social media accounts.
Under the CTDPA as amended, a 'social media platform' is defined as a 'public or semi-public Internet-based service or application' that:
- is used by a consumer located in the State of Connecticut;
- is 'primarily intended' to connect users and allow them to socially interact using the platform; and
- allows users to create a 'public or semi-public' profile, create a public list of the users with whom they are connected, and 'create or post content that is viewable by other users.'
However, the definition explicitly excludes services that:
- 'exclusively' provide e-mail or direct messaging services;
- 'primarily consist of news, sports, entertainment, interactive video games, electronic commerce or content that is preselected by the provider,' or whose interactive functions are incidental, directly related or dependent on such content; or
- are used by and 'under the direction of an educational entity,' including but not limited to learning management systems or student engagement programs.
Despite the definition's exclusion of direct messaging services, the Online Privacy Act specifies that 'easily accessible safeguards' must nonetheless be used to limit the ability of unsolicited communications between minors and adults.
Starting on July 1, 2024, consumers under the age of 18 may exercise their right to unpublish and/or delete their social media account(s). Consumers aged 16 or older must exercise this right themselves, while for consumers under the age of 16 the right may be exercised on their behalf by a parent or legal guardian. Social media platforms that meet the definition above must therefore update their privacy notices to describe the procedure for making such requests, as the CTDPA as amended requires.
Once this provision becomes effective, social media platforms will have 15 business days following receipt of a request to 'unpublish' the minor's account and 45 business days to delete the minor's account upon request. Once that timeframe concludes, the social media platform must stop processing any of that minor's personal data unless preservation is otherwise required by applicable law.
Failure to comply with the above after July 1, 2024, is an unfair trade practice under §42-110b of the Connecticut Unfair Trade Practices Act (CUTPA). A social media platform is not required to act on a request that it cannot 'authenticate' using 'commercially reasonable efforts' as having been submitted by a minor or on a minor's behalf; platforms should therefore document the verification steps they take before declining a request on that basis.
Furthermore, the Online Privacy Act subjects certain data controllers that provide an 'online service, product or feature' to consumers under the age of 18 to additional obligations not found in the original CTDPA. The CTDPA as amended defines an 'online service, product or feature' as any service, product or feature that is offered to consumers online, excluding telecommunication and Internet providers and 'the delivery or use of a physical product.'
Starting October 1, 2024, a data controller that provides an online service, product, or feature to a consumer whom it has 'actual knowledge or willfully disregards' to be a minor must use 'reasonable care to avoid any heightened risk of harm to minors.' The Online Privacy Act defines a 'heightened risk of harm to minors' as 'processing minors' personal data in a manner that presents any reasonably foreseeable risk' of:
- 'unfair or deceptive treatment' that could have 'any unlawful disparate impact on minors';
- injury to a minor, either financially, physically, or reputationally; or
- 'any physical or other intrusion of solitude or seclusion' of the minor's private affairs or concerns, 'if such intrusion would be offensive to a reasonable person.'
Moreover, a controller that offers such an online service, product, or feature and has actual knowledge that a minor uses it may not do any of the following without consent: the consent of the minor if the minor is 13 or older, or the consent of a parent or legal guardian if the minor is under 13:
- process the minor's personal data for targeted advertising;
- process the minor's personal data for any purpose for longer than is reasonably necessary to provide the online service, product or feature;
- process the minor's personal data for any purpose other than those disclosed at the time the data was collected;
- use a feature designed to 'significantly increase, sustain or extend' the minor's use of the online service, product, or feature; or
- collect the minor's geolocation data, unless doing so is necessary for the controller to provide the online service, product, or feature.
The AG has exclusive authority to enforce these provisions. From their effective date of October 1, 2024, through December 31, 2025, the AG must allow controllers and processors 30 days to cure an alleged violation before bringing an enforcement action. From January 1, 2026, an opportunity to cure is at the AG's discretion, taking into account the following factors:
- the number of violations alleged against the controller or processor;
- the size and complexity of the controller or processor;
- the nature and extent of the controller or processor's activities;
- the substantial likelihood that the alleged violation has or would result in a public injury;
- the risk to the safety of a person or their property;
- likelihood that the alleged violation was caused by human or technical error; and
- the sensitivity of the data in question.
The amendments set forth under the Online Privacy Act make clear that the online privacy of minors is a subject of heightened concern, and data controllers and processors should be prepared to implement additional safeguards to ensure compliance with the new provisions.
7. Unsolicited Commercial Communications
§52-570c of Chapter 925 of Title 52 of the Conn. Gen. Stat. prohibits the dissemination of unsolicited advertising material via email unless the message offers an unsubscribe option and its subject line begins with the letters 'ADV'. The requirement applies to any for-profit business that does not have an established business relationship with the recipient.
Any individual aggrieved by a violation of the statute may, within two years of the alleged violation, bring a civil action in Connecticut Superior Court to enjoin further violations and seek $500 per violation (each such unsolicited email constituting a violation), together with costs and reasonable attorneys' fees.
8. Privacy Policies
The CTDPA as amended requires data controllers to provide a 'reasonably accessible and clear' privacy notice. Data controllers must also implement reasonable safeguards to ensure the information being processed is accurate and provide consumers with a method for accessing and correcting their personal data.
The CTDPA as amended requires each privacy notice to set forth:
- the categories of personal data that the controller processes;
- the controller's purpose for processing the consumer's personal data;
- the method by which consumers may exercise their rights under the CTDPA as amended and/or appeal a controller's decision on a consumer's request;
- if the controller shares personal data with any third parties, the categories of personal data shared and the categories of third parties with whom it is shared; and
- an online method or e-mail address through which the consumer may communicate with the controller.
9. Data Disposal / Cybersecurity / Data Security
Under Public Act No. 21-119, an act incentivizing the adoption of cybersecurity standards for businesses (the Safe Harbor Law), Connecticut state courts may not assess punitive damages in data breach litigation where the defendant 'created, maintained, and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework'. The act names frameworks such as the NIST Cybersecurity Framework, NIST SP 800-171, NIST SP 800-53, FedRAMP, the CIS Critical Security Controls and the ISO/IEC 27000 series, as well as the security requirements of sector regulations such as HIPAA and GLBA for entities subject to them. The safe harbor is unavailable where the failure to implement reasonable cybersecurity controls resulted from gross negligence or wilful or wanton conduct, so the program must be operated and evidenced in practice, not merely written down. The cybersecurity program must also be designed to protect:
- the confidentiality and security of personal and restricted information;
- against threats or hazards to the security or integrity of such information; and
- against unauthorized access to and acquisition of information that would result in a material risk of identity theft or other fraud to the individual.
The appropriate scale and scope of the cybersecurity program are measured against factors including the covered entity's:
- size and complexity;
- the nature and scope of its activities;
- the sensitivity of the information to be protected; and
- the cost and availability of tools to improve information security and reduce risks.
The law applies to 'covered entities' which are defined as any business that 'accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside [the] state.'
'Personal information' follows the same definition as used under the Data Breach Notification Law. However, it is important to note that 'restricted information' is separately defined as 'any information about an individual, other than personal information or publicly available information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual's identity or that is reasonably linked or linkable to an individual, if the information is not encrypted, redacted or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property.'
10. Other Specific Jurisdictional Requirements
Not applicable at this time.