Connecticut: Expanding online privacy and safety protections
On June 2, 2023, the Connecticut legislature passed Senate Bill 3, An Act Concerning Online Privacy, Data and Safety Protections, which was later issued as Public Act 23-56 (the Act). This wide-ranging new bill imposes an array of new requirements concerning access to and sharing of health data, geo-fencing, social media platforms, and online dating operators. The Act also makes revisions to the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA), the state's new comprehensive consumer data privacy law that comes into effect July 1, 2023. William J. Roberts, Stephanie M. Gomes-Ganhão, and Colton J. Kopcik, from Day Pitney LLP, summarize the Act's key points relating to consumer healthcare data, children's online safety, and online dating operators.
Consumer health data
By way of background, on May 10, 2022, Connecticut became the fifth state to pass a comprehensive consumer privacy law, joining California, Colorado, Utah, and Virginia. The CTDPA applies to persons who conduct business in Connecticut or persons who produce products or services that are targeted to Connecticut residents (i.e., sell products to Connecticut residents via their websites, mobile apps, etc.) and that during the preceding calendar year either: (i) controlled or processed the personal data of at least 100,000 consumers; or (ii) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data. Like other similar laws, the CTDPA exempts several types of entities from having to comply with its requirements, including but not limited to state agencies, nonprofit organizations, higher education institutions, financial institutions subject to Title V of the Gramm-Leach-Bliley Act (GLBA), and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA). Moreover, the CTDPA includes a provision exempting 16 categories of data from its application, such as protected health information as defined in HIPAA, information collected or used for research purposes, and patient safety work product conducted in accordance with applicable law, among others.
The Act amends the CTDPA to introduce the concept of 'consumer health data' and to impose new obligations on 'consumer health data controllers.' For purposes of the Act, 'consumer health data' means any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data. 'Consumer health data controller' means any controller that, alone or jointly with others, determines the purpose and means of processing consumer health data.
The Act imposes new restrictions on the use and disclosure of 'consumer health data' for those organizations that conduct business in Connecticut and that produce products or services that are targeted to Connecticut residents. Specifically, the Act prescribes that no person shall:
- provide any employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;
- provide any processor with access to consumer health data unless such person and processor comply with Section 42-521 of the Connecticut General Statutes;
- use a geofence to establish a virtual boundary that is within 1,750 ft of any mental health facility [1] or reproductive or sexual health facility [2] for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer's consumer health data; or
- sell, or offer to sell, consumer health data without first obtaining the consumer's consent [3].
Importantly, these restrictions on the use and disclosure of 'consumer health data' do not apply to:
- a body, authority, board, bureau, commission, district, or agency of Connecticut, or of any political subdivision of Connecticut;
- a person or entity who has entered into a contract with a body, authority, board, bureau, commission, district, or agency of Connecticut while processing consumer health data on behalf of such body, authority, board, bureau, commission, district, or agency;
- a college or university;
- a registered national securities association;
- a financial institution subject to Title V of GLBA;
- a covered entity or business associate, as defined by HIPAA;
- a tribal nation government organization; or
- certain regulated air carriers.
The use and disclosure of consumer health data is also subject to the CTDPA's 16 categories of exemption, such as protected health information as defined in HIPAA, information collected or used for research purposes, and patient safety work products. Moreover, the Act applies the CTDPA's Children's Online Privacy Protection Act (COPPA) exemption to consumer health data controllers as well (controllers that comply with the verifiable parental consent requirements of COPPA are deemed compliant with any obligation to obtain parental consent under the CTDPA or the Act).
Consumer health data controllers bear the burden of demonstrating that their processing of consumer health data qualifies for one or more of these exemptions.
Notably, the Act does not create a private right of action and instead grants the Connecticut Attorney General (AG) exclusive enforcement authority over the health data provisions, the same as with the remainder of the CTDPA. These amendments to the CTDPA take effect on July 1, 2023.
Minors and social media accounts
The Act grants minors (and in some cases their parents) new rights to request that social media platforms unpublish or delete the minor's account. For purposes of the Act and these new rights, a social media platform 'means a public or semi-public Internet-based service or application that (i) is used by a consumer in Connecticut, (ii) is primarily intended to connect and allow users to socially interact within such service or application, and (iii) enables a user to (I) construct a public or semi-public profile for the purposes of signing into and using such service or application, (II) populate a public list of other users with whom the user shares a social connection within such service or application, and (III) create or post content that is viewable by other users, including, but not limited to, on message boards, in chat rooms, or through a landing page or main feed that presents the user with content generated by other users.' [4] A minor is anyone younger than 18 years of age.
The first new right is to request that a social media account be unpublished, meaning that the account is removed from public visibility. A minor or the minor's parent (if the minor is younger than 16) may make the request and a social media platform has 15 business days to fulfill the request. In the same way, minors and their parents may request the deletion of an account, but in this case, a social media platform has 45 business days to fulfill the request (and such period may be extended for certain reasons permitted by the Act). Instructions for how to make these requests must be described in a social media platform's privacy notice.
These provisions of the Act will take effect on July 1, 2024.
Protection of minors online
The Act also imposes new obligations on CTDPA controllers to protect minors from harm and safeguard their online experiences. Again, 'minors' here means anyone younger than 18 years old. Among these new obligations are the following:
- Each controller that offers any online service, product, or feature to consumers it knows or willfully disregards are minors shall use reasonable care to avoid any heightened risk of harm to minors.
- Controllers must not process any minor's personal data for targeted advertising or for the sale of personal data unless such processing is reasonably necessary to provide such online product or service and consent is obtained from the minor (or the minor's parent or legal guardian if the minor is younger than 13).
- Controllers must not collect a minor consumer's precise geolocation data unless such data is reasonably necessary for the controller to provide the product or service (and not collected for purposes beyond that product or service) and the controller provides the minor a signal indicating such data is being collected (which signal is available to the minor for the entire duration of such collection). As above, the controller must obtain consent from the minor (or the minor's parent or legal guardian if the minor is younger than 13).
- Controllers that have actual knowledge or willfully disregard that their products or services are being offered to minors must conduct a data protection assessment (DPA) that addresses the purpose of the online service, the categories of data processed, and any heightened risk of harm to minors that is reasonably foreseeable from the product or service. If such assessment determines that the online service, product, or feature that is the subject of such assessment poses a heightened risk of harm to minors, the controller shall establish and implement a plan to mitigate or eliminate such risk.
Regarding the DPA obligation, each controller that conducts such an assessment shall: (i) review such DPA as necessary to account for any material change to the processing operations of the online service, product, or feature that is the subject of such DPA; and (ii) maintain documentation concerning such DPA for the longer of: (a) the three-year period beginning on the date on which such processing operations cease; or (b) as long as such controller offers such online service, product, or feature.
The Act also places limitations on direct messaging apparatuses used by minors, including limitations on an adult's ability to send unsolicited communications to minors, and prohibits a controller from using 'any system design feature to significantly increase, sustain, or extend any minor's use of such online service, product or feature.'
These provisions of the Act will take effect on October 1, 2024, and exclusive enforcement authority lies with the Connecticut AG. However, from October 1, 2024 to December 31, 2025, the Connecticut AG must grant a 30-day cure period to entities alleged to have violated these provisions if the AG determines that the entity 'may cure such alleged violation.' Starting on January 1, 2026, the Connecticut AG will have discretion in determining whether to grant a cure period, as informed by a multi-factor framework.
Online dating services
The Act's last focus relates to adopting new obligations for operators of software applications designed to facilitate online dating (or using a digital service to initiate relationships with other individuals for the purpose of romance, sex, or marriage). The Act requires operators of such online dating applications to maintain an online safety center reasonably designed to provide Connecticut users with resources concerning safe dating. Each online safety center must include: (i) an explanation of the online dating operator's reporting mechanism for harmful or unwanted behavior; (ii) safety advice for use when communicating online and meeting in person; (iii) a link to an internet website or a telephone number where a Connecticut user may access resources concerning domestic violence and sexual harassment; and (iv) educational information concerning romance scams. Operators must also adopt a policy for how they will handle harassment reports by or between users.
These provisions of the Act will take effect on January 1, 2024.
The Act comes at a time of significant state and federal interest in both companies that collect minors' data and healthcare data companies that fall outside of the purview of HIPAA. Companies operating in these sectors must continue to closely monitor Connecticut's roll-out of both the Act and the CTDPA, as well as similar (and perhaps inconsistent or more aggressive) action in other states or in Congress.
1. The Act defines '[m]ental health facility' as 'any health care facility in which at least seventy per cent of the health care services provided in such facility are mental health services.'
2. The Act defines '[r]eproductive or sexual health facility' as 'any health care facility in which at least seventy per cent of the health care-related services or products rendered or provided in such facility are reproductive or sexual health care.' The Act further defines '[r]eproductive or sexual health care' as 'any health care related services or products rendered or provided concerning a consumer's reproductive system or sexual well-being, including, but not limited to, any such service or product rendered or provided concerning (A) an individual health condition, status, disease, diagnosis, diagnostic test or treatment, (B) a social, psychological, behavioral or medical intervention, (C) a surgery or procedure, including, but not limited to, an abortion, (D) a use or purchase of a medication, including, but not limited to, a medication used or purchased for the purposes of an abortion, (E) a bodily function, vital sign or symptom, (F) a measurement of a bodily function, vital sign or symptom, or (G) an abortion, including, but not limited to, medical or nonmedical services, products, diagnostics, counseling or follow-up services for an abortion.'
4. Readers should note that the Act excludes from the definition of social media platforms any 'public or semi-public Internet-based service or application that (i) exclusively provides electronic mail or direct messaging services, (ii) primarily consists of news, sports, entertainment, interactive video games, electronic commerce or content that is preselected by the provider or for which any chat, comments or interactive functionality is incidental to, directly related to, or dependent on the provision of such content, or (iii) is used by and under the direction of an educational entity, including, but not limited to, a learning management system or a student engagement program.'