On June 2, the Connecticut state legislature passed an amended version of Senate Bill 3 (“SB 3”), a bill containing provisions imposing new requirements related to consumer health data and children’s online protection. The bill now moves to Governor Ned Lamont’s desk for signature. If signed into law, SB 3’s consumer health data provisions will amend the relevant portions of the Connecticut Data Privacy Act (CTDPA). Because these new provisions are included as an amendment to the CTDPA, it is critical for affected businesses to understand that the new provisions related to consumer health data will go into effect on July 1, 2023, the same date as the rest of the CTDPA.
SB 3’s most notable provisions pertain to consumer health data and children’s online safety. The consumer health data provisions will, among other things, prohibit entities from selling or processing consumer health data without obtaining consumer consent. Though SB 3’s consumer health data provisions are narrower in scope than those of the recently enacted Washington My Health My Data Act, they are reflective of a growing interest among legislatures and regulators at the federal and state levels in strengthening protections for health data. Meanwhile, SB 3’s child online safety provisions — which similarly echo ongoing federal and state legislative efforts — would place restrictions on companies’ processing of children’s data on online platforms, such as by limiting their ability to process children’s precise geolocation data and use children’s personal data for purposes of targeted advertising.
SB 3 arrives at a critical juncture in Connecticut privacy law. As noted above, the CTDPA, a comprehensive privacy law enacted in May 2022, will take effect on July 1 and will now include the consumer health data provisions added by SB 3. Thus, SB 3 will impose further compliance obligations on companies already scrambling to adhere to the CTDPA’s requirements. Indeed, the Connecticut Attorney General recently released guidance on the new privacy rights that the CTDPA creates for Connecticut consumers, potentially indicating that the agency will be paying close attention to compliance efforts.
In this post, we highlight key takeaways from SB 3 and summarize its key provisions. We are happy to answer any questions you have about how this bill will affect your company’s privacy compliance obligations. To keep updated on the ever-evolving state privacy legal landscape, be sure to subscribe to the WilmerHale Privacy and Cybersecurity Law blog.
Businesses that are subject to the CTDPA should take note of the following key issues arising from the passage of SB 3:
- Limitations on Sale and Processing of Consumer Health Data: SB 3 amends the CTDPA to include new provisions specific to consumer health data and to amend the CTDPA’s definition of “sensitive data” to include consumer health data. As a result of these amendments, entities will have new obligations to obtain consumer consent before selling or processing consumer health data.
- Restrictions on Processing of Children’s Online Data: SB 3 imposes a series of requirements on controllers that offer online services, products, or features to consumers they know to be minors. These requirements include prohibitions on processing a minor’s personal data for purposes of targeted advertising, sale of personal data, and certain types of profiling; collecting minors’ precise geolocation data; and using system design features to “significantly increase” a minor’s use of an online offering. Controllers subject to these provisions are further required to conduct data protection assessments pertaining to their processing of minors’ personal data.
- Effective Dates: Companies should take particular note of the consumer health data provisions’ effective date. Those provisions will go into effect on July 1, 2023, along with the rest of the CTDPA. Most of the children’s online safety provisions will not take effect until October 1, 2024 (with the exception of Section 7, which applies specifically to social media platforms). But given the substantial requirements imposed by those provisions, companies should begin evaluating their corresponding compliance obligations sooner rather than later.
- Enforcement: SB 3 does not create a private right of action for either the consumer health data or child online safety provisions. Instead, the Connecticut AG will have exclusive enforcement authority over these provisions (as it will over the CTDPA).
SUMMARY OF NOTABLE PROVISIONS
Health Data Amendments to Connecticut Data Privacy Act (Sections 1–6)
Sections 1–6 of SB 3 amend the Connecticut Data Privacy Act (CTDPA). These amendments will go into effect on July 1, 2023, along with the CTDPA. Key amendments include:
- Definition of Consumer Health Data: Defines “consumer health data” as “any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.”
- Definition of Consumer Health Data Controller: Defines “consumer health data controller” as “any controller that, alone or jointly with others, determines the purpose and means of processing consumer health data.”
- Consumer Health Data as Sensitive Data: Amends the CTDPA’s definition of “sensitive data” to include consumer health data. As a result, consumer health data will be subject to the CTDPA’s requirement that controllers obtain consumer consent before processing sensitive data.
- Requirements on Processing Consumer Health Data: Adds a new section (Section 2) outlining requirements specific to consumer health data, including: (1) prohibiting the provision of consumer health data to employees or contractors unless they are subject to a contractual or statutory duty of confidentiality; (2) prohibiting the use of geofences near mental, reproductive, and sexual health facilities “for the purpose of identifying, tracking, collecting data from or sending any notification to a consumer regarding the consumer's consumer health data”; and (3) prohibiting the sale of consumer health data without consumer consent.
- Exemptions: Section 2 includes its own exemptions provision, specifically exempting, among other things, state and state political subdivision entities; institutions of higher education; specified national securities associations; financial institutions and data subject to GLBA; and HIPAA covered entities and business associates.
Social Media Account Deletion and Unpublishing (Section 7)
- Minors’ Requests to Unpublish or Delete Social Media Accounts: Requires social media platforms to comply with minors’ requests to unpublish (i.e., remove from public visibility) or delete social media accounts. These provisions take effect on July 1, 2024.
Children’s Online Safety (Sections 8–13)
Sections 8–13 impose requirements on controllers that offer online services, products, or features “to consumers whom such controller has actual knowledge, or wilfully disregards, are minors,” as outlined below. These provisions will take effect on October 1, 2024.
- Reasonable Care: Required to use reasonable care to avoid any heightened risk of harm to minors caused by their online service, product, or feature.
- Use of Children’s Data for Advertising, Sale, or Profiling: Prohibited from processing (without consent) a minor’s personal data for purposes of targeted advertising, sale of personal data, or “profiling in furtherance of any fully automated decision … that produces any legal or similarly significant effect.”
- Necessity Limitation: Prohibited from processing a minor’s personal data unless such processing is necessary to provide the relevant online service, product, or feature, subject to a consent exception.
- Duration Limitation: Prohibited from processing a minor’s personal data for longer than necessary to provide the relevant online service, product, or feature, subject to a consent exception.
- Using System Design to Prolong Use: Prohibited from using “any system design feature to significantly increase, sustain or extend any minor's use of such online service, product or feature.”
- Precise Geolocation Data: Prohibited from collecting (without consent) a minor’s precise geolocation data, unless specified requirements are satisfied (including necessity to provide the relevant feature, a time limitation, and notice to the minor).
- Direct Messaging: Places limitations on direct messaging apparatuses used by minors, including limitations on an adult’s ability to send unsolicited communications to minors.
- Data Protection Assessments: Required to conduct data protection assessments pertaining to their processing of minors’ personal data.
- Exemptions: Exempts various entities and information types, including: state and state political subdivision entities; nonprofit entities; institutions of higher education; specified national securities associations; financial institutions or data subject to GLBA; covered entities, business associates, and protected health information subject to HIPAA; information subject to FCRA; personal data subject to FERPA; and certain employment-related data.
- Enforcement: Does not create a private right of action. Rather, exclusive enforcement authority lies with the state AG.
- Cure Period: From October 1, 2024 to December 31, 2025, the state AG must grant a 30-day cure period to entities alleged to have violated these provisions if the AG determines that the entity “may cure such alleged violation.” Starting on January 1, 2026, the state AG will have discretion in determining whether to grant a cure period, as informed by a multi-factor framework.
- Online Dating Operators: Imposes safety requirements on online dating operators (Section 15).
- Internet Crimes Against Children Task Force: Establishes “Connecticut Internet Crimes Against Children Task Force” within the state government’s Division of Scientific Services (Section 17).