The Connecticut legislature passed Connecticut SB 3 on June 2, 2023.  If enacted by the governor, the bill would amend the Connecticut Data Privacy Act (“CTDPA”) to include a number of provisions related to health and minors’ data. Additional detail on the CTDPA can be found in our previous blog post here.

The health-related provisions would take effect on July 1, 2023.  Most provisions related to minors’ data would take effect on October 1, 2024.  However, requirements that social media platforms “unpublish” or delete certain minors’ accounts would come into effect on July 1, 2024.

As reflected in this bill, state legislatures appear increasingly focused on health privacy.  Connecticut’s bill comes on the heels of Nevada’s SB 370, which the Nevada legislature passed, and which, if enacted would impose requirements on consumer health data.  Both the Nevada and Connecticut bill resemble Washington’s My Health My Data Act, although they appear generally narrower in scope.  For additional detail on Washington’s My Health My Data Act, please review our blog post here

Health Data

The bill imposes a number of requirements related to health data. 

  • Consumer Health Data. The bill would introduce the concept of consumer health data.  It would define consumer health data as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.” The bill would amend the definition of sensitive personal information to include consumer health data. 
  • Consumer Health Data Requirements.  Entities would need consent to process or sell consumer health data.  Entities would also need to impose certain restrictions on employees, contractors, and processors with access to consumer health data.
  • Geofencing.  The bill would prohibit entities from using a geofence to establish a virtual boundary within 1,750 feet of a mental, reproductive, or sexual health facility for the purposes of identifying, tracking, collecting from or sending any notification to a consumer regarding his or her consumer health data.

Children’s Data

The bill also imposes a number of requirements related to children’s data.  

  • Social Media Platforms.  The bill would require social platforms to “unpublish” or delete social media accounts upon request of a minor or a minor’s legal guardian.  Social media platforms would, relatedly, be required to provide a mechanism for submitting such requests.  As mentioned above, these requirements would come into effect in July 2024.
  • Other.  The bill would also impose a number of requirements on controllers that offer online services, products or features to consumers, where the controller has actual knowledge (or willfully disregards) that the the consumer are minors.  For example, the controllers would be prohibited from processing personal data for targeted advertising or sales; profiling in furtherance of a “fully automated decision” that produces a legal or similarly significant effect; and collecting minors’ precise geolocation (subject to certain exceptions).  Such controllers would also be required to conduct data protection assessments.
  • Design Features.  The bill would also prohibit controllers from using “any system design feature to significantly increase, sustain or extend any minor’s use” of the online service.  

Other

The bill would also impose a few miscellaneous requirements. 

  • Online Dating.  The bill would impose requirements on online dating operators, including that the operators maintain online safety centers and adopt policies related to handling harassment reports. 
  • Task Force.  The bill would also establish a “Division of Scientific Services” in the current Department of Emergency Services and Public Protection.  Within the new division, the bill would establish the “Connecticut Internet Crimes Against Children Task Force.”
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Libbie Canter Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports…

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Photo of Jayne Ponder Jayne Ponder

Jayne Ponder counsels national and multinational companies across industries on data privacy, cybersecurity, and emerging technologies, including Artificial Intelligence and Internet of Things.

In particular, Jayne advises clients on compliance with federal, state, and global privacy frameworks, and counsels clients on navigating the…

Jayne Ponder counsels national and multinational companies across industries on data privacy, cybersecurity, and emerging technologies, including Artificial Intelligence and Internet of Things.

In particular, Jayne advises clients on compliance with federal, state, and global privacy frameworks, and counsels clients on navigating the rapidly evolving legal landscape. Her practice includes partnering with clients on the design of new products and services, drafting and negotiating privacy terms with vendors and third parties, developing privacy notices and consent forms, and helping clients design governance programs for the development and deployment of Artificial Intelligence and Internet of Things technologies.

Jayne routinely represents clients in privacy and consumer protection enforcement actions brought by the Federal Trade Commission and state attorneys general, including related to data privacy and advertising topics. She also helps clients articulate their perspectives through the rulemaking processes led by state regulators and privacy agencies.

As part of her practice, Jayne advises companies on cybersecurity incident preparedness and response, including by drafting, revising, and testing incident response plans, conducting cybersecurity gap assessments, engaging vendors, and analyzing obligations under breach notification laws following an incident.

Photo of Ariel Dukes Ariel Dukes

Ariel Dukes is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group.

Ariel counsels clients on data privacy, cybersecurity, and artificial intelligence. Her practice includes partnering with clients on compliance with comprehensive privacy…

Ariel Dukes is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity Practice Group.

Ariel counsels clients on data privacy, cybersecurity, and artificial intelligence. Her practice includes partnering with clients on compliance with comprehensive privacy laws, FTC and consumer protection laws and guidance, and laws governing the handling of health-related data. Additionally, Ariel routinely counsels clients on drafting and negotiating privacy terms with vendors and third parties, developing privacy notices and consent forms, and responding to regulatory inquiries regarding privacy and cybersecurity topics. Ariel also advises clients on trends in artificial intelligence regulations and helps design governance programs for the development and deployment of artificial intelligence technologies across a number of industries.

Photo of Olivia Vega Olivia Vega

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and…

Olivia Vega provides strategic advice to global companies on a broad range of privacy, health care, and technology issues, including in technology transactions, mergers and acquisitions, and regulatory compliance. Within her practice, Olivia counsels clients on navigating the complex web of federal and state privacy and data security laws and regulations, including on topics such as HIPAA, California’s Confidentiality of Medical Information Act, and the California Consumer Privacy Act. In addition, Olivia maintains an active pro bono practice.