Expanding the Scope: Connecticut Passes Amendments to CTDPA Ahead of July 1, 2023 Effective Date
The Connecticut Data Privacy Act (CTDPA) and the Colorado Privacy Act (CPA) enforcement date of July 1, 2023 is quickly approaching. As businesses work diligently to meet the compliance requirements of 2023 state privacy statutes, Connecticut’s Legislature has taken another step towards enhancing privacy protections for its consumers with Senate Bill 3 (SB 3), which was transferred to Governor Lamont for signature on June 14, 2023.
If SB 3 is signed, Connecticut will impose new requirements on businesses in two key areas of privacy: (i) the protection of consumer health data, with these provisions taking effect July 1, 2023, and (ii) the responsibilities of businesses handling the personal data of minors, which will come into effect on October 1, 2024.
Why SB 3’s Amendments on Consumer Health Data May Apply to Businesses Outside of Healthcare: Effective July 1, 2023 (Sections 1 through 6)
Broadening the scope of the CTDPA, SB 3 expands the definition of “sensitive data” to include “consumer health data”. “Consumer health data” encompasses any personal data used by a controller to identify a consumer’s physical or mental health condition or diagnosis, including gender-affirming health data and reproductive or sexual health data.
Controllers that handle consumer health data will be required to:
Obtain opt-in consent to collect or sell consumer health data;
Impose a duty of confidentiality on employees who handle consumer health data;
Prohibit the use of geofencing technology to track, collect data, or send health-related notifications to consumers who visit mental, reproductive, or sexual health facilities.
While the CTDPA’s 60-day cure period has been extended to apply to consumer health data, keep in mind that the cure period only applies from July 1, 2023, to December 31, 2024. Beginning January 1, 2025, the CT Attorney General will have complete discretion on whether to grant businesses an opportunity to cure a violation, which will be determined by the Attorney General based on the “sensitivity of data” implicated.
Is Your Business Prepared for Compliance Implications of SB 3 on July 1?
While businesses outside of the healthcare sector may be quick to dismiss these amendments as inapplicable to their operations, SB 3’s reach can apply to businesses in any industry. To determine whether your business needs to take these additional measures, request detailed information from your business teams to learn more about their marketing and advertising practices. Determine whether your business collects any data that could be interpreted as being related to consumers’ mental health or physical conditions. This may include information such as fitness and wellness information, data related to lifestyle habits, or health-related purchases, all of which could bring you into scope of this amendment.
New Obligations Related to Minors (Anyone Younger than Age 18): Effective October 1, 2024 (Sections 8 through 13)
With the country moving towards an increased emphasis on protecting minors’ data and online safety, SB 3 introduces new requirements for controllers offering online services, products, or features to consumers who the controller has actual knowledge, or willfully disregards, are minors. In line with California’s AADC, SB 3 defines “minors” as any consumer younger than the age of 18.
Key Provisions Include:
Processing Minors’ Data: Controllers subject to these provisions are prohibited from processing a minor’s personal data that is not reasonably necessary for providing the online service, product, or feature, unless the controller meets the necessary consent requirements imposed by the statute.
Precise Geolocation: SB 3 prohibits controllers from collecting precise geolocation from minors unless that geolocation is necessary to provide the online service, product, or feature. If precise geolocation is in fact necessary, the controller must provide a signal to the minor that such precise geolocation data is being collected, for the entire duration of such collection.
Increase, Sustain, or Extend Usage: The amendment also prohibits controllers from using any system design feature to significantly increase, sustain, or extend a minor’s use of the controller’s online service, product, or feature.
Data Protection Assessments (DPAs): DPA requirements will be imposed on controllers who process minors’ personal data, which include an obligation on the controller to identify whether there is a reasonably foreseeable risk of heightened harm to minors resulting from the controller’s online service, product, or feature.
Cure Period: From October 1, 2024, to December 31, 2025, controllers will have a 30-day cure period to cure any violation of sections 8-12, shorter than the 60-day cure period noted for consumer health data above. Beginning January 1, 2026, it will be at the discretion of the Connecticut Attorney General to grant a cure period. A reminder that cure periods under the CTDPA are offered to businesses only if the Connecticut Attorney General determines the violation is able to be cured.
Overall Takeaways
Ahead of the July 1 effective date, re-evaluate your business practices to confirm whether SB 3 is applicable to your business. Start by determining whether your business practices trigger the new provisions on consumer health data, and if so, take the steps needed now to meet compliance requirements.
Next, turn to SB 3’s provisions on minors’ data and online safety. Consider whether your business meets SB 3’s knowledge threshold as a controller who offers online services, products, or features to minors. Taking proactive measures to prioritize the protection of minors’ data will help your business stay a step ahead in this evolving privacy landscape.
Originally published by InfoLawGroup LLP.