One year after Connecticut became the fifth state in the nation to adopt a consumer data privacy law, the state Legislature again emerges as a data privacy leader by adding protections for consumer health data and minors to the Connecticut Data Privacy Act (“CTDPA”). With unanimous votes in the state House and Senate, An Act Concerning Online Privacy, Data and Safety Protections, Public Act 23-56 (the “Act”), heads to the Governor’s desk. [Update: the Governor signed the Act on June 27, 2023.]
While the Act’s consumer health data provisions are not as extensive as those in Washington’s My Health, My Data Act, they apply more broadly than the CTDPA’s consumer data provisions. Under the Act, a for-profit or nonprofit business that collects or uses any consumer health data of Connecticut residents will need to meet specific requirements, including consent to collect or use such data, unless an exemption applies.
And there won’t be much time to assess and implement, as the new consumer health data provisions take effect at the same time as the rest of the CTDPA: July 1, 2023.
Consumer Health Data
The Act broadly defines consumer health data as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.” Consumer health data is also deemed sensitive data under the CTDPA.
The Legislature also creates a subcategory of a controller under the CTDPA: controller of consumer health data. This is a controller that, alone or jointly with others, determines the purpose and means of processing consumer health data.
As noted above, the consumer health data provisions have broader applicability than the consumer data privacy provisions in the CTDPA. First, there is no applicability threshold. Any amount of consumer health data will trigger the provisions unless an exemption applies. Second, there is no nonprofit entity level exemption.
Importantly, the Act provides an entity-level exemption for covered entities and business associates under the Health Insurance Portability and Accountability Act (“HIPAA”). Therefore, most healthcare providers, and most businesses performing work on behalf of healthcare providers, are not subject to the consumer health data provisions.
Except for nonprofits, all other entity-level exemptions from the CTDPA apply. Moreover, all 16 data-level exemptions from the CTDPA apply as well (e.g., financial, health and educational information protected under other laws, research information, employment information, etc.).
Obligations of Controllers of Consumer Health Data
Under the Act, controllers of consumer health data must:
- Obtain clear, affirmative and freely given consent to process, sell or offer to sell consumer health data;
- Not provide employees or contractors with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality;
- Not provide processors with access to consumer health data unless the controller has a contract with the processor that meets the requirements set forth in the CTDPA (Conn. Gen. Stat. §42-521);
- Not use a geofence to establish a virtual boundary that is within 1,750 feet of a mental health facility or reproductive or sexual health facility (where mental health or reproductive services comprise at least 70% of the services provided at such facility) for the purpose of identifying, tracking, collecting data from or sending any notification to a consumer regarding the consumer’s health data; and
- Conduct a data protection assessment for processing activities as required under the CTDPA because consumer health data is considered sensitive data under the CTDPA (Conn. Gen. Stat. §42-522).
Failing to comply could subject controllers of consumer health data to enforcement by the Connecticut Attorney General’s Office under the Connecticut Unfair Trade Practices Act. As with other violations of the CTDPA, there is a cure period available through the end of 2024 if the Attorney General’s Office determines that the controller could cure the violation. There is no private right of action.
For-profit and nonprofit organizations of all sizes that are not entitled to an entity-level exemption should:
- Assess the data they collect, maintain and use to determine whether they are subject to the consumer health data provisions; and
- If they determine that consumer health data is involved and no exemption applies, as part of meeting the requirements outlined above:
  - Determine whether it is necessary to process consumer health data and, if not, consider altering data collection and processing practices;
  - If processing consumer health data is necessary, limit employee and contractor access to the minimum required, which reduces risk to the data and will likely be helpful in the data protection assessment;
  - Where employee access is necessary, consider whether existing policies already set forth confidentiality obligations covering consumer health data that employees acknowledge in writing; such a written acknowledgement likely satisfies the duty-of-confidentiality requirement. If no such policy exists, consider creating one with a written acknowledgement; and
  - Establish a contracting process for third parties that require access to consumer health data to perform services, and ensure that the process incorporates the processor contract requirements set forth in the CTDPA as well as duty-of-confidentiality language.
Provisions Regarding Minors
The Act also contains two distinct sections on minors. The first requires social media platforms to unpublish (take down) a minor’s account within 15 business days of a request and to delete an account within 45 business days of a request. Social media platforms must provide information on how to submit requests to unpublish or delete accounts. These provisions take effect on July 1, 2024.
Second, the Act adopts an age-appropriate design code framework that is not as stringent as some in other states. These requirements apply to controllers offering an online service, product or feature to consumers that the controller knows or should know are under the age of 18. Such controllers These provisions take effect on October 1, 2024.
Consumer data privacy and the protection of sensitive data has been a major focus of state legislatures so far this year. This past legislative session, five additional states adopted consumer data privacy laws like the CTDPA and many others seriously considered such legislation. Additionally, several states passed laws protecting minors’ online activity and consumer health data privacy. These efforts are sure to continue. One is left to wonder whether this flurry of state legislative activity coupled with more aggressive enforcement by federal agencies like the Federal Trade Commission will spur Congress to act.