The Connecticut legislature passed Connecticut SB 3 on June 2, 2023. If enacted by the governor, the bill would amend the Connecticut Data Privacy Act (“CTDPA”) to include a number of provisions related to health and minors’ data. Additional detail on the CTDPA can be found in our previous blog post here.
The health-related provisions would take effect on July 1, 2023. Most provisions related to minors’ data would take effect on October 1, 2024. However, requirements that social media platforms “unpublish” or delete certain minors’ accounts would come into effect on July 1, 2024.
As reflected in this bill, state legislatures appear increasingly focused on health privacy. Connecticut’s bill comes on the heels of Nevada’s SB 370, which the Nevada legislature passed and which, if enacted, would impose requirements on consumer health data. Both the Nevada and Connecticut bills resemble Washington’s My Health My Data Act, although they appear generally narrower in scope. For additional detail on Washington’s My Health My Data Act, please review our blog post here.
The bill imposes a number of requirements related to health data.
- Consumer Health Data. The bill would introduce the concept of consumer health data. It would define consumer health data as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.” The bill would amend the definition of sensitive personal information to include consumer health data.
- Consumer Health Data Requirements. Entities would need consent to process or sell consumer health data. Entities would also need to impose certain restrictions on employees, contractors, and processors with access to consumer health data.
- Geofencing. The bill would prohibit entities from using a geofence to establish a virtual boundary within 1,750 feet of a mental, reproductive, or sexual health facility for the purposes of identifying, tracking, collecting from or sending any notification to a consumer regarding his or her consumer health data.
The bill also imposes a number of requirements related to children’s data.
- Social Media Platforms. The bill would require social platforms to “unpublish” or delete social media accounts upon request of a minor or a minor’s legal guardian. Social media platforms would, relatedly, be required to provide a mechanism for submitting such requests. As mentioned above, these requirements would come into effect in July 2024.
- Other. The bill would also impose a number of requirements on controllers that offer online services, products or features to consumers, where the controller has actual knowledge (or willfully disregards) that the consumers are minors. For example, the controllers would be prohibited from processing personal data for targeted advertising or sales; profiling in furtherance of a “fully automated decision” that produces a legal or similarly significant effect; and collecting minors’ precise geolocation (subject to certain exceptions). Such controllers would also be required to conduct data protection assessments.
- Design Features. The bill would also prohibit controllers from using “any system design feature to significantly increase, sustain or extend any minor’s use” of the online service.
The bill would also impose a few miscellaneous requirements.
- Online Dating. The bill would impose requirements on online dating operators, including that the operators maintain online safety centers and adopt policies related to handling harassment reports.
- Task Force. The bill would also establish a “Division of Scientific Services” in the current Department of Emergency Services and Public Protection. Within the new division, the bill would establish the “Connecticut Internet Crimes Against Children Task Force.”