Connecticut Act Expands Online Privacy, Data and Safety Protections

11.07.2023

The Connecticut Act concerning Online Privacy, Data and Safety Protections (Online Privacy Act), also known as Public Act 23-56, was signed into law on June 26, 2023, and will take effect on July 1, 2024. The law amends the Connecticut Data Privacy Act (CTDPA) to expand online privacy protections for Connecticut residents.

Health Data

One of the key provisions of the new law is the expanded definition of “personal data” to include “consumer health data.” Consumer health data is defined as any personal data that a data controller uses to identify a consumer's physical or mental health condition or diagnosis, including gender-affirming health data and reproductive or sexual health data. The law requires businesses to obtain the consumer’s consent before processing consumer health data. The Online Privacy Act amends the CTDPA’s existing consent requirement, which only applies to the processing of sensitive data.

Businesses must also provide consumers with access to their consumer health data and the ability to delete it. Additionally, businesses are prohibited from using geofences to track consumers within 1,750 feet of mental health or reproductive or sexual health facilities for the purpose of identifying, tracking, collecting data from, or sending any notification to, a consumer regarding the consumer’s health data.

Children’s Data

The Online Privacy Act also includes a number of provisions aimed at protecting children's online privacy. For example, social media platforms must provide children under the age of 18 with the right to "unpublish" and delete their accounts from public visibility. Social media platforms must also describe and provide, in their privacy notice, mechanisms to exercise these rights. The law also prohibits controllers from using any systems or design features to significantly “increase, sustain, or extend” a minor’s use of the controller’s online service, product or feature. The law also presumptively prohibits the processing of minors’ data for targeted advertising, sale or profiling.

In addition, the new law requires businesses that collect personal data from minors to obtain consent (including parental consent for minors under the age of 13). Businesses must also provide parents with access to their children's personal data and the ability to delete it. Violations of this section of the law are considered unfair or deceptive acts or practices under the Connecticut consumer protection law.

Other Changes

The Online Privacy Act also makes a number of other changes to the CTDPA, such as:

  • Clarifying the requirements for controllers to provide consumers with privacy notices.
  • Requiring controllers to conduct data protection assessments for certain types of processing, including when the controller provides an online service, product or feature to consumers who the controller has actual knowledge are minors.
  • Expanding the Attorney General’s enforcement powers.
  • Establishing the Connecticut Internet Crimes Against Children Task Force within the Division of Scientific Services.

Companies should consider whether they fall within the scope of these new amendments. In particular, companies should be mindful that the consumer health data provisions apply to a wide range of businesses, not just those that are regulated by HIPAA. Businesses should take care to meet the new obligations implemented by the Online Privacy Act as they pertain to consumer health data and children’s use of information online.

If you have questions about the Connecticut Act, please contact a member of the Cybersecurity & Privacy team.