The Connecticut Data Privacy Act (CTDPA) is operative since July 1, 2023, and so are certain amendments that were signed into law as recently as June 26th, 2023. The amendments focus on protecting consumer health data and protecting minors, with additional consumer health data protections already operative but with some obligations related to minors becoming operative mid to late 2024.
Additional Obligations for Processing Consumer Health Data
As other omnibus US state privacy laws, the CTDPA already applied to health data e.g. by including in its definition of “sensitive data” “data revealing… mental or physical health condition or diagnosis”. With the recent amendments, additional obligations apply to organizations that collect and use “consumer health data” (the same term as used in the Washington state My Health My Data Act, summarized here). In the CTDPA, consumer health data is defined as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive sexual health data”.
Top 5 things to consider if your organization collects consumer health data about Connecticut residents as a consumer health data controller:
1. Obtain consent. Just as with other sensitive data under the CTDPA, organizations must obtain consent before processing consumer health data. Consent means a clear affirmative act signifying freely given, specific, informed and unambiguous agreement.
2. Don’t sell personal data. Selling (any exchange for valuable consideration) consumer health data is not prohibited under the CTDPA. But selling requires consent. With an increasing shift under US state laws towards consent requirements for selling health data, any organization that processes something resembling health data should consider taking steps required not to sell any personal data (such as putting required contractual terms in place). Because obtaining consent is burdensome and unlikely to result in high consent rates.
3. Impose data processing terms. No person shall provide any processor with access to consumer health data unless such person and processor complies with the duties of processors under the CTDPA.
4. Implement binding protocols on workers. Ensure all employees and contractors with access to consumer health data are subject to contractual or statutory duties of confidentiality.
5. Don’t geofence around health facilities. If you operate any mental, reproductive, or sexual health facility, ensure that no geofences are used within 1,750 feet of the same for prohibited purposes such as collecting consumer health data or sending messages to consumers regarding their consumer health data.
Outlook
Unlike the Washington My Health My Data Act, the CTDPA does not include a private right of action. And until December 31, 2024, the Connecticut Attorney General shall, if a cure is deemed possible, issue a notice of violation to the consumer health data controller and give a 60 day cure period before bringing action. But requirements related to consumer health data (and personal data more broadly) are already operative in Connecticut and enforcement will follow. If your organization processes any personal data about Connecticut residents and has not yet taken steps to comply with the CTDPA, it will be most efficient to take steps to comply now and consider how CTDPA compliance can be operationalized along with compliance with privacy laws in other jurisdictions (such as the newly operative Colorado Privacy Act, see recent developments here).
