Connecticut: Governor approves online privacy, data, and protection bill, becoming law

words 1.2K read in 5 minutes, 45 Seconds

New York - Connecticut - The bill on online privacy, data, and security protections was approved by Connecticut Governor Ned Lamont on June 7, 2023, becoming law under the name Senate Bill 3. This act, which brings significant changes to the Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA), is intended to revolutionize the way personal data is handled and provide greater protection for consumers.

The effective dates of several sections of the Act are scheduled in different phases, starting from July 1, 2023. This gradual implementation will give stakeholders the necessary time to comply with the new provisions.

One of the main innovations introduced by the Act is the definition of new terms, including "abortion," "adult," "consumer," "gender affirmation healthcare services," "gender affirmation health data," "geofence," "mental health facility," "person," "reproductive or sexual healthcare services," "reproductive or sexual health data," "reproductive or sexual health facility," and "social media platform." Among the relevant definitions are those of "consumer health data," which refers to any personal data that a data controller uses to identify a consumer's physical or mental condition, including gender affirmation health data and reproductive or sexual health data.

The Act also establishes the role of the "consumer health data controller," defined as a data controller who alone or jointly with others determines the purpose and means of processing consumer health data.

Furthermore, the Act amends the definition of "data controller" to include both a natural person and a legal entity who, alone or jointly with others, determines the purpose and means of processing personal data. The Act also amends the definition of "sensitive data" to include personal data that includes:

Data revealing racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnoses, sexual life, sexual orientation, citizenship or immigration status.
Consumer health data.
Processing of genetic or biometric data for the purpose of uniquely identifying an individual.
Personal data collected from a known child.
Data relating to an individual's status as a victim of a crime.
Precise geolocation data.

The Act also amends the definition of a "third party" as a person, such as a public authority, agency, or entity, other than the consumer, data controller, or data processor, or an affiliate of the processor or data controller.

Furthermore, the Act defines a "minor" as a consumer who is under 18 years old.

One of the significant changes brought by the Act pertains to health data. It will now be prohibited to provide employees or contractors with access to consumer health data unless they are subject to a contractual or legal duty of confidentiality. Similarly, obtaining consumer consent will be required before selling or offering consumer health data for sale.

Additionally, the Act imposes an obligation on social media platforms to comply with minors' requests to remove or delete their social media accounts. Data controllers offering services, products, or online functionalities to consumers must also be aware of minors' age and take appropriate measures to ensure their protection.

In conclusion, the approval of the bill on online privacy, data, and security protections represents a significant step towards ensuring greater privacy protection and consumer rights in Connecticut. These new provisions will contribute to creating a safer online environment and promoting trust in the management of personal data.

Cited and described:

Governor Ned Lamont: The governor of Connecticut who signed Senate Bill 3, making it law.

Senate Bill 3: The bill approved by the Connecticut Senate concerning online privacy, data, and security protections.
Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA): The Connecticut law that regulates personal data privacy and online monitoring. The Senate Bill 3 amends this existing law.
Consumer: A term defined in the Act as a person who uses, purchases, or commits to using or purchasing goods or services.
Consumer Health Data: Personal data used to identify a consumer's physical or mental condition, including gender affirmation health data and reproductive or sexual health data.
Consumer Health Data Controller: A controller of consumer health data who determines the purpose and means of processing such data.
Geofence: A virtual boundary that can be created around a mental health facility or a reproductive or sexual health facility to identify, track, or collect data relating to consumer health data.
Controller: A person or legal entity that determines the purpose and means of processing personal data.
Sensitive Data: Personal data that includes sensitive information such as racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual life, sexual orientation, citizenship, immigration status, precise geolocation data, etc.
Third Party: A person or entity other than the consumer, controller, or data processor.
Minor: A consumer who is under 18 years old.

Technical Glossary:

Abortion: The voluntary termination of pregnancy.
Adult: A person who has reached the age of majority as defined by state law.
Citizen: An individual who holds citizenship of a state or country.
Consumer: A person who uses, purchases, or commits to using or purchasing goods or services.
Consumer Health Data: Personal data used to identify a consumer's physical or mental condition, including gender affirmation health data and reproductive or sexual health data.
Consumer Health Data Controller: A person or entity that determines the purpose and means of processing consumer health data.
Controller: An individual or organization that determines the purpose and means of processing personal data.
Gender Affirmation Healthcare Services: Medical and therapeutic services for transgender or gender non-conforming individuals to affirm their identified gender.
Gender Affirmation Health Data: Data relating to the physical or mental health of an individual that pertains to the gender affirmation process.
Geofence: A virtual barrier that can be created around a specific geographical location to identify, track, or collect data related to that location.
Mental Health Facility: A location that provides services and assistance for mental health issues, diagnoses, and treatments.
Person: An individual or legal entity.
Reproductive or Sexual Health Services: Medical services and counseling related to sexual, reproductive, and contraceptive health.
Reproductive or Sexual Health Data: Data relating to an individual's sexual or reproductive health, including medical data, visit history, and information related to sexual health.
Reproductive or Sexual Health Facility: A location that provides services and assistance for sexual and reproductive health, such as prenatal counseling, sexually transmitted disease screening, and family planning services.
Sensitive Data: Personal data that includes particularly sensitive or private information, such as racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual life, sexual orientation, etc.
Social Media Platform: An online platform that allows users to create, share, and interact with user-generated content.
Third Party: A person or entity other than the consumer, data controller, or data processor.