6 minute read | July 24, 2023
Connecticut is the third state to adopt consumer health data privacy protections, following Washington’s My Health My Data Act (“MHMD”) and Nevada’s new consumer health data privacy law. It is the first state, however, to embed broad protections for consumer health data as amendments to its omnibus data privacy law, the Connecticut Data Privacy Act (“CTDPA”).
The consumer health data privacy protections in Connecticut’s SB 3 (the bill amending the CTDPA) include heightened restrictions on processing, sharing, and selling consumer health data.
Here are six things to know about the amendments, including key takeaways and next steps for your health data privacy compliance program:
The amendments regulate a “consumer health data controller” that alone, or jointly with others, determines the purposes and means of processing consumer health data. Consumer health data controllers are subject to the CTDPA even if they do not otherwise meet applicability thresholds. That means that, no matter the number of consumers whose personal data they control or process, or the percentage of their revenue generated from selling personal data, controllers are subject to the amendments if they conduct business in Connecticut or produce products or services that target Connecticut residents.
The amendments provide entity-level exemptions including for Connecticut’s state and local government agencies, entities contracting with government agencies, institutions of higher education, and entities governed by the GLBA, HIPAA and other federal laws.
Lastly, the CTDPA limits the definition of “consumer” to only Connecticut residents, which is narrower in scope than the MHMD and Nevada’s consumer health data laws. The CTDPA also explicitly excludes from the definition of consumer individuals acting in an employment or commercial context, meaning employee and business-to-business data is not in scope of the CTDPA.
The amendments define “consumer health data” as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis,” including but not limited to “gender-affirming health data and reproductive or sexual health data.”
While the definition is narrower than the consumer health data privacy laws in Washington and Nevada, Connecticut still takes a fairly expansive view of what constitutes consumer health data. For instance, the definition covers any personal data concerning a consumer’s effort to seek, or a consumer’s receipt of, reproductive or sexual health care. In turn, reproductive or sexual health care encompasses a broad range of services or products rendered or provided concerning a consumer’s reproductive system or sexual well-being, from health conditions and diagnoses to the use or purchase of medication, to bodily functions, vital signs or symptoms, and measurements thereof.
The amendments also expand the definition of “sensitive data” to include consumer health data, meaning CTDPA obligations concerning sensitive data will apply to consumer health data. The law requires controllers to:
The amendments exempt data subject to HIPAA, FERPA, FCRA, employee and job applicant data, information used for emergency contact purposes and to administer benefits, and other categories of data.
The amendments prohibit:
The amendments take effect on October 1, 2023 (and not the earlier effective date of July 1, 2023, otherwise applicable to the CTDPA). This is thanks to an addition to the Connecticut state budget law (HB 6941) which pushed back the effective date of the provisions governing consumer health data controllers.
But be careful: The CTDPA’s provisions requiring a data protection assessment and opt-in consent for processing sensitive data already apply to controllers that satisfy the existing CTDPA thresholds. Remember, “sensitive data” already includes a “mental or physical health condition or diagnosis.” As of October 1, 2023, these provisions will apply to all consumer health data controllers and all consumer health data.
The Connecticut Attorney General has the exclusive enforcement authority. There is no private right of action.