The Consumer Health Data Amendments to the Connecticut Data Privacy Act: Six Things to Know

6 minute read | July.24.2023

Connecticut is the third state to adopt consumer health data privacy protections, following Washington’s My Health My Data Act (“MHMD”) and Nevada’s new consumer health data privacy law. It is the first state, however, to embed broad protections for consumer health data as amendments to its omnibus data privacy law, the Connecticut Data Privacy Act (“CTDPA”).

The consumer health data privacy protections in Connecticut’s SB 3 (the bill amending the CTDPA) include heightened restrictions on processing, sharing, and selling consumer health data.

Here are six things to know about the amendments, including key takeaways and next steps for your health data privacy compliance program:

1. Who is regulated?

The amendments regulate a “consumer health data controller” that alone, or jointly with others, determines the purposes and means of processing consumer health data. Consumer health data controllers are subject to the CTDPA even if they do not otherwise meet applicability thresholds. That means that, no matter the number of consumers whose personal data they control or process, or the percentage of their revenue generated from selling personal data, controllers are subject to the amendments if they conduct business in Connecticut or produce products or services that target Connecticut residents.

The amendments provide entity-level exemptions, including for Connecticut’s state and local government agencies, entities contracting with government agencies, institutions of higher education, and entities governed by the GLBA, HIPAA and other federal laws.

Lastly, the CTDPA limits the definition of “consumer” to only Connecticut residents, which is narrower in scope than the MHMD and Nevada’s consumer health data laws. The CTDPA also explicitly excludes from the definition of consumer individuals acting in an employment or commercial context, meaning employee and business-to-business data is not in scope of the CTDPA.

2. What data is covered?

The amendments define “consumer health data” as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis,” including but not limited to “gender-affirming health data and reproductive or sexual health data.”

While the definition is narrower than the consumer health data privacy laws in Washington and Nevada, Connecticut still takes a fairly expansive view of what constitutes consumer health data. For instance, the definition covers any personal data concerning a consumer’s effort to seek, or a consumer’s receipt of, reproductive or sexual health care. In turn, reproductive or sexual health care encompasses a broad range of services or products rendered or provided concerning a consumer’s reproductive system or sexual well-being, from health conditions and diagnoses to the use or purchase of medication, to bodily functions, vital signs or symptoms, and measurements thereof.

The amendments also expand the definition of “sensitive data” to include consumer health data, meaning CTDPA obligations concerning sensitive data will apply to consumer health data. The law requires controllers to:

  • Conduct a data protection assessment for processing activities that present a “heightened risk of harm to a consumer,” including processing sensitive data.
  • Obtain consent from the consumer before processing consumer health data.

The amendments exempt data subject to HIPAA, FERPA, FCRA, employee and job applicant data, information used for emergency contact purposes and to administer benefits, and other categories of data.

3. What are the obligations?

The amendments prohibit:

  • Providing an employee or contractor access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality.
  • Providing any processor with access to consumer health data unless that processor complies with CTDPA obligations on processors, such as the obligation to help controllers meet their obligations under CTDPA, notify controllers of data breaches, and have a written contract that governs the processor’s data processing activities.
  • Using a geofence to establish a virtual boundary within 1,750 feet of any mental health facility or reproductive or sexual health facility in order to identify, track, or collect data from a consumer, or to send any notification to a consumer, regarding their consumer health data.
  • Selling or offering to sell consumer health data without first obtaining the consumer’s consent.

4. When do the provisions go into effect?

The amendments take effect on October 1, 2023 (and not the earlier effective date of July 1, 2023, otherwise applicable to the CTDPA). This is thanks to an addition to the Connecticut state budget law (HB 6941), which pushed back the effective date of the provisions governing consumer health data controllers.

But be careful: The CTDPA’s provisions requiring a data protection assessment and opt-in consent for processing sensitive data currently apply to controllers satisfying the existing CTDPA thresholds. Remember, “sensitive data” already currently includes a “mental or physical health condition or diagnosis.” As of October 1, 2023, these provisions will apply to all consumer health data controllers and consumer health data.

5. How will the provisions be enforced?

The Connecticut Attorney General has the exclusive enforcement authority. There is no private right of action.

  • Between July 1, 2023, and December 31, 2024, the CTDPA requires the Attorney General to notify a controller of a violation and to give the controller 60 days to cure the violation before initiating any action.
  • From October 1, 2023, to December 31, 2024, the amendments require the Attorney General to extend the same cure period to a consumer health data controller.
  • After January 1, 2025, the Attorney General has discretion to provide both a controller or a consumer health data controller with an opportunity to cure an alleged violation.

6. What should companies consider doing?

  • Determine whether you are within the scope of the law. Provisions related to consumer health data, including those related to consumer health data controllers, apply to a wide range of businesses that operate in Connecticut or target Connecticut residents.
  • Identify whether you process any “consumer health data.” Even companies that traditionally do not focus on health care may collect information the law views as “consumer health data” given the expansive definition.
  • Stop using geofences. The law clearly prohibits creating a “virtual boundary” around mental health or reproductive or sexual health facilities, as mentioned above. This is a blanket prohibition (in other words, there is no ability for consumers to consent to geofencing).
  • Build a compliance program. Affected businesses should take care to meet the new obligations imposed, as well as new CTDPA obligations as they pertain to consumer health data, including:
    • Performing a data protection assessment for activities that involve processing consumer health data.
    • Putting in place a process to obtain consumer consent before processing, selling or offering to sell consumer health data.
    • Updating third-party agreements as necessary, including data processing agreements.

Orrick’s Cyber, Privacy & Data Innovation Group helps clients review their state and federal compliance programs, assess the impact of legislative updates on their data processing activities and update their website disclosures and internal data flows in light of regulatory guidance and litigation trends. If you have any questions, please contact an Orrick team member for additional guidance.