The Consumer Health Data Amendments to the Connecticut Data Privacy Act: Six Things to Know

6 minute read | July.24.2023

Connecticut is the third state to adopt consumer health data privacy protections, following Washington’s My Health My Data Act (“MHMD”) and Nevada’s new consumer health data privacy law. It is the first state, however, to embed broad protections for consumer health data as amendments to its omnibus data privacy law, the Connecticut Data Privacy Act (“CTDPA”).

The consumer health data privacy protections in Connecticut’s SB 3–the bill amending the CTDPA–include heightened restrictions on processing, sharing, and selling consumer health data.

Here are six things to know about the amendments, including key takeaways and next steps for your health data privacy compliance program:

1. Who is regulated?

The amendments regulate a “consumer health data controller” that alone, or jointly with others, determines the purposes and means of processing consumer health data. Consumer health data controllers are subject to the CTDPA even if they do not otherwise meet applicability thresholds. That means that, no matter the number of consumers whose personal data they control or process, or the percentage of their revenue generated from selling personal data, controllers are subject to the amendments if they conduct business in Connecticut or produce products or services that target Connecticut residents.

The amendments provide entity-level exemptions including for Connecticut’s state and local government agencies, entities contracting with government agencies, institutions of higher education, and entities governed by the GLBA, HIPAA and other federal laws.

Lastly, the CTDPA limits the definition of “consumer” to only Connecticut residents, which is narrower in scope than the MHMD and Nevada’s consumer health data laws. The CTDPA also explicitly excludes from the definition of consumer individuals acting in an employment or commercial context, meaning employee and business-to-business data is not in scope of the CTDPA.

2. What data is covered?

The amendments define “consumer health data” as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis,” including but not limited to “gender-affirming health data and reproductive or sexual health data.”

While the definition is narrower than the consumer health data privacy laws in Washington and Nevada, Connecticut still takes a fairly expansive view of what constitutes consumer health data. For instance, the definition covers any personal data concerning a consumer’s effort to seek or, a consumer’s receipt of, reproductive or sexual health care. In turn, reproductive or sexual health care encompasses a broad range of services or products rendered or provided concerning a consumer’s reproductive system or sexual well-being, from health conditions and diagnoses to the use or purchase of medication, to bodily functions, vital signs or symptoms, and measurements thereof.

The amendments also expand the definition of “sensitive data” to include consumer health data, meaning CTDPA obligations concerning sensitive data will apply to consumer health data. The law requires controllers to:

Conduct a data protection assessment for processing activities that present a “heightened risk of harm to a consumer,” including processing sensitive data.
Obtain consent from the consumer before processing consumer health data.

The amendments exempt data subject to HIPAA, FERPA, FCRA, employee and job applicant data, information used for emergency contact purposes and to administer benefits, and other categories of data.

3. What are the obligations?

The amendments prohibit:

Providing an employee or contractor access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality.
Providing any processor with access to consumer health data unless that processor complies with CTDPA obligations on processors, such as the obligation to help controllers meet their obligations under CTDPA, notify controllers of data breaches, and have a written contract that governs the processor’s data processing activities.
Using a geofence to establish a virtual boundary within 1,750 feet of any mental health facility or reproductive or sexual health facility to identify, track, or collect data from, and sending any notification to, a consumer about their consumer health data.
Selling or offering to sell consumer health data without first obtaining the consumer’s consent.

4. When do the provisions go into effect?

The amendments take effect on October 1, 2023 (and not the earlier effective date of July 1, 2023, otherwise applicable to the CTDPA). This is thanks to an addition to the Connecticut state budget law (HB 6941) which pushed back the effective date of the provisions governing consumer health data controllers.

But be careful: The CTDPA’s provisions requiring a data protection assessment and opt-in consent for processing sensitive data currently apply to controllers satisfying the existing CTDPA thresholds. Remember, “sensitive data” already currently includes a “mental or physical health condition or diagnosis.” As of October 1, 2023, these provisions will apply to all consumer health data controllers and consumer health data.

5. How will the provisions be enforced?

The Connecticut Attorney General has the exclusive enforcement authority. There is no private right of action.

Between July 1, 2023, and December 31, 2024, the CTDPA requires the Attorney General to notify a controller of a violation and to give the controller 60 days to cure the violation before initiating any action.
From October 1, 2023, to December 31, 2024, the amendments require the Attorney General to extend the same cure period to a consumer health data controller.
After January 1, 2025, the Attorney General has discretion to provide both a controller or a consumer health data controller with an opportunity to cure an alleged violation.

6. What should companies consider doing?

Determine whether you are within the scope of the law. Provisions related to consumer health data–including those related to consumer health data controllers–apply to a wide range of businesses that operate in Connecticut or target Connecticut residents.
Identify whether you process any “consumer health data.” Even companies that traditionally do not focus on health care may collect information the law views as “consumer health data” given the expansive definition.
Stop using geofences. The law clearly prohibits creating a “virtual boundary” around mental health or reproductive or sexual health facilities, as mentioned above. This is a blanket prohibition (in other words, there is no ability for consumers to consent to geofencing).
Build a compliance program. Affected businesses should take care to meet the new obligations imposed, as well as new CTDPA obligations as they pertain to consumer health data, including:
- Performing a data protection assessment for activities that involve processing consumer health data.
- Putting in place a process to obtain consumer consent before processing, selling or offering to sell consumer health data.
- Updating third-party agreements as necessary, including data processing agreements.

Orrick’s Cyber, Privacy & Data Innovation Group helps clients review their state and federal compliance programs, assess the impact of legislative updates on their data processing activities and update their website disclosures and internal data flows in light of regulatory guidance and litigation trends. If you have any questions, please contact an Orrick team member for additional guidance.

Authors

Thora Johnson Partner, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C.

Thora has extensive experience counseling clients on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans
Price transparency and surprise billing rules applicable to hospitals and health plans

Kyle Kessler Senior Associate, Cyber, Privacy & Data Innovation, Conformité & Règlementation

Los Angeles

See my bio

M:+1 310 251 5299
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Conformité & Règlementation
Technology Transactions
Technology & Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Kyle Kessler Senior Associate

Los Angeles

Kyle advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, social media and technology on a range of EU and U.S. federal and state privacy laws. Kyle’s strategic counseling advice includes, but is not limited to:

U.S. state privacy laws in California, Colorado, Connecticut, Utah and Virginia (CCPA, CPRA, CPA, CTDPA, UCPA, VCDPA)
Consumer health privacy laws, including Washington’s My Health My Data
US data broker laws, including California's Delete Act
Children's Online Privacy Protection Act (COPPA)
Computer Fraud and Abuse Act (CFAA)
Contest and Sweepstakes Laws
Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
Europe (EU) General Data Protection Regulation (GDPR)
EU e-Privacy Directive
UK's Age Appropriate Design Code (Children's Code)
False, Misleading, or Deceptive Acts or Practices
Federal Trade Commission Act (FTC)
Health Insurance Portability and Accountability Act (HIPAA)
Health Information Technology for Economic and Clinical Health Act (HITECH)
Restore Online Shoppers' Confidence Act (ROSCA)
Retail Sales Laws
Advertising and Payment Card Self-Regulatory Frameworks
State Breach Notification and Security Laws
Telephone Consumer Protection Act (TCPA)

Kyle works with clients to develop internal privacy and security compliance programs, including assisting with privacy audits and data mapping, valuating privacy and security risks in corporate transactions, advising companies through the full pre-IPO and post IPO diligence cycle, drafting and negotiating data-related vendor and arrangement contracts, meeting with teams to assist with privacy by design, developing internal and external privacy policies for employees, customers, and contractors, drafting and training on the implementation of consumer rights requests, and developing comprehensive security programs and policies.

She partners with her clients to provide practical business counsel, with an in-house and outside counsel perspective. She regularly counsels startups and tech companies through the funding life cycle, or in connection with the launch of innovative technology, products, or platforms. Kyle's background in marketing, publication relations and communications enhances the consumer protection support she provides clients. She drafts disclosure and consent frameworks in compliance with privacy and consumer protection regulations. Kyle also helps develop, implement, administer regulatory compliance programs for all aspects of promotional and customer-facing activities, including:

Contests and sweepstakes
Direct mail, email, in-store and online, social media and text messaging advertisements and marketing campaigns
Gift cards
Influencer and social media agreements and endorsements
Price comparisons
Print advertisements and product placements
Reward and loyalty programs

Kyle is active in the LGBTQ+ community and helps lead Orrick's LGBTQ+ Attorney Affinity Group. She was also selected to participate in the Leadership Council on Legal Diversity's (LCLD) 2022 Pathfinders Program.

Before joining Orrick, Kyle was an in-house attorney at a company named to Forbes' 100 Largest Private Companies list.

Alyssa Wolfington Managing Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

New York

See my bio

D:+1 212 506 5000
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Alyssa Wolfington Managing Associate

New York

Alyssa navigates clients through privacy programs and policy creation, and provides guidance on compliance with federal, state and international laws and regulations, including the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR), the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws. She advises clients on security incident response and federal and state investigations related to privacy and data security. She also provides assessments of privacy and security practices for companies carrying out due diligence in the context of corporate transactions.