The Consumer Health Data Amendments to the Connecticut Data Privacy Act: Six Things to Know

6 minute read | July.24.2023

Connecticut is the third state to adopt consumer health data privacy protections, following Washington’s My Health My Data Act (“MHMD”) and Nevada’s new consumer health data privacy law. It is the first state, however, to embed broad protections for consumer health data as amendments to its omnibus data privacy law, the Connecticut Data Privacy Act (“CTDPA”).

The consumer health data privacy protections in Connecticut’s SB 3–the bill amending the CTDPA–include heightened restrictions on processing, sharing, and selling consumer health data.

Here are six things to know about the amendments, including key takeaways and next steps for your health data privacy compliance program:

1. Who is regulated?

The amendments regulate a “consumer health data controller” that alone, or jointly with others, determines the purposes and means of processing consumer health data. Consumer health data controllers are subject to the CTDPA even if they do not otherwise meet applicability thresholds. That means that, no matter the number of consumers whose personal data they control or process, or the percentage of their revenue generated from selling personal data, controllers are subject to the amendments if they conduct business in Connecticut or produce products or services that target Connecticut residents.

The amendments provide entity-level exemptions including for Connecticut’s state and local government agencies, entities contracting with government agencies, institutions of higher education, and entities governed by the GLBA, HIPAA and other federal laws.

Lastly, the CTDPA limits the definition of “consumer” to only Connecticut residents, which is narrower in scope than the MHMD and Nevada’s consumer health data laws. The CTDPA also explicitly excludes from the definition of consumer individuals acting in an employment or commercial context, meaning employee and business-to-business data is not in scope of the CTDPA.

2. What data is covered?

The amendments define “consumer health data” as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis,” including but not limited to “gender-affirming health data and reproductive or sexual health data.”

While the definition is narrower than the consumer health data privacy laws in Washington and Nevada, Connecticut still takes a fairly expansive view of what constitutes consumer health data. For instance, the definition covers any personal data concerning a consumer’s effort to seek or, a consumer’s receipt of, reproductive or sexual health care. In turn, reproductive or sexual health care encompasses a broad range of services or products rendered or provided concerning a consumer’s reproductive system or sexual well-being, from health conditions and diagnoses to the use or purchase of medication, to bodily functions, vital signs or symptoms, and measurements thereof.

The amendments also expand the definition of “sensitive data” to include consumer health data, meaning CTDPA obligations concerning sensitive data will apply to consumer health data. The law requires controllers to:

Conduct a data protection assessment for processing activities that present a “heightened risk of harm to a consumer,” including processing sensitive data.
Obtain consent from the consumer before processing consumer health data.

The amendments exempt data subject to HIPAA, FERPA, FCRA, employee and job applicant data, information used for emergency contact purposes and to administer benefits, and other categories of data.

3. What are the obligations?

The amendments prohibit:

Providing an employee or contractor access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality.
Providing any processor with access to consumer health data unless that processor complies with CTDPA obligations on processors, such as the obligation to help controllers meet their obligations under CTDPA, notify controllers of data breaches, and have a written contract that governs the processor’s data processing activities.
Using a geofence to establish a virtual boundary within 1,750 feet of any mental health facility or reproductive or sexual health facility to identify, track, or collect data from, and sending any notification to, a consumer about their consumer health data.
Selling or offering to sell consumer health data without first obtaining the consumer’s consent.

4. When do the provisions go into effect?

The amendments take effect on October 1, 2023 (and not the earlier effective date of July 1, 2023, otherwise applicable to the CTDPA). This is thanks to an addition to the Connecticut state budget law (HB 6941) which pushed back the effective date of the provisions governing consumer health data controllers.

But be careful: The CTDPA’s provisions requiring a data protection assessment and opt-in consent for processing sensitive data currently apply to controllers satisfying the existing CTDPA thresholds. Remember, “sensitive data” already currently includes a “mental or physical health condition or diagnosis.” As of October 1, 2023, these provisions will apply to all consumer health data controllers and consumer health data.

5. How will the provisions be enforced?

The Connecticut Attorney General has the exclusive enforcement authority. There is no private right of action.

Between July 1, 2023, and December 31, 2024, the CTDPA requires the Attorney General to notify a controller of a violation and to give the controller 60 days to cure the violation before initiating any action.
From October 1, 2023, to December 31, 2024, the amendments require the Attorney General to extend the same cure period to a consumer health data controller.
After January 1, 2025, the Attorney General has discretion to provide both a controller or a consumer health data controller with an opportunity to cure an alleged violation.

6. What should companies consider doing?

Determine whether you are within the scope of the law. Provisions related to consumer health data–including those related to consumer health data controllers–apply to a wide range of businesses that operate in Connecticut or target Connecticut residents.
Identify whether you process any “consumer health data.” Even companies that traditionally do not focus on health care may collect information the law views as “consumer health data” given the expansive definition.
Stop using geofences. The law clearly prohibits creating a “virtual boundary” around mental health or reproductive or sexual health facilities, as mentioned above. This is a blanket prohibition (in other words, there is no ability for consumers to consent to geofencing).
Build a compliance program. Affected businesses should take care to meet the new obligations imposed, as well as new CTDPA obligations as they pertain to consumer health data, including:
- Performing a data protection assessment for activities that involve processing consumer health data.
- Putting in place a process to obtain consumer consent before processing, selling or offering to sell consumer health data.
- Updating third-party agreements as necessary, including data processing agreements.

Orrick’s Cyber, Privacy & Data Innovation Group helps clients review their state and federal compliance programs, assess the impact of legislative updates on their data processing activities and update their website disclosures and internal data flows in light of regulatory guidance and litigation trends. If you have any questions, please contact an Orrick team member for additional guidance.

Authors

Thora Johnson Partner, Life Sciences & HealthTech, Cyber, Privacy & Data Innovation

Washington, D.C.

See my bio

Practice:

Technology & Innovation Sector
Life Sciences & HealthTech
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Thora Johnson Partner

Washington, D.C.

Thora works with medical device, pharmaceutical, biotech and digital health companies, helping them navigate the increasingly complex patchwork of state and federal health privacy laws. One client described her to the Legal 500 as a “very practical” advisor providing “exceptional guidance” on health information privacy and HIPAA compliance matters.

Her breadth and depth of experience enable Thora to assist clients in harnessing the power of artificial intelligence and executing data-sharing arrangements, all while protecting health data. As a result, Thora spends much of her time counseling pioneering startups and high-growth companies on responsible innovation in healthcare and life sciences.

Thora brings extensive experience counseling clients, including Fortune 500 companies and brick and mortar providers, on the Health Insurance Portability and Accountability Act (HIPAA) and other state and federal health privacy and regulatory compliance regimes including:

Office of the National Coordinator for Health Information Technology’s interoperability and information blocking regulations
Centers for Medicare & Medicaid Service’s (CMS’s) interoperability and patient access regulations
Part 2 confidentiality requirements applicable to substance abuse records
State health information privacy laws
State consumer privacy laws with special controls for health data
Medicare/Medicaid compliance
Mental Health Parity and Addiction Equity Act (MHPAEA)
Genetic Information Nondiscrimination Act (GINA)
Affordable Care Act (ACA) compliance
Regulatory requirements of the Employer Retirement Income Security Act (ERISA), the Internal Revenue Code, HIPAA, and the ACA as they apply to employer health and wellness plans

Thora routinely helps companies and large employers prepare for and respond to privacy and security incidents involving health information. She also defends clients in government investigations initiated by the OCR, OIG, DOJ, FTC and State AGs, among others.

Alyssa Wolfington Managing Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

New York

See my bio

D:+1 212 506 5000
E: [email protected]

Practice:

Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Alyssa Wolfington Managing Associate

New York

Alyssa navigates clients through privacy programs and policy creation, and provides guidance on compliance with federal, state and international laws and regulations, including the U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states, the General Data Protection Regulation (GDPR), the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA) and state data breach notification laws. She advises clients on security incident response and federal and state investigations related to privacy and data security. She also provides assessments of privacy and security practices for companies carrying out due diligence in the context of corporate transactions.

Michaela Frai Associate, Cyber, Privacy & Data Innovation, Strategic Advisory & Government Enforcement (SAGE)

New York

See my bio

D:+1 617 880 2248
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Michaela Frai Associate

New York

Michaela helps clients build global privacy programs and advises on United States (U.S.) state and federal consumer privacy laws, including the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and the Colorado Privacy Act. Her work also includes counseling on compliance with the General Data Protection Regulation (GDPR).