Connecticut’s New Law on Consumer Health Data Is Now in Effect—Here’s What You Should Know

Privacy and Data Security

Connecticut is the latest state to establish wide-ranging privacy protections for consumer health data and the first to weave such protections into a preexisting comprehensive consumer privacy law. The new law, S.B. 3, amends the Connecticut Data Privacy Act (CTDPA), which took effect July 1, to include obligations and restrictions on processing, sharing and selling consumer health data that is not otherwise regulated by the federal Health Insurance Portability and Accountability Act (HIPAA).

The amendments—which took effect October 1—include provisions similar to Washington’s My Health My Data Act (MHMD) and Nevada’s health data privacy bill, S.B. 370, both of which will take effect next year. Here are some highlights:

A more expansive definition of health data

The CTDPA already classifies certain health data as “sensitive data” to the extent it “reveal[s] . . . mental or physical health condition or diagnosis.” The amendments expand this definition to include “consumer health data,” which is defined as any personal data that is “use[d] to identify a consumer’s physical or mental health condition or diagnosis, including gender-affirming health data and reproductive sexual health data.” Consumer health data is therefore protected in two ways: through its classification as sensitive data, and through several stand-alone provisions of the amendments that apply to it directly.

Although the CTDPA defines consumer health data more narrowly than its Washington and Nevada counterparts do, it continues the trend of regulating certain data that can be “used” to identify a health condition or diagnosis even if the information is not itself the condition or diagnosis. Also like its counterparts, the law expressly protects information related to reproductive or sexual health care and gender-affirming care.

Applies to organizations of all sizes and regardless of nonprofit status

Many of the current generation of state privacy laws exempt nonprofit organizations and businesses that collect data below specified volume thresholds. Not so with Connecticut’s new health data law, which does not apply the CTDPA’s applicability thresholds to consumer health data. This means that, barring any other potentially applicable exemption, the amendments regulate any entity that processes consumer health data about Connecticut residents.

Like Washington’s MHMD and Nevada’s S.B. 370, the amendments do not contain an exemption for nonprofit entities. The amendments do, however, include several of the CTDPA’s other entity-level exemptions, including for state and local government agencies and their contractors, higher education institutions, and entities governed by HIPAA and the Gramm-Leach-Bliley Act (GLBA).

Opt-in consent may be required for many use cases

The amendments require clear and affirmative (opt-in) consent for any collection, use, disclosure, sale or other processing of consumer health data. Such consent must be freely given, specific, informed and unambiguous. It must also be fully revocable. Accordingly, regulated entities must notify the consumer in easy-to-understand, unambiguous language what they are consenting to and obtain the consumer’s consent voluntarily.

This requirement tracks with recent privacy laws and guidance such as Washington’s MHMD and Nevada’s S.B. 370, which both require opt-in consent for processing consumer health data beyond what is necessary to provide a consumer-requested product or service.

The amendments also align with MHMD, S.B. 370, and recent Federal Trade Commission (FTC) enforcement actions and guidance by requiring affirmative express consent before selling consumer health data. Notably, all three state consumer health laws adopt the broader, California Consumer Privacy Act (CCPA)-like definition of a sale, which covers exchanges of personal data for any valuable consideration whatsoever, even if that consideration is nonmonetary.

Other familiar obligations and restrictions

The amendments require that contracts between a regulated entity and any vendor that processes consumer health data on its behalf contain certain provisions governing what the vendor may do with that data. Among other things, such contracts must set forth processing instructions; the nature, purpose and duration of the processing; and the rights and obligations of both parties.

Regulated entities must also conduct data protection assessments for processing activities related to consumer health data and subject any employees or contractors with access to consumer health data to a statutory or contractual duty of confidentiality.

The amendments also prohibit implementing a geofence around mental health or sexual health facilities when the geofence is used to collect or track data from consumers or to send notifications related to consumer health data. Similar prohibitions are found in MHMD and S.B. 370.

Enforcement falls solely to the attorney general

Washington’s MHMD remains the sole outlier insofar as it allows private individuals to sue regulated entities for violating its law. There is no similar express private right of action for Connecticut residents under the CTDPA or its consumer health data amendments; following the approach taken by most of the current generation of state privacy laws, the Connecticut attorney general has exclusive enforcement authority. A violation of the CTDPA is an unfair trade practice under the Connecticut Unfair Trade Practices Act, and regulated entities therefore may face civil penalties of up to $5,000 per willful violation. From October 1, 2023 through December 31, 2023, the attorney general must notify a covered entity of any violation and provide 60 days to cure it before initiating any action.

Recommended next steps

The amendments took effect on October 1, 2023. Organizations in all industries and lines of business—including nonprofits—should evaluate whether they collect, directly or indirectly, any consumer personal data that might be subject to the more expansive definitions of consumer health data that are now effective in Connecticut. Scrutiny can no longer be limited to whether HIPAA-regulated protected health information (PHI) is collected, and many organizations may be surprised to learn that they have regulated data. The same exercise is recommended in anticipation of the similar laws in Washington and Nevada, which will be effective in March 2024.

The privacy and protection of consumer health data has been a major focus of state and federal regulators alike. The FTC and the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) have both demonstrated increased activity in this area in recent months, and several states—including Illinois, Massachusetts and New York—have pending consumer health data legislation. We will continue to provide updates and guidance on these and other consumer privacy laws as they develop.


© 2024 Manatt, Phelps & Phillips, LLP. All rights reserved.