The Connecticut Consumer Data Privacy Act (CTCDPA) took effect on July 1. But last-minute amendments via Connecticut’s Substitute Senate Bill 3 (SB 3) made major changes to the law—and took effect on the same day.
Among other things, and obviously inspired by Washington’s My Health My Data Act, SB 3 adds a new concept of “consumer health data” to the CTCDPA’s list of “sensitive data” types.
Controllers processing consumer health data face strict new rules. And the CTCDPA now applies much more broadly: “Consumer health data controllers” must now comply with the CTCDPA even if they were not covered under the law’s original thresholds.
This article examines the implications for health-related products and services of SB 3’s new definitions, rules, and scope.
Overview of Connecticut’s SB 3
SB 3 amends the CTCDPA (CT Gen Stat § 42-515), creating new provisions across the following seven areas:
- Regulating how businesses process “consumer health data”.
- Prohibiting “geofencing” in certain health-related contexts.
- Creating new rules regarding children’s privacy and social media accounts.
- Amending the rules around warrants directed to “electronic communications services” and “remote computing services” disclosure.
- Establishing a “duty of care” for online dating companies with new obligations to protect users against other users.
- Establishing the Connecticut Internet Crimes Against Children Task Force.
- Requiring employers to disclose instances of sexual harassment and assault among ex-employees in certain contexts.
As noted, this article will focus on the health data-related aspects of SB 3, which will have a significant impact on the law’s scope and requirements.
New type of sensitive data: ‘Consumer health data’
SB 3 adds “consumer health data” as a new category of “sensitive data” under the CTCDPA.
Here’s the definition:
“‘Consumer health data’ means any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.”
So “consumer health data” is any information that:
- Is personal data, and
- A controller uses to identify a consumer’s health condition or diagnosis.
Given the CTCDPA’s broad definition of “personal data”, this definition covers device information and data collected via cookies and similar technologies in certain contexts.
For example, an IP address indicating that an identifiable consumer has used a health-related app or visited a health-related website could be “consumer health data”—if the data is used, for example, to target the consumer with personalized ads.
Note the definition’s emphasis on “gender-affirming health data” and “reproductive or sexual health data”.
- “Gender-affirming health data” means “any personal data concerning an effort made by a consumer to seek, or a consumer’s receipt of, gender-affirming health care services”.
- “Reproductive or sexual health data” means “any personal data concerning an effort made by a consumer to seek, or a consumer’s receipt of, reproductive or sexual health care”.
While the definition is “not limited to” these types of personal data, they are perhaps explicitly referenced in the definition due to the current political and cultural climate in the US.
Broader scope: Application to ‘consumer health data controllers’
SB 3 adds a new definition of “consumer health data controller”: A specific type of “controller” under the CTCDPA that determines the purpose and means of processing consumer health data.
Why does SB 3 distinguish “consumer health data controllers” from “controllers”?
Seemingly because Connecticut wants to regulate the processing of consumer health data by companies of all sizes.
A “regular” controller only falls under the scope of the CTCDPA if it either:
- Controls or processes personal data about at least 100,000 consumers, or
- Controls or processes personal data about at least 25,000 consumers or households, and derives 25% of revenues from selling personal data
These application thresholds do not apply to consumer health data controllers.
To fall under the CTCDPA’s scope, a consumer health data controller only needs to either:
- Conduct business in Connecticut or
- Produce goods or services targeted to Connecticut residents
As such, a “consumer health data controller” must comply with the CTCDPA regardless of how much personal data it processes.
References to “controllers”—and, where relevant, “controllers and processors”—in the CTCDPA are now appended with “and consumer health data controllers”, meaning that consumer health data controllers must comply with the CTCDPA’s existing obligations.
This change significantly broadens the application of the law, which now covers many new types of businesses.
New rule: Consent for processing consumer health data
Because “consumer health data” is now a type of “sensitive data”, controllers must not process consumer health data without the consumer’s consent.
This requirement means consumer health data controllers will generally need to obtain a consumer’s “freely given, specific, informed and unambiguous agreement” before collecting, using, sharing, or doing anything else with the consumer’s health data.
However, note that none of the CTCDPA’s provisions prohibits a controller from providing a service requested by the consumer or performing contractual obligations owed to the consumer, among other activities.
As such, a health-related app (for example) could potentially use consumer health data without consent to provide its core services—but would need to request the consumer’s consent before using their consumer health data for any other purposes (including selling the data).
New rule: Data protection assessments for processing consumer health data
Under the CTCDPA, controllers must conduct and document a data protection assessment before processing “sensitive data”, among other activities.
The requirement to conduct data protection assessments now also applies to “consumer health data”.
The process of conducting a data protection assessment under the CTCDPA remains unchanged. For any given set of processing activities involving consumer health data, a controller must:
1. Identify the benefits that may flow, directly and indirectly, from the processing to:
   - The controller
   - The consumer
   - Other stakeholders
   - The public
2. Weigh these potential benefits against the potential risks to the rights of the consumer, as mitigated by safeguards that can be employed by the controller, taking into account:
   - The use of de-identified data
   - The reasonable expectations of consumers
   - The context of the processing
   - The relationship between the controller and the consumer
New prohibition: Geofencing consumer health data
SB 3 prohibits a controller from using a “geofence” in the context of processing consumer health data.
“Geofencing” involves identifying or targeting individuals based on their proximity to a given location. For example, a business might target ads at a consumer based on device location data that reveals the consumer has visited a healthcare facility.
SB 3 defines a “geofence” as any technology that establishes a “virtual boundary” via:
- Global positioning coordinates
- Cell tower connectivity
- Cellular data
- Radio frequency identification
- Wireless fidelity technology data
- Any other form of location detection
- Any combination of such coordinates, connectivity, data, identification, or other form of location detection
Under SB 3, a controller must not use a geofence to establish a virtual boundary within 1,750 feet of any “mental health facility” or “reproductive or sexual health facility” for the purpose of:
- Identifying a consumer
- Tracking a consumer
- Collecting data from a consumer
- Sending any notification to a consumer regarding their consumer health data
The law defines “mental health facilities” and “reproductive or sexual health facilities” as healthcare facilities in which at least 75% of the services or products are provided for mental health or reproductive or sexual health (respectively).