The Connecticut Data Privacy Act (CTDPA) took effect on July 1. But last-minute amendments via Connecticut’s Substitute Senate Bill 3 (SB 3) made major changes to the law.
This article will examine SB 3’s ambitious new requirements around children’s personal data, most of which apply from October 2024. These include new rules on targeted ads, system design, and data protection assessments, among many other provisions.
This law will seriously affect many companies covered by the CTDPA that process personal data about consumers aged under 18.
Overview of Connecticut’s SB 3
SB 3 amends several parts of the CTDPA (CT Gen Stat § 42-515).
The bill provides new rules around processing data about children, which we’ll cover in detail below.
In addition to these new requirements relating to children’s personal data, SB 3 also provides:
- New rules and prohibitions relating to “consumer health data”.
- Changes to how law enforcement authorities direct warrants towards “electronic communications services” and “remote computing services”.
- A new “duty of care” for online dating companies.
- A new requirement for employers to disclose instances of sexual harassment and assault among their ex-employees when providing employment references.
- The creation of a new state task force for safeguarding children.
As noted, this article will focus on the children’s privacy aspects of SB 3.
New definition: ‘Minor’
SB 3 adds a new definition to the CTDPA: “Minor”, meaning “any consumer who is younger than eighteen years of age”.
The CTDPA already provides rules on processing personal data about “children”, but the law links the definition of a “child” to that of the Children’s Online Privacy Protection Act (COPPA). Under COPPA, a “child” is “an individual under 13”.
So, following SB 3, the CTDPA applies to processing personal data about two different groups of young people:
- “Minors” (consumers under 18)
- “Children” (consumers under 13)
To further complicate matters, some of SB 3’s requirements only apply to minors under 16. We’ll make this all clear as we talk through the bill.
Existing CTDPA provisions regarding ‘children’
The CTDPA’s rules regarding “children” (consumers under 13) remain unchanged following the enactment of SB 3.
Here’s a brief summary of those existing provisions:
- Personal data “collected from a known child” (we’ll call this “children’s data”) is a type of sensitive data.
- Controllers must only process children’s data in compliance with COPPA (including by providing notice to—and obtaining consent from—a child’s parent or guardian under certain conditions).
- Controllers must allow a child’s parent or guardian to exercise consumer rights on the child’s behalf.
- Controllers must conduct a data protection assessment before processing personal data collected from a known child (or any other type of sensitive data).
Not all these provisions around “children” apply when processing data about “minors”.
But because SB 3 does not exclude children under 13 from the definition of “minor”, the rules around “minors” do also apply to “children” (under 13) – except in one specific context, which we’ll highlight below.
New requirements for controllers offering services used by minors
SB 3 provides new requirements for controllers offering an online service, product, or feature to minors, meaning any controller that:
- “Offers any service, product, or feature” (“service”) to consumers, and
- Has “actual knowledge” that the service is used by minors, or
- “Willfully disregards” whether the service is used by minors.
The “actual knowledge” and “willful disregard” thresholds are not defined in the CTDPA.
But based on the way these terms are normally used, it would appear that this part of SB 3 does not apply to a controller that—using reasonable means and making a commercially reasonable effort—determines that no minors are using its services.
We’ll call such controllers a “controller that offers services to minors” as shorthand.
New rules on using minors’ personal data
SB 9 tightly regulates how controllers that offer services to minors use minors’ personal data and design their products and services.
None of the provisions we cover in this section applies if the controller has obtained consent from:
- The minor
- If the minor is under 13, the minor’s parent or guardian (in line with COPPA)
These provisions also do not apply in the context of services provided under the direction of an “educational entity”.
New principles: Purpose limitation, storage limitation
SB 3 provides new rules similar to the principles of “purpose limitation” and “storage limitation” found in other data protection and privacy laws.
The law prohibits a controller that offers services to minors from processing minors’ personal data:
- In any way that is not reasonably necessary to provide the service
- For any purpose:
- Not disclosed at the time of collecting the minor’s personal data
- Incompatible with providing the service
- For any longer than necessary to provide the service
New prohibitions: Targeted ads, selling personal data, profiling
SB 3 prohibits a controller that offers service to minors from using minors’ personal data for any of the following activities:
- Targeted advertising
- Selling personal data
- Profiling in the areas of
- Financial or lending services
- Education enrollment or opportunity
- Criminal justice
- Employment opportunity
- Health care services
- Access to essential goods or services
New rule: System design
SB 9 prohibits a controller that offers services to minors from using “any system design feature” to “significantly increase, sustain or extend any minor’s use of such online service, product or feature”.
Hopefully, this somewhat ambiguous provision will be substantiated in future regulation.
New prohibition: Location data
The law prohibits a controller that offers services to minors from collecting a minor’s precise geolocation data (within 1,750 feet) unless:
- The data is reasonably necessary for the controller to provide the service, and
- The data is collected for the shortest time necessary, and
- The controller displays a signal showing the minor that their precise geolocation data is being collected throughout the collection.
New prohibition: Dark patterns
SB 3 prohibits a controller offering services to minors from using a consent mechanism that is designed with the intention of—or that has the effect of—substantially subverting or impairing “user autonomy, decision-making or choice”.
This amounts to a prohibition on obtaining consent via “dark patterns” that arguably existed in the CTDPA before SB 3.
New prohibition: Messaging apps
The law bans controllers from offering direct messaging apps for use by minors unless they include “readily accessible and easy-to-use safeguards” to prevent adults from sending unsolicited communications to minors “with whom they are not connected”.
This ban does not apply to email and private direct messaging apps.
New definition: ‘Heightened risk of harm to minors’
SB 9 introduces new requirements around data processing that presents a “heightened risk of harm to minors”.
A “heightened risk of harm to minors” means processing minors’ personal data in a manner that presents “any reasonably foreseeable risk” of the following in respect of minors:
- Unfair or deceptive treatment
- Unlawful disparate impact
- Financial, physical or reputational injury
- Any intrusion, insofar as it would be offensive to a “reasonable person” on:
- Solitude or seclusion
- Private affairs or concerns
New requirement: Data protection assessment for minors
A controller offering services to minors must take “reasonable care” the ensure its services do not create a heightened risk of harm to minors.
To achieve this, the controller must undertake an enhanced data protection assessment.
This data protection assessment must comply with the usual CTDPA requirements for data protection assessment, and also address:
The purpose of the online service, product or feature (“service”)
- The categories of minors’ personal data that the service processes
- The purposes for processing minors’ personal data with respect to the service
- Any reasonably foreseeable heightened risk of harm to minors
If the controller identifies any heightened risk of harm to minors, it might implement measures to mitigate or eliminate this risk.
The controller must also:
- Review the data protection assessment following any material change in the service
- Retain the assessment for as long as the service remains in operation and for a minimum of three years
A controller that has conducted a data protection assessment in this manner will be assumed to have taken reasonable care to avoid a heightened risk of harm to minors unless the Attorney General can show otherwise.
New rules for social media platforms
SB 3 provides new rules specific to social media platforms.
The law defines a “social media platform” as a “public or semi-public internet-based service or application” (“platform”) with certain characteristics that we’ve summarised as follows:
- It is used by a consumer in Connecticut
- It is primarily intended to enable users to “socially interact” within the platform
- It enables a user to:
- Create a public or semi-public profile used to sign into the platform
- Create a public list of other users the user interacts with on the platform (i.e., “follow”, “friend”, or “connect with” people)
- Create or post content that is visible to other users
The definition explicitly excludes platforms or services that:
- Exclusively provide email or direct messaging services
- Primarily provide content about topics of interest, where user interactions are incidental to that content (for example, a news website that allows comments under articles)
- Are used “under the direction of an educational entity” (e.g. learning management systems)
Unpublishing and deleting minors’ social media accounts
SB 3 effectively provides a new consumer right for minors—and, in some cases, their parents or guardians.
We can think of SB 3 as creating “the right to delete or unpublish a social media account”, although the law does not use this phrase.
Social media platforms must have a process allowing minors to “unpublish” or “delete” their accounts.
- “Unpublish” means “to remove a social media account from public visibility”.
- “Delete” requires the platform to:
- Delete the minor’s account, and
- Stop processing the minor’s personal data except for purposes permitted under the CTDPA and other applicable law.
These unpublish and deletion rights must be available for:
- Minors, and
- The parents or guardians of minors under 16
As with other CTDPA consumer rights, a social media platform must comply with a valid request to unpublish or delete a minor’s social media account within a specific time period:
- Unpublish: Within 15 days of receiving a request.
- Delete: Within 45 days, with a further 45-day extension available if reasonably necessary and if the minor (or parent) is notified within the original 45-day period.
The social media platform must establish one or more “secure and reliable means” for minors or their parents to submit a request to unpublish or delete the minor’s social media account and to authenticate the minor’s (or their parent’s) identity.
The social media platform must describe the above process in its privacy notice.