Connecticut Is Latest State to Broaden Its Online Privacy Law

Connecticut consumers will have more control over how businesses treat information about their health and the data of youth under 18 years old through an expansion of the state’s consumer privacy law.

Lawmakers added the new requirements to the Connecticut Data Privacy Act, which took effect July 1 to provide people with rights over their personal information that include accessing and correcting what companies collect. The amendments related to health data are already in effect while youth and other provisions will come online in 2024.

The action by Connecticut lawmakers reflects growing concerns about safeguarding additional categories of data as numerous states enact baseline consumer privacy protections this year. State privacy laws may continue to morph as newer priorities come into legislators’ focus.

Other states have recently enacted standalone privacy laws related to health data or that regulate a child’s experience online. Attorneys helping clients navigate the state privacy landscape see the potential for more amendments elsewhere.

“It’s clear that these categories of data are top of mind for regulators,” said Kristin Hadgis, partner at Morgan, Lewis & Bockius LLP. “So I think it’s important for businesses to be aware of them. Even if maybe they’re not subject to the particular requirements of certain of these laws, taking a more holistic approach and seeing where the US is heading as far as consumer data privacy is important.”

Geofencing Prohibited

Lawmakers passed Connecticut’s initial state privacy law last year, which allows people to opt out of having their data sold or used for targeted advertising, among other rights. Legislators announced their intent to expand the law earlier this year as part of a safety-focused agenda.

The policy changes (S.B. 3) enacted last month include protecting consumer health information, defined as data used to identify physical or mental health conditions. The category includes gender-affirming care and sexual health data.

Companies can’t sell consumer health data without an individual’s consent under provisions that took effect July 1. The law also prevents geofencing mental health or sexual health facilities for identification, tracking, or collecting data.

Those changes didn’t give a lot of time for business compliance, Hadgis said. The amendments are narrow enough, though, that they will only affect entities collecting consumer health data, she said.

The privacy law expansion will also impact online platforms with users under 18 years old. Social media platforms must remove a minor’s account upon request and stop processing their personal data, with some exceptions, starting July 1, 2024.

Companies will also be limited in how they process a minor’s data and collect geolocation data starting Oct. 1, 2024. Platforms that offer direct messaging must include safeguards for youth that limit unsolicited messages from adults they’re not connected to.

Beyond children, the amended law also includes online dating safety requirements starting Jan. 1, 2024. Platforms must provide safety advice and information on how to report unwanted or harmful behavior.

Changing Landscape

Elsewhere, Colorado’s consumer privacy law also took effect July 1, marking a major compliance deadline for companies. Privacy laws were previously implemented in California and Virginia, while Utah’s law will start at the end of this year.

The new batch of laws are similar to those already in effect but have nuances and differences, said Ryan Blaney, co-head of the global privacy and cybersecurity group at Proskauer Rose LLP and a health care partner. The landscape is constantly changing with new laws and modifications to existing ones, he said.

States including Iowa, Indiana, Florida, Montana, Tennessee, and Texas all recently enacted measures.

“We’re continuing to see these waves of new laws that have slight variations that need to be looked at and need to be addressed in order for companies to be able to comply with them,” Blaney said.

For state requirements related to health and children, the impact depends on the industry, Blaney said. The first step is determining what type of information a business is collecting, he said.