Connecticut Expands Regulation of Consumer Data Privacy
The Connecticut legislature passed, and the governor recently signed, amendments to the Connecticut Data Privacy Act (CTDPA), the state's comprehensive consumer data privacy law, which goes into effect July 1, 2023. Some provisions of the new legislation – An Act Concerning Online Privacy, Data and Safety Protections (CT Online Privacy Law) – also take effect July 1, 2023, while other provisions become effective on July 1, 2024, and October 1, 2024. The new law gives minors (and in some cases minors' parents) more control over their personal data and accounts on social media platforms, and introduces new protections for minors' personal data and for the health-related data of Connecticut residents.
We highlight key provisions of the CT Online Privacy Law below.
Enhanced Privacy Protections for Consumer Health Data
Effective July 1, 2023
The new law amends the CTDPA to protect "consumer health data," which includes any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis, including gender-affirming health data and reproductive or sexual health data. The law amends the existing definition of "sensitive data" to include "consumer health data," thereby requiring controllers to obtain consent from consumers before processing such data. It also prohibits any person from selling or offering to sell "consumer health data" without consumers' consent or allowing employees or contractors access to "consumer health data" unless they are subject to contractual or statutory duties of confidentiality.
The law also prohibits the use of "geofences" (i.e., virtual boundaries using GPS, cellular, Wi-Fi, or similar technology within 1,750 feet of any mental health or reproductive or sexual health facility) for the purpose of identifying, tracking, or collecting data from or sending notifications to a consumer "regarding the consumer's consumer health data."
Ability to "Unpublish" and Delete Accounts on Social Media Platforms
Effective July 1, 2024
The CT Online Privacy Law requires social media platforms to give minors – defined as consumers under 18 years of age – the right to "unpublish" (i.e., remove from public visibility) and delete their accounts. Social media platforms will have to describe in their privacy notices, and provide, mechanisms for exercising these rights. After receiving a request, platforms will have 15 business days to "unpublish" an account and 45 business days (with a 45-day extension, when necessary, with notice) to delete the account and cease processing that minor's personal data. Social media platforms are not required to delete accounts when preserving the account or personal data is otherwise permitted or required by applicable law, including as required or permitted under the CTDPA. While minors who are 16 and older must exercise this right themselves, parents may make requests on behalf of minors under 16 years of age.
The CT Online Privacy Law defines "social media platforms" narrowly to include public or semi-public Internet-based services or apps that:
- Are used by consumers in Connecticut,
- Are primarily intended to connect and allow users to socially interact with such service or app, and
- Enable a user to: (a) construct a public (or semi-public) profile for the purpose of signing into the service or app; (b) populate a public list of other users with whom the user shares a social connection through the service or app; and (c) create or post content that is visible to other users (including but not limited to message boards, chat rooms, or a landing page or main feed that shows the user content generated by other users).
The law expressly excludes public (or semi-public) Internet-based services or apps that:
- Exclusively provide email or direct messaging services;
- Primarily consist of news, sports, entertainment, interactive video games, electronic commerce, or content that is preselected by the provider or for which any chat, comments, or interactive functionality is incidental to, directly related to, or dependent on the provision of such content; or
- Are used by and under the direction of an educational entity, including but not limited to learning management systems or student engagement programs.
Unlike other laws that impose obligations regarding minors, the CT Online Privacy Law does not require that the social media platforms have "actual knowledge" or willfully disregard that the consumer is a minor. It does require, however, that the social media platform "authenticate" the request, meaning that the social media platform will not have to comply if it cannot – using reasonable means and making a commercially reasonable effort – determine that the request has been submitted by or on behalf of the minor who is entitled to exercise the right. As part of the authentication process, the individual making the request will need to provide information showing that the account or personal data belongs to a minor, as defined under the law, and this will undoubtedly require some proof of age of the minor account holder.
Violations of this section of the law are unfair or deceptive acts or practices under the Connecticut consumer protection statute and are enforceable by the Connecticut attorney general.
Children's Online Safety Protections
Effective October 1, 2024
The CT Online Privacy Law also creates new obligations for controllers that provide an "online service, product, or feature" to "minors" (here, again, minors are consumers who are under 18 years of age). An "online service, product, or feature" is defined broadly to include any service, product, or feature that is provided online, except for: (1) any telecommunications service, as defined in 47 U.S.C. § 153; (2) broadband Internet access service, as defined in 47 C.F.R. § 54.400; or (3) delivery or use of a physical product.
Controllers that provide an online service, product, or feature to consumers who the controller has actual knowledge are minors (or willfully disregards are minors) must: (1) use "reasonable care" to avoid any "heightened risk of harm" to minors caused by the online service, product, or feature; and (2) conduct a data protection assessment of such online service, product, or feature to, among other things, address any "heightened risk of harm" to minors. A "heightened risk of harm" occurs when a controller processes minors' personal data in a way that creates a reasonably foreseeable risk of: (1) unfair or deceptive treatment of, or unlawful disparate impact on, minors; (2) any financial, physical, or reputational injury to minors; or (3) any physical or other intrusion upon the solitude or seclusion – or the private affairs or concerns – of minors, if such intrusion would be offensive to a reasonable person. Controllers that comply with the requirement to conduct a data protection assessment will be entitled to a rebuttable presumption, in an enforcement action brought by the Connecticut attorney general, that they have complied with the duty to use reasonable care.
Certain Activities Prohibited Without Consent: Controllers that offer an online service, product, or feature and have actual knowledge or willfully disregard that consumers are minors are prohibited from doing the following without the minor's consent (or consent of the minor's parent, if the minor is under 13 years of age):
- Processing a minor's personal data for: (1) targeted advertising; (2) sales; or (3) profiling in furtherance of any fully automated decisions that produce legal or similarly significant effects;
- Processing a minor's personal data except as – or for longer than – reasonably necessary to provide the online service, product, or feature;
- Processing a minor's personal data for any processing purpose other than what the controller disclosed at the time of collection (or is reasonably necessary for and compatible with the processing purpose disclosed);
- Using any system design feature to "significantly increase, sustain, or extend" any minor's use of such online service, product, or feature; or
- Collecting a minor's precise geolocation data, unless – in addition to obtaining the required consent – such precise geolocation data is necessary for the controller to provide such online service, product, or feature (and then only for the time necessary to do so) and the controller provides to the minor a signal – available for the duration of collection – that the controller is collecting such data.
Consent mechanisms may not be designed to substantially subvert or impair, or to manipulate with the effect of substantially subverting or impairing, user autonomy, decision-making, or choice.
Direct Messaging Services: Controllers may not offer any direct messaging "apparatus" for use by minors without providing easily accessible safeguards that limit the ability of adults to send unsolicited communications to minors with whom they are not connected. This provision will not apply to services whose predominant or exclusive function is: (1) email; or (2) direct messaging consisting of text, photos, or videos sent between devices when such messages are shared between – and only visible to – sender and recipient and not posted publicly.
Enforcement and Cure Period: The Connecticut attorney general has exclusive enforcement authority and from October 1, 2024, through December 31, 2025, must give controllers or processors 30 days to cure any alleged violations of these provisions that the attorney general determines (in his or her discretion) the controller may cure. Beginning January 1, 2026, the attorney general will have discretion to provide an opportunity to cure and will consider the following factors in doing so: (1) the number of violations that the controller or processor is alleged to have committed; (2) the size and complexity of the controller or processor; (3) the nature and extent of the controller's or processor's processing activities; (4) whether there exists a substantial likelihood that the alleged violation has caused or will cause public injury; (5) the safety of persons or property; (6) whether the alleged violation was likely caused by a human or technical error; and (7) the sensitivity of the data.
Looking Ahead
State legislators continue to be active in this area – even when they have already passed baseline privacy legislation – so watch this space. DWT's Privacy & Security team will continue to monitor the rapid development of state privacy laws and regulations.