Connecticut Shows You Can Have It All
On June 3rd, Connecticut Senate Bill 3 (SB 3), an “Act Concerning Online Privacy, Data and Safety Protections,” cleared the state legislature following unanimous votes in the House and Senate. If enacted by Governor Lamont, SB 3 will amend the Connecticut Data Privacy Act (CTDPA) to create new rights and protections for consumer health data and minors under the age of 18, and also make small-but-impactful amendments to existing provisions of the CTDPA. The bill also contains some standalone sections, such as a section requiring the operators of online dating services within the state to implement new safety features, including a mechanism to report “harmful or unwanted” behavior.
The children’s and health provisions of SB 3 appear to be informed by the California Age-Appropriate Design Code (AADC) and the recently enacted Washington State My Health, My Data Act, respectively, but contain numerous important distinctions. FPF has prepared a comparison chart to help stakeholders assess how SB 3’s youth privacy provisions compare to the California AADC. The provisions related to consumer health data will take effect on October 1, 2023, while the new requirements governing minors’ data and accounts will take effect a year later, on October 1, 2024.
New protections for youth online (Sections 7-13)
Sections 8-13 of SB 3 create new protections for youth online by expanding youth-specific protections to include teens up to 18, placing limits on certain data processing activities, and requiring services to assess risk to minors through data protection assessments. SB 3 appears to draw inspiration from the California Age-Appropriate Design Code Act’s (AADC) obligations and prohibitions but includes many divergences, which are assessed in further detail in a comparison chart. If enacted, these provisions will go into effect on October 1, 2024, with a right to cure until December 31, 2025. Additionally, Section 7 of the bill specifically regulates social media platforms and is largely focused on facilitating requests from a minor or minor’s parent to “unpublish” a minor’s social media account within 15 business days.
1. Scope
The obligations in Sections 8-13 will apply to controllers offering any online service, product, or feature to consumers who the controller has actual knowledge, or wilfully disregards, are minors. “Minors” is defined as any consumers under 18, in line with recently passed legislation in California and Florida. SB 3 borrows the California AADC’s “online service, product, or feature” scope but retains the CTDPA’s “actual knowledge, or wilfully disregards” knowledge standard rather than the California AADC’s “likely to be accessed” standard. As written, it appears that the data protection and design obligations under the proposal would apply on an individualized basis to the minors the bill aims to protect, rather than governing the entire service. There are also no affirmative age estimation requirements within the proposal, so the scope of SB 3 is narrower than that of the California AADC: it applies only to controllers who have actual knowledge, or wilfully disregard, that minors are using their service. These divergences may be a response to the First Amendment objections raised in the NetChoice v. Bonta litigation seeking to strike down the California AADC.
2. Key obligations
SB 3 requires controllers to use reasonable care to avoid “any heightened risk of harm to minors” caused by their service. “Heightened risk of harm to minors” is defined to mean “processing minors’ personal data in a manner that presents any reasonably foreseeable risk of (A) any unfair or deceptive treatment of, or any unlawful disparate impact on minors, (B) any financial, physical or reputational injury to minors, or (C) any physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors if such intrusion would be offensive to a reasonable person.” This requirement is reminiscent of the California AADC’s “material detriment” language, though “material detriment” and “harm” are undefined within the California AADC, and thus SB 3 may provide more clarity to controllers in scope.
Building off the data protection assessment requirements set forth in the CTDPA, SB 3 requires controllers’ data protection assessments to address (1) the purpose of the service, (2) the categories of minors’ personal data processed by the service, (3) the purpose of the data processing, and (4) any heightened risk of harm to minors that is a reasonably foreseeable result of offering the service. The bill specifically notes that a single data protection assessment may address a comparable set of processing operations that include similar activities. If a controller complies with the bill’s data protection assessment requirements, there is a rebuttable presumption in any enforcement action brought by the State Attorney General that the controller used the reasonable care required to avoid heightened risk of harm to minors.
SB 3 includes several data processing limits that are subject to the consent of a minor or a minor’s parent. While 2023 has seen other states pass legislation requiring teens to obtain parental consent, thereby treating all minors the same for purposes of exercising rights online, SB 3 allows minors 13 and older to consent for themselves. Absent consent, controllers are prohibited from processing data that is not reasonably necessary to provide the service, from retaining data for longer than necessary, and from using any system design feature to “significantly increase, sustain or extend” a minor’s use of the service. Although data minimization is a key privacy principle found in most privacy proposals, it is atypical for it to be subject to consent. Targeted advertising and the sale of a minor’s personal data are also subject to the consent of a minor or a minor’s parent, expanding the CTDPA’s existing opt-in requirement, which covers the sale of, or targeted advertising using, the data of teens aged 13 to 15.
In addition to the above limits that are subject to a minor’s consent, SB 3 creates new prohibitions for controllers offering services to minors. Like the California AADC, SB 3 limits the collection of precise geolocation information and requires a signal to be provided while that information is being collected. Neither SB 3 nor the California AADC gives guidance on or further defines “signal,” though the California AADC specifies an “obvious signal.” The bill also includes two design-related prohibitions: controllers may not provide any consent mechanism designed to impair user autonomy or choice, and may not offer direct messaging without providing “readily accessible and easy-to-use safeguards” to limit a minor’s ability to receive messages from adults the minor is not connected with.
New protections for consumer health data (Sections 1-6)
The CTDPA designates data revealing “health condition and diagnosis” information as a sensitive category of personal data subject to heightened protections, including an affirmative consent requirement for processing. SB 3 aims to expand the CTDPA’s protections for consumer health information by (1) creating a new sensitive data category under the CTDPA of “consumer health data,” (2) creating protections governing the collection and processing of “consumer health data,” applicable to a broad range of entities, and (3) establishing restrictions on the geofencing of healthcare facilities.
1. Definitions
If enacted, SB 3 will add eleven new health-related definitions to the CTDPA, including the terms “abortion,” “consumer health data,” “geofence,” “gender-affirming health data,” and “reproductive or sexual health data.” SB 3 is focused on establishing protections for “consumer health data,” defined as “any personal data that a controller uses to identify a consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.” This is a narrower definition of “consumer health data” than the one established under the Washington ‘My Health, My Data’ Act (MHMD), which applies to personal information that “identifies” a consumer’s health status, even if it is not used for a health-related purpose.
SB 3’s focus on data a controller “uses to identify” a physical or mental health condition or diagnosis differs slightly from the CTDPA’s original protection for data “revealing” a mental or physical health condition or diagnosis, in that it centers on the regulated entity’s use of the data rather than on the nature of the data point. Data is subject to these new health data protections when an entity uses it to identify something about a consumer’s health, seemingly including through inference, whether or not the data “reveals” something about the consumer’s health on its face. In addition, SB 3’s definition of “consumer health data” explicitly includes “gender-affirming” and “reproductive or sexual” health data. It remains to be seen what the impact of this distinction will be once these provisions take effect.
2. Expanded Protections for the Collection and Processing of “Consumer Health Data”
SB 3 would create several protections exclusive to consumer health data that apply to “persons,” a category that includes non-profits and small businesses, which are otherwise excluded from coverage under the CTDPA. First, SB 3 requires that any employee or contractor with access to consumer health data be subject to either a contractual or a statutory duty of confidentiality. Second, the Act will forbid entities that collect and process consumer health data from selling that data without prior consumer consent.
3. Restrictions on Geofencing
SB 3 follows MHMD in responding to concerns, raised after Dobbs v. Jackson Women’s Health Organization, about geofencing-facilitated digital harassment of individuals visiting abortion and gender-affirming care facilities. It forbids “persons” from geofencing mental, reproductive, or sexual health facilities for certain purposes: geofencing conducted in order to (1) identify, (2) track, (3) collect data from, or (4) send health-related notifications to consumers. The Act defines “geofence” broadly, as “any technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless fidelity technology data or any other form of location detection, or any combination of such coordinates, connectivity, data, identification or other form of location detection, to establish a virtual boundary.”
Other modifications to CTDPA
In addition to the substantive changes creating new consumer rights for consumer health data and youth data, SB 3 makes minor but meaningful changes to the CTDPA. FPF observes four notable changes:
(1) “Data concerning an individual’s status as a victim of crime” is added to the “sensitive personal data” definition, perhaps inspired by pending legislation in Oregon.
(2) Consistent with other state privacy laws, Tribal nation government organizations and air carriers are carved out of scope of the CTDPA.
(3) The knowledge standard for processing youth data was modified from “actual knowledge and wilfully disregards” to “actual knowledge or wilfully disregards.” This amendment fixes a likely drafting error and aligns the CTDPA’s knowledge standard with the CCPA and Montana’s law, strengthening privacy protections for children.
(4) Finally, SB 3 clarifies the Connecticut Attorney General may consider the “sensitivity of the data” involved in a violation of the CTDPA, along with other factors, when determining whether to grant a controller or consumer health data controller a right to cure.
Conclusion
Connecticut’s unanimous passage of SB 3 reflects the urgency of the new priorities around health and kids’ privacy that have permeated the 2023 legislative session. When the health provisions take effect in October 2023, the modified CTDPA will provide a template for other states that may wish to integrate protections for consumer health data within their comprehensive privacy laws, rather than passing standalone laws like MHMD. Similarly, Connecticut provides a template for states seeking to increase protections for youth online by first setting baseline standards for all consumers and then building on that framework to create heightened protections for those under 18.