Connecticut’s privacy law takes effect on July 1, with some key changes after the governor signed Senate Bill 3 on June 26. Some portions of the amendments concerning newly defined “consumer health data” will have immediate effect while others, including those concerning processing children’s data, have more lead time (effective October 1, 2024).  

Will these changes apply to your company?  

Yes, if your company conducts business in Connecticut, you target your goods or services to residents of Connecticut, and you collect or process (or direct others to collect or process on your behalf) “consumer health data.”  

What is “consumer health data”?  

Consumer health data means any personal data that a controller uses to identify a Connecticut consumer’s physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data. It is considered “sensitive data” under Connecticut’s privacy law.  

Who is a Connecticut consumer?  

A Connecticut resident, but not an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit or government agency.

Does Connecticut’s privacy law include a private right of action?  

No. It is only enforceable by the Connecticut Attorney General’s Office.

Is there a cure period for violations of the law?  

Yes, until December 31, 2024, the Connecticut Attorney General must, before initiating an action for violation of this privacy law, issue a notice to the regulated business if the Attorney General determines a cure is possible. A regulated business would have 60 days from receipt of such notice to cure such violation.  

If this law applies to me, what should I do next?  

A non-exhaustive list of considerations for next steps is proposed below.  

  • Consider if your company is processing regulated “consumer health data” of individuals in Connecticut.  
  • If your company was previously relying on the thresholds for triggering Connecticut privacy law and processes Connecticut consumer health data, then prepare to update company data activities to address Connecticut’s law.  
  • If your company is subject to this law and does not already obtain consent before processing this type of data, then work with your website and mobile app teams to update the user experience.

*The information in this alert is a condensed summary and is not exhaustive of all legal requirements, potential exceptions or variables under the referenced laws. This overview does not substitute for considering the legal requirements in their entirety or in light of facts specific to a particular organization.