Connecticut Adds New Privacy Rules for Health Data


Data privacy remains a high priority for state lawmakers, and health data has become a special focus in 2023. California passed an amendment that bolsters protections for reproductive health data, and Washington lawmakers created a sprawling (and highly confusing) privacy law dedicated exclusively to consumer health data.

Connecticut Governor Ned Lamont also signed a bill into law over the summer that protects consumer health data. It is more substantial than the CCPA amendment, but significantly more restrained than Washington’s My Health My Data Act. As a direct change to the existing Connecticut Data Privacy Act (CTDPA), any companies that conduct business in the state should take note.

Here is an overview of the new requirements for businesses.

Consumer Health Data

Most of the changes to Connecticut’s privacy law are related to “consumer health data,” so it’s important to start with an understanding of what that term means. According to the statute:

“Consumer health data” means any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.

Protected health information that is covered by HIPAA is exempted from the CTDPA, so medical records are not what’s at issue here. Rather, it’s other data, not covered by HIPAA, that could nevertheless be used to infer or identify a health issue. For example, if a consumer had purchased items such as a pregnancy test and prenatal vitamins, a retailer could use that information to market other pregnancy-related products based on its assessed likelihood that the consumer is pregnant.

On the other hand, the definition suggests that it’s not enough to simply have that data; the controller has to use it to identify the health condition. In the pregnancy example above, if the retailer simply sold those products to the consumer but didn’t use her purchase history to infer anything or market other products to her, then it would appear that the purchase history is not “consumer health data.”




Geofencing is an important concept in the updated CTDPA, and one that not all businesses may be familiar with. A geofence is technology that uses location data such as GPS coordinates to create a virtual boundary. For example, marketers may use a geofence to display relevant ads if a consumer is within a certain distance of a business.

The Connecticut law creates new rules for using geofences to establish virtual boundaries around mental health facilities and reproductive or sexual health facilities.

Biggest Changes to the Law

The CTDPA amendments contain several major changes for businesses that control consumer health data.

1. Expanded Scope

In a big expansion of the applicability of the CTDPA, all provisions that relate to consumer health data and consumer health data controllers apply to any business that conducts business in Connecticut or produces products or services that are targeted to state residents.

In other words, there is no minimum consumer count that must be met before businesses are required to comply with the new rules about consumer health data.

2. New Types of “Sensitive Data”

Under the CTDPA, “sensitive data” receives extra protection. Specifically, controllers must first get consent before processing any sensitive data.

These are the categories of data that are now considered to be sensitive data:

  1. Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status
  2. Consumer health data
  3. The processing of genetic or biometric data for the purpose of uniquely identifying an individual
  4. Personal data collected from a known child
  5. Data concerning an individual's status as a victim of crime
  6. Precise geolocation data

The addition of consumer health data here seems unnecessary at first, as the first category already includes “data revealing…mental or physical health condition or diagnosis.” However, it makes sense in the context of the CTDPA’s expanded scope for consumer health data (see Section #1 above). In order for the expanded scope to apply to a particular provision, it must explicitly include the words “consumer health data.”

Protection for data revealing a person’s status as a victim of a crime seems to be unrelated to the amendments regarding consumer health data, but businesses should take note anyway.

3. Requirements for Processing Consumer Health Data

The CTDPA amendments add a specialized set of rules for the processing of consumer health data. Controllers are prohibited from doing any of the following:

  1. Providing any employee or contractor with access to consumer health data unless the employee or contractor is subject to a contractual or statutory duty of confidentiality
  2. Providing any processor with access to consumer health data unless the processor meets all of the statutory requirements for processors
  3. Using a geofence to establish a virtual boundary that is within 1750 feet of any mental health facility or reproductive or sexual health facility for the purpose of identifying, tracking, collecting data from, or sending any notification to a consumer regarding the consumer's consumer health data
  4. Selling or offering to sell consumer health data without first obtaining the consumer's consent

The way the law is written, it is ambiguous as to whether a controller is allowed to get consent for all of these activities or just for the sale of consumer health data. Practically speaking, it may not make a difference as controllers are unlikely to request (or receive) consent for the first three items in this list.

Ensuring that employees have a duty of confidentiality is a clear new rule that could affect many businesses. The prohibition on geofencing around certain health facilities is also a big change, though it’s likely to affect fewer businesses.

The rule about processors creates a bit of a conundrum. Under the CTDPA (and other similar privacy laws), a data recipient is only a processor if it meets certain statutory requirements, such as adhering to the controller’s instructions. If a data recipient fails to meet those requirements, it is not a processor. Instead it is considered an independent controller of the data. Therefore this new rule about providing consumer health data to processors seems to have no real meaning, at least on the surface.

The requirement to obtain consent before selling consumer health data also appears to be superfluous. As a type of sensitive data, controllers must obtain consent before any processing of consumer health data, not just for the sale of the data.

Even though the impact of some of these new rules remains unclear, they do send a clear message that consumer health data should be treated with particular care.

Multi-State Privacy Compliance

Privacy laws are more complicated than many realize, and as these amendments to Connecticut’s privacy law show, they can change at any time. The patchwork of statutes and regulations will only grow more complex over time, making compliance very difficult for small and medium-sized businesses.

TrueVault US simplifies privacy compliance across multiple state laws, so that businesses can handle it on their own. With an interface that is familiar to anyone who has done their own taxes online, TrueVault guides you through every step of the process, from onboarding vendors to handling privacy requests. When there are changes to the laws, we incorporate these updates into your Privacy Center at no extra cost, and often with no extra work!

Contact our team to learn more and view a demo of how TrueVault works.
