Connecticut Health Data Protection Requirements: Key Laws and a Practical Compliance Guide

Kevin Henry

Data Privacy

December 29, 2025

9 minutes read

Connecticut Data Privacy Act Overview

The Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2023. It establishes baseline obligations for data controllers and processors and grants Connecticut residents robust Consumer Data Rights. At a high level, the CTDPA requires purpose limitation, data minimization, reasonable security, and an explicit mechanism for consent and consent revocation.

Scope and thresholds

  • General CTDPA applicability: in the preceding calendar year, you controlled or processed personal data of at least 100,000 consumers (excluding data processed solely to complete a payment transaction), or at least 25,000 consumers while deriving more than 25% of gross revenue from the sale of personal data.
  • Exception for health data: any Connecticut Consumer Health Data Controller is in scope regardless of those thresholds if it conducts business in the state or targets Connecticut residents.

Core controller duties and Privacy Notice Obligations

  • Publish a clear, meaningful privacy notice that discloses categories of personal data, processing purposes, how to exercise and appeal rights, categories of data shared, categories of third parties, and a contact method.
  • Honor opt-out requests for targeted advertising, sale of personal data, and certain profiling. Beginning January 1, 2025, you must also recognize a universal opt-out preference signal (such as Global Privacy Control) with consumer consent.
  • Execute contracts with processors addressing confidentiality, deletion/return, subprocessor flow-downs, audits/assessments, and assistance with compliance.
  • Maintain reasonable administrative, technical, and physical safeguards appropriate to the volume and sensitivity of data processed.

Consumer Health Data Amendments

Connecticut augmented the CTDPA with consumer health data provisions effective October 1, 2023. These provisions define “consumer health data,” create the Connecticut Consumer Health Data Controller concept, and add targeted Health Data Processing Prohibitions.

Key rules you must implement

  • Confidentiality: do not grant employees or contractors access to consumer health data unless they are bound by a statutory or contractual confidentiality duty.
  • Processor controls: do not provide processors access to consumer health data unless your contract meets CTDPA processor standards.
  • Geofencing ban: you may not use a geofence within 1,750 feet of a reproductive or sexual health facility or a mental health facility to identify, track, collect data from, or send notifications to consumers about their consumer health data.
  • Sale restriction: you may not sell, or offer to sell, consumer health data without first obtaining the consumer’s consent (an Explicit Consent Requirement).

Sensitive Data Processing Rules

The CTDPA treats several categories as “sensitive data,” including consumer health data, genetic and biometric identifiers used for unique identification, precise geolocation, data revealing racial or ethnic origin, religious beliefs, sex life/sexual orientation, citizenship or immigration status, personal data of a known child, and an individual’s status as a victim of crime.

  • Explicit Consent Requirement: do not process sensitive data without opt-in consent. For a known child, comply with COPPA and obtain verifiable parental consent as required.
  • Teens aged 13–15: do not sell their personal data or process it for targeted ads without the teen’s consent.
  • Data-Protection Impact Assessment: before processing activities that present a heightened risk of harm—targeted advertising, sale of personal data, certain profiling with significant effects, or any sensitive data processing—conduct and document a risk assessment comparable to a Data-Protection Impact Assessment and be prepared to provide it confidentially to the Attorney General upon request.

Consumer Rights Under CTDPA

Connecticut residents can exercise the following rights and expect timely responses:

  • Access and confirmation: know whether you process their data and access it (subject to trade-secret protections).
  • Correction: fix inaccuracies, considering the data’s nature and processing purposes.
  • Deletion: delete personal data provided by or obtained about the consumer; for data sourced elsewhere, you may retain minimal records to honor future deletion or opt the consumer out of further processing.
  • Portability: receive a copy in a portable, readily usable format where processing is automated.
  • Opt out: targeted advertising, sale of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

Timelines and process: you must respond without undue delay and within 45 days (with one 45‑day extension if reasonably necessary). If you deny a request, you must provide an appeal process and respond to the appeal in writing within 60 days, including a method to contact the Attorney General if the appeal is denied.


Enforcement and Compliance Procedures

Attorney General Enforcement is exclusive under the CTDPA; there is no private right of action. From July 1, 2023 through December 31, 2024, violations generally received a 60‑day cure period when curable. Beginning January 1, 2025, any cure opportunity is discretionary and may consider factors such as the number of violations, organization size/complexity, processing scope, injury likelihood, and data sensitivity.

Penalties and exposure

  • CTDPA violations are treated as unfair trade practices under state law. The Attorney General may seek civil penalties of up to $5,000 per willful violation, as well as injunctive relief, restitution, and disgorgement where appropriate.
  • During investigations, the Attorney General may require production of your data protection assessments; these are confidential and exempt from public disclosure.

Exemptions from CTDPA

Entity-level exemptions include state and local government bodies, their contractors acting on their behalf (for consumer health data processing under contract), nonprofit organizations, institutions of higher education, registered national securities associations, financial institutions and data subject to GLBA, HIPAA covered entities and business associates, tribal nation government organizations, and air carriers regulated by federal law.

Data-level exemptions include, among others: HIPAA-protected health information; substance-use disorder patient records under 42 U.S.C. 290dd‑2; human-subjects research under 45 C.F.R. 46, 21 C.F.R. Parts 6/50/56, and ICH‑GCP; patient safety work product; de‑identified health information under HIPAA; public health activities; FCRA-regulated data; DPPA, FERPA, and Farm Credit Act data; and certain employment-context, emergency contact, and benefits-administration data. These exemptions also appear for consumer health data with substantially similar scope.

Practical Steps for Compliance

1) Confirm scope and roles

  • Map where you do business and whether you target Connecticut residents. Determine if you meet CTDPA thresholds and whether you are a Connecticut Consumer Health Data Controller (thresholds do not apply to health data controllers).

2) Inventory data and classify sensitivity

  • Catalog data flows, sources, purposes, recipients, retention, and location. Tag consumer health data, biometric/genetic identifiers, precise geolocation, minors’ data, and other sensitive categories.

3) Update your privacy notice to meet the Privacy Notice Obligations

  • Disclose required elements: categories, purposes, rights and appeals, sharing, third parties, and contact method. If you sell personal data or engage in targeted advertising, provide a clear opt-out mechanism and a conspicuous link enabling consumer or authorized-agent opt-out.

4) Implement consent and opt-out controls

  • Implement explicit opt-in for all sensitive data processing and for any sale of consumer health data. For teens aged 13–15, obtain consent before targeted advertising or sale. Honor universal opt-out signals by default starting January 1, 2025.

5) Complete a Data-Protection Impact Assessment

  • Conduct and document assessments for targeted advertising, sale of personal data, profiling with significant effects, and all sensitive data processing (including consumer health data). Record mitigations and be prepared to furnish assessments confidentially to the Attorney General.

6) Tighten vendor and employee controls

  • Execute CTDPA‑compliant processor contracts and flow down obligations to subprocessors. Limit workforce access to consumer health data and bind employees/contractors to confidentiality.

7) Engineer geolocation and geofencing safeguards

  • Disable or block geofencing tactics within 1,750 feet of reproductive/sexual health and mental health facilities when such tactics would identify, track, collect, or message consumers regarding their health data.
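One way to enforce this step in a campaign-review pipeline, as an added illustration rather than code from the article or from Accountable: the check below rejects any geofence whose edge comes within the 1,750-foot buffer of a protected facility. The facility coordinates are constructed samples, and the haversine distance formula and the reading of the buffer as measured from the fence boundary (not its center) are assumptions.

```python
"""Pre-deployment check that blocks geofences near protected health facilities."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_FT = 20_902_231.0   # mean Earth radius (6,371 km) in feet
PROTECTED_BUFFER_FT = 1_750.0    # buffer distance stated in the CTDPA health data provisions


@dataclass(frozen=True)
class Point:
    lat: float
    lon: float


@dataclass(frozen=True)
class Geofence:
    name: str
    center: Point
    radius_ft: float


def distance_ft(a: Point, b: Point) -> float:
    """Great-circle distance between two points using the haversine formula (assumption)."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_FT * asin(sqrt(h))


def conflicting_facilities(fence: Geofence, facilities: dict[str, Point]) -> list[str]:
    """Facilities lying inside the fence or within the buffer of its edge; empty means deployable."""
    hits = []
    for name, loc in facilities.items():
        # Gap between the fence boundary and the facility; negative means the facility is inside.
        edge_gap = distance_ft(fence.center, loc) - fence.radius_ft
        if edge_gap < PROTECTED_BUFFER_FT:
            hits.append(name)
    return hits


# Constructed sample data: illustrative coordinates, not real facility locations.
PROTECTED_FACILITIES = {
    "clinic-A (reproductive health)": Point(41.7658, -72.6734),
    "clinic-B (mental health)": Point(41.7700, -72.6900),
}


def review_campaign(fences: list[Geofence]) -> dict[str, list[str]]:
    """Map each fence name to the facilities that block it."""
    return {f.name: conflicting_facilities(f, PROTECTED_FACILITIES) for f in fences}


if __name__ == "__main__":
    fences = [
        Geofence("downtown-store", Point(41.7658, -72.6740), 300.0),  # ~160 ft from clinic-A
        Geofence("suburban-mall", Point(41.7200, -72.6000), 500.0),   # several miles away
    ]
    for name, blocked_by in review_campaign(fences).items():
        print(f"{name}: {'BLOCK' if blocked_by else 'ok'} {blocked_by}")
```

A fence that contains a facility outright yields a negative edge gap and is blocked by the same comparison, so the check needs no separate containment branch.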

8) Operationalize rights, security, and recordkeeping

  • Stand up verified rights workflows (45‑day SLA with one extension), an appeals process, secure data export, and deletion options. Maintain reasonable security controls and keep decision logs for consent, opt-outs, appeals, and assessments.

Conclusion

Connecticut’s framework blends comprehensive privacy obligations with consumer health data safeguards. If you determine scope accurately, embed explicit consent and opt-out controls, complete risk assessments, update notices and contracts, and harden geofencing and security practices, you will satisfy the CTDPA’s core requirements and the state’s targeted health data protections.

FAQs

What businesses are subject to Connecticut health data protection requirements?

Any business that conducts business in Connecticut or targets Connecticut residents may be subject. The general CTDPA thresholds apply to most controllers (100,000 consumers, or 25,000 with more than 25% revenue from personal data sales). Separately, any Connecticut Consumer Health Data Controller is covered regardless of thresholds. Entity- and data‑level exemptions (e.g., HIPAA/GLBA, nonprofits, higher education, government bodies) can take specific activities out of scope.

How does the CTDPA regulate the sale of consumer health data?

Sale of consumer health data is prohibited without the consumer’s prior consent. Because consumer health data is “sensitive,” you also need opt‑in consent to process it at all. Your privacy notice must explain what you collect, why, with whom you share it, and how consumers can opt out and appeal. Teens aged 13–15 require their own consent before you sell their data or use it for targeted advertising.

What rights do consumers have under Connecticut data privacy laws?

Consumers can confirm and access their data, correct inaccuracies, delete data, and obtain a portable copy. They can opt out of targeted advertising, the sale of personal data, and profiling that produces legal or similarly significant effects. You must respond within 45 days (with a possible 45‑day extension), offer an appeal process with a 60‑day decision window, and accept authorized‑agent and universal opt-out signals.

What are the penalties for non-compliance with Connecticut health data laws?

The Connecticut Attorney General has exclusive enforcement authority. Violations of the CTDPA (including its consumer health data provisions) constitute unfair trade practices under state law, with civil penalties up to $5,000 per willful violation, plus potential injunctive relief, restitution, and disgorgement. As of January 1, 2025, any cure period is discretionary and based on factors like violation count, organization size/complexity, and data sensitivity.
