June 2023

1. Right To Privacy / Constitutional Protection

Although Connecticut does not have an explicit constitutional right to data privacy, the state has enacted a variety of key privacy laws that are intended to protect a residents’ privacy with respect to their personal information. Thus, despite the state's lack of an explicit constitutional right to data privacy, the following key privacy laws demonstrate the state's commitment to addressing and protecting its resident’s individual privacy concerns.

2. Key Privacy Laws

The key privacy laws include:

• §36a-701b of Chapter 669 of Title 36a the General Statutes of Connecticut ('Conn. Gen. Stat.') ('the Data Breach Notification Law');
• §42-470 et seq. of Chapter 743dd of Title 42 of the Conn. Gen. Stat., specifically:
  • Conn. Gen. Stat. §42-470 ('the Social Security Number Protection Law'); and
  • Conn. Gen. Stat. §42-471 ('the Personal Information Safeguarding Law').
• Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') (Effective July 1, 2023)

Moreover, Senate Bill 3, for an act concerning online privacy, data, and safety protections ('Public Act No. 23-56') became law and will enter into effect across 2023 and 2024. In particular, the Public Act No. 23-56 makes amendments to the CTDPA on data relating to minors and health.

Additional Sections provide specific rules for state contractors and insurance companies:

• §4e-70 of Chapter 62a of Title 4e of the Conn. Gen. Stat. ('the State Contractors Law');
• §4e-71 of Chapter 62a of Title 4e of the Conn. Gen. Stat. ('the Confidential Information Sharing Law'); and
• §38a-38 of Chapter 697 of Title 38a of the Conn. Gen. Stat. ('the Insurance Data Security Law').

Scope of Application and Key Definitions

Data Breach Notification Law

Under the Data Breach Notification Law, electronic personal information is protected. 'Personal information' is defined as an individual's first name or first initial and last name in combination with one, or more, of the following data:

• social security number;
• driver's license number or state identification card number;
• account number, credit, or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account;
• individual taxpayer identification numbers, such as social security numbers, or identity protection personal identification numbers issued by the Internal Revenue Service ('IRS');
• passport numbers, military identification numbers, or other identification numbers used by the government to verify an individual's identity;
• medical information regarding an individual's medical history, including their mental or physical condition, treatment, or diagnoses;
• health insurance policy information, including policy numbers, subscriber identification numbers, and any other unique identifiers issued by the insurer; and
• biometric information consisting of data generated by electronic measurements of an individual's unique physical characteristics used to authenticate or ascertain an individual's identity, such as fingerprints, voiceprints, and retina or iris images.

The Data Breach Notification Law further defines personal information to include an individual's username or e-mail address when combined with a password or security question and answer that would make an online account accessible.

However, the Data Breach Notification Law explicitly states that information which is otherwise lawfully made available to the public through federal, state, or local government records, or widely distributed media is excluded from the definition of personal information under the law.

Under the Data Breach Notification Law, a 'breach of security' is defined as unauthorized access to, or acquisition of:

• electronic files;
• media;
• databases; or
• computerized data which contains personal information.

Particularly, the Data Breach Notification Law extends to breaches of security involving computerized data when access to personal information has not been secured by encryption, or technological method that would ensure that the personal information is unreadable or otherwise usable.

In the event of a breach of security, those who are subject to compliance with the statute are statutorily required to notify the Connecticut Attorney General ('AG') and the affected resident(s) without 'unreasonable delay.' However, the AG and any affected resident(s) must be notified no later than 60 days after the breach was initially discovered. If additional residents are identified whose personal information was breached, or reasonably believed to have been breached after that initial 60 day period, those subject to compliance must notify the affected resident(s) as soon as possible. If an entity subject to compliance with the statute reasonably determines that a breach of security is unlikely to result in harm to the affected individual(s) after engaging in an appropriate investigation, then notification is not required.

Under certain circumstances, such as when a breach of security involves an individual's social security and/or tax identification numbers, entities are required to provide each affected individual with at least 24 months of identity theft prevention and mitigation services at no cost to the affected individual(s). Entities must also provide the affected individual(s) with all the necessary information required for the individual to enroll in the services being offered and to place a credit freeze on their affected file.

Further, if a breach of security involves an individual's username or e-mail address, in combination with a password or security question and answer that would allow access to the individual’s online account, the entity must instruct the affected individual(s) to change any password(s), security question(s), and answer(s) used to access the affected online account and any other accounts in which the individual uses the same information to access.

Social Security Number Protection Law

Under the Social Security Number Protection Law, those parties who collect social security numbers are prohibited from intentionally displaying an individual’s social security number publicly, or otherwise requiring an individual to:

• print their social security number on any card required to access products and/or services;
• send their social security number over the Internet, unless a secure connection is being used or the social security number is encrypted; or
• use their social security number to access a website, unless a password, unique identification number or other form of authentication is also required.

Personal Information Safeguarding Law

Under the Personal Information Safeguarding Law, paper or electronic personal information is protected. 'Personal information' under the Personal Information Safeguarding Law statute is defined in a slightly different manner than it is under the Data Breach Notification Law as it relates to information that can be associated with a specific individual through one or more identifiers, such as a:

• social security number;
• driver's license number;
• state identification card number;
• account number;
• credit or debit card number;
• passport number;
• alien registration number;
• health insurance identification number; or
• any military identification information.

However, like the Data Privacy Notification Law, the definition of 'personal information' under the Personal Information Safeguarding Law also excludes information that has been made lawfully available to the public through federal, state or local government records, or such information that has otherwise been made available by widely distributed media.

CTDPA

On May 10, 2022, the CTDPA was signed into law, making Connecticut the fifth U.S. state to enact a state-level privacy law. The CTDPA is intended to protect consumer's privacy by providing them with rights over their personal information and establishing a framework for controlling and processing personal data.

The CTDPA limits the definition of a 'consumer' to individuals who reside in the State of Connecticut and does not extend to individuals acting in a 'commercial or employment context' or those who are employees, owners, directors, officers or contractors of an entity. However, the CTDPA broadly defines 'personal data' as any information that is or can be reasonably linked to an 'identifiable individual.' As with the Data Privacy Notification Law and Personal Information Safeguarding Law, the CTDPA’s definition of 'personal data' excludes information that has been made lawfully available to the public through federal, state or local government records, or such information that has otherwise been made available by widely distributed media.

Like similar consumer privacy laws that have gone into effect in other states, the CTDPA provides consumers with a variety of rights, such as:

• the right to access and confirm whether a controller is processing their personal data;
• the ability to correct any false or inaccurate personal data;
• the right to delete personal data that has been 'provided by, or obtained about' the consumer;
• the right to obtain a 'portable copy' of the personal data in which a controller has processed; and
• the right to opt-out of the processing of their personal data being obtained for the purpose of targeted advertisements, the 'sale of personal data' or 'profiling in connection with automated decisions that produce legal or similarly significant effects concerning the consumer.'

It should be noted that under the CTDPA, the 'sale of personal data' is limited to exchanging a consumer's personal data for money or 'other valuable consideration.' It does not include:

• a controller's disclosure of personal data to a processer that is processing data on the controller's behalf;
• disclosing personal data to a third party in relation to a product or service that was requested by the consumer;
• a controller's disclosure of personal data to one of its affiliates;
• a controller's disclosure of personal data when the consumer has instructed the controller to disclose the personal data or intentionally utilizes the controller to interact with a third party;
• personal data that a consumer has intentionally made available to the public without restriction to a limited audience; or
• personal data that has been disclosed or transferred as an asset to a transaction in which a third party takes control of the original controller's assets.

As noted above, the CTDPA becomes effective on July 1, 2023. It is crucial that those subject to its requirements take necessary steps to comply with its provisions.

Who Must Comply?

Data Breach Notification Law

Under the Data Breach Notification Law, any person who conducts business in the State of Connecticut, and who, in the ordinary course of such person's business, owns, licenses or maintains computerized data, that includes personal information, must comply with the obligations outlined in the statute.

However, despite the statutory timeframe provided for notifying individuals affected by a breach of security, those who are subject to compliance with other federal laws such as the Health Insurance Portability and Accountability Act of 1996 ('HIPAA') or the Health Information Technology for Economic and Clinical Health Act ('HITECH') should be aware that there may be a shorter window for providing affected individuals with notice. Nonetheless, entities that are required to comply with the notification requirements under HIPAA and/or HITECH are still required to notify the AG and provide individuals with appropriate identity theft prevention and/or mitigation services in accordance with the Data Breach Notification Law.

Social Security Number Law

Despite the statutes reference to 'person[s]' subject to compliance, for purposes of this law, a 'person' is broadly defined to include both individuals and entities. However, it should be noted that the statute’s definition of a 'person' does not extend to the state or any of its political subdivisions or agencies. Further, the statute is not intended to prevent a person from using or otherwise releasing a social security number when required by state or federal law for 'internal verification or administrative purposes.'

Personal Information Safeguarding Law

Under the Personal Information Safeguarding Law, any person who possesses personal information must safeguard any data, computer files, and documents containing personal information from being misused by third parties. The person possessing personal information is required to destroy, erase or make any data unreadable prior to disposing of data, computer files and documents. Additionally, those who engage in the collection of social security numbers in the ordinary course of business are subject to both the Social Security Number Law and Personal Information Safeguarding Law.

CTDPA

The CTDPA is specifically intended to regulate 'controllers' and 'processors' of data. A 'controller' is defined as an individual or legal entity that determines the purpose in which and the method of processing an individual’s personal data. A 'processor' refers to the legal entity or individual that processes personal data on a controller's behalf. Specifically, those conducting business or engaging in product production in Connecticut or otherwise targeting their services towards Connecticut residents are subject to compliance if:

• an individual or entity annually controlled or processed 100,000 or more consumers' personal data in the past year, unless such data was controlled or processed for the sole purpose of finalizing payment for a transaction; or

• 25% or more of the controller's or processor's gross revenue was received from the sale of personal data and involved 25,000 or more consumers' personal data.

Despite the CTDPA's limited applicability to controllers and processors, those entities and individuals that have controlled and processed significant amounts of consumers' personal data within the previous year will be subject to compliance.

Data controllers have a variety of obligations under the CTDPA, such as:

• to provide consumers with notice regarding the categories of personal data being processed, any purpose(s) for which the data is being used, and inform consumers regarding the methods they may exercise their rights under the CTDPA;
• to limit the personal data they collect to only what is 'reasonably necessary' and adequately related to the 'specific purpose' for which the data is processed;
• to ensure their methods for collection and agreements for processing data are compliant and reasonably safeguard personal data in a secure manner;
• to conduct assessments over their processing methods to ensure consumers are not at a heightened risk for having their rights discriminated against; and
• respond to consumers' requests when exercising their rights under the CTDPA.

Among other obligations, the requirements under the CTDPA will require data controllers to utilize a variety of safeguards and response mechanisms to maintain compliance. Data processors must abide by controllers' instructions and also consider the nature in which the personal data is being processed, including accessibility to the data. Processors must take 'reasonably practicable' steps to ensure that the controller can respond to consumer requests and conduct necessary data protection assessments.

Enforcement

The Privacy and Data Security Department of the AG enforces the state laws governing notification of data breaches, safeguarding of personal information and protection of social security numbers and other sensitive information. This department is also responsible for enforcement of federal laws under which the AG has enforcement authority, including HIPAA, the Children's Online Privacy Protection Act of 1998 ('COPPA'), and the Fair Credit Reporting Act of 1970 ('FCRA'). This office can investigate data breaches and bring claims under the Connecticut Unfair Trade Practices Act ('CUTPA'), under Chapter 735a of Title 42 of the Conn. Gen. Stat. or seek settlements with offending parties. There are separate penalties for violations of the Social Security Number Law and the Personal Information Safeguarding Law.

The CTDPA does not allow for a private right of action for consumers. The AG has exclusive authority to enforce any CTDPA violations. Entities that intentionally violate the CTDPA may be subject to up to $5,000 in civil penalties per violation.

Social Security Number Law/Personal Information Safeguarding Law

Under both the Social Security Number Law and the Personal Information Safeguarding Law, a person that intentionally violates any provision is subject to a $500 civil penalty for each violation. All civil penalties received pursuant to a violation of the statute is to be deposited into the Privacy Protection Guaranty and Enforcement Account.

The Commissioner of Consumer Protection ('the Commissioner') is responsible for maintaining and utilizing the Privacy Protection Guaranty and Enforcement Account to reimburse affected individuals for losses sustained due to another person's violation of the statute. The Commissioner may also utilize the account funds for enforcement of the statutory regulations, such as for conducting investigations and holding hearings for any violating person(s).

If a person who is alleged to be in violation of the statute refuses to appear or otherwise cooperate with the Commissioner's request(s), the Superior Court may order the violating person to comply to further aid in enforcement. Additionally, the Commissioner may request the AG to apply to the Superior Court for a temporary or permanent restraining order to prevent any person from further violating the statutory requirements.

3. Health Data

Connecticut has, in its evidentiary rules, in Chapter 889 of Title 52 of the Conn. Gen. Stat., a series of laws that protect communications and records disclosed between a patient and their mental health provider. Depending on the provider type (e.g., psychiatrist, physician, psychologist, social worker, marital and family therapist, etc.), these statutes differ slightly in how each defines terms like 'communication' and 'record,' as well as the circumstances where the patient's consent is not required prior to disclosure of such communications and records. While these statutes are in the evidentiary rules, healthcare providers in Connecticut afford greater protection to mental health records due to these laws, as the protections offered in the statutes are stricter than HIPAA. If violated, it is unclear at present how Connecticut would enforce these laws outside of permitting or excluding evidence in a case.

§20-7c of Chapter 369 of Title 20 of the Conn. Gen. Stat. governs patients' right to access their health record, and provides limited exceptions pursuant to which a provider may withhold information from the health record if such provider determines the information would be detrimental to the physical or mental health of the patient or is likely to cause the patient to harm themselves or another individual.

There are also Connecticut laws that allow minors to consent to certain medical treatment, and to keep such medical treatment confidential, subject to certain restrictions:

• §19a-216 of Chapter 368e of Title 19a of the Conn. Gen. Stat. regarding examination or treatment of minor for sexually transmitted disease;
• §17a-688 of Chapter 319j of Title 17a of the Conn. Gen. Stat. regarding treatment for drug and alcohol dependence;
• §19a-582 of Chapter 368x of Title 19a of the Conn. Gen. Stat. regarding general consent for HIV-related testing;
• §19a-116 of Chapter 368a of Title 19a of the Conn. Gen. Stat. regarding regulation of facilities which offer abortion services; and
• §19a-14c of Chapter 368a of Title 19a of the Conn. Gen. Stat. regarding the provision of outpatient mental health treatment to minors without parental consent.

§19a-550 of Chapter 368v of Title 19a of the Conn. Gen. Stat. is the State of Connecticut patients' bill of rights for those individuals who are patients of a nursing home, residential care home or chronic disease hospital. This statute assures confidential treatment of personal and medical records and certain rights regarding the release of records to individuals outside of the facility.

Further, note that 'covered entities' and 'business associates' as defined under HIPAA are exempt from the CTDPA and are not otherwise subject to the new requirements.

4. Financial Data

The key law governing financial privacy in the State of Connecticut is the Banking Law of Connecticut under Title 36a of the Conn. Gen. Stat. ('the Banking Law').

Key Definitions

§36a-41 of the Banking Law defines a financial institution as a bank, Connecticut credit union, federal credit union, an out-of-state bank that maintains a branch in Connecticut, and an out-of-state credit union that maintains an office in Connecticut.

Financial records are defined as any original or any copy, whether physically or electronically retained, of (§36a-41 of the Banking Law):

• a document providing signature authority over a deposit account or a share account with a financial institution;
• a statement, ledger card, or other record on any deposit account or share account with a financial institution showing each transaction in or with respect to that account;
• any check, draft, or money order drawn on a financial institution or issued and payable by such an institution; or
• any item, other than an institutional or periodic charge, made pursuant to any agreement by a financial institution and a customer which constitutes a debit or credit to that person's account with that financial institution, if the information does not consist of a check, draft, or money order payable by the financial institutions.

Financial Institution Requirements

Connecticut law requires financial institutions (i.e., banks, state and federal credit unions, out-of-state banks, trusts and credit unions that have a branch/office in Connecticut, Connecticut banking law licensees or other entity subject to the Banking Commissioner's jurisdiction) to comply with the Gramm-Leach-Bliley Act of 1999 ('Gramm-Leach-Bliley Act') provisions with respect to customer privacy and protection of non-public information under §36a-44a of the Banking Law on customer protections.

With certain exceptions, this prohibits financial institutions from disclosing customer financial records without the customer's prior authorization. §36a-42 of the Banking Law enumerates eight  such exceptions; §36a-43 of the Banking Law discusses the requirements to disclose financial records pursuant to lawful authority; and §36a-44 of the Banking Law sets forth 18 additional exceptions regarding the confidential treatment of customer records.

Further note that “banking and account information” are part of the definition of 'personal information' under the Data Breach Notification Law.

Note also that those financial institutions subject to the Gramm-Leach-Bliley Act are exempted from compliance with the CTDPA.

Violations

Known and willful violations of the abovementioned statutes may result in a Class C misdemeanor under Connecticut law.

§53a-36 of Chapter 952 of Title 53a of the Conn. Gen. Stat. defines penalties for a Class C misdemeanor as an imprisonment that cannot exceed three months, which is exclusive of any monetary penalties that may also be imposed.

§53a-42 of Chapter 952 of Title 53a of the Conn. Gen. Stat. defines penalties for a Class C as a fine of an amount not to exceed $500.

5. Employment Data 

Key Laws

Under §31-40x(b) of Chapter 557 of Title 31 of the Conn. Gen. Stat., employers may not:

• request or require that an applicant or employee give an employer their username and password, password, or any other means of authentication to access a personal online account;
• request or require that an applicant or employee access or authenticate a personal online account in the employer's presence; or
• require an applicant or employee to invite the employer or accept an invitation from the employer to join a group affiliated with any of the applicant's or employee's personal online accounts.

An employer may not retaliate against an applicant or employee because they refuse any of the above prohibited requests, or because they file (or cause to be filed) any compliant with a court concerning the employer's violation of this statute.

There are certain exceptions to these prohibitions:

• an employer is not precluded from complying with applicable law;
• an employer is not prohibited from conducting an investigation to ensure compliance with applicable law or prohibitions against work-related conduct when it receives specific information about activity on an employee's or applicant's personal online account;
• an employer may conduct an investigation accessing a personal online account about an employee's or applicant's unauthorized transfer of such employer's proprietary information, confidential information or financial data to or from a personal online account operated by an employee, applicant or other source; and
• monitoring, reviewing, accessing or blocking electronic data stored on an electronic communications device paid for, in whole or in part, by an employer, or traveling through or stored on an employer's network, in compliance with state and federal law.

Any employer conducting an investigation pursuant to this statute may require an employee or applicant to allow the employer to access their personal online account for the purpose of conducting such investigation, provided the employer shall not require such employee or applicant to disclose the username and password, password, or other authentication means for accessing such personal online account.

Under Conn. Gen. Stat. §31-40x(a)(5), a 'personal online account' is defined as any online account that is used by an employee or applicant exclusively for personal purposes and unrelated to any business purpose of such employee's or applicant's employer or prospective employer, including, but not limited to, electronic mail, social media and retail-based internet websites. A personal online account does not include any account created, maintained, used or accessed by an employee or applicant for a business purpose of such employee's or applicant's employer or prospective employer.



Under §31-48d(a)(3) of Chapter 557 of Title 31 of Conn. Gen. Stat., 'electronic monitoring' is defined as the collection of information on an employer's premises concerning employees' activities or communications by any means other than direct observation, including the use of a computer, telephone, wire, radio, camera, electromagnetic, photoelectronic or photo-optical systems. However, it does not include the collection of information for security purposes in common areas of the employer's premises which are held out for use by the public, or which is prohibited under state or federal law.

Enforcement

The Connecticut Labor Commissioner ('the Labor Commissioner') may investigate violations of Conn. Gen. Stat. §31-40x. If the Labor Commissioner finds that an employee has been aggrieved by an employer's violation of this statute, the Labor Commissioner may impose on the employer a civil penalty of up to $500 for the first violation and $1,000 for each subsequent violation, and may award the employee all appropriate relief including rehiring or reinstatement to their previous job, payment of back wages, reestablishment of employee benefits or any other remedies that the Labor Commissioner may deem appropriate. If the Labor Commissioner finds that an applicant has been aggrieved by an employer’s violation of this statute, the Labor Commissioner may impose on the employer a civil penalty up to $25 for the first violation and $500 for each subsequent violation. There is no private right of action.

Pursuant to Conn. Gen. Stat. §31-48d, employers must provide written notice to employees before engaging in electronic monitoring. The notice must inform employees of any type of monitoring the employer may utilize. Employers must also post in a conspicuous place a notice detailing such information. The posting may constitute prior notice.

When an employer has reasonable grounds to believe that employees are engaged in conduct which violates the law, the legal rights of the employer, or the legal rights of other employees, or creates a hostile workplace environment—and such electronic monitoring may produce evidence of this misconduct—the employer may conduct monitoring without giving prior written notice.

The Labor Commissioner may impose civil penalties under Conn. Gen. Stat. §31-48d. The maximum civil penalty is $500 for the first offense, $1,000 for the second offense, and $3,000 for the third and each subsequent offense. There is no private right of action.

The CTDPA is not applicable to personal data that is collected within an employment or other business relationship and those 'acting in a commercial or employment context' do not qualify as 'consumers' under its definition.

6. Online Privacy 

The overall purpose of the CTDPA is to regulate the processing of consumer's personal data online. Those entities subject to compliance must also ensure there are various online mechanisms in place to permit consumers to exercise their various rights. Further, consumers will be permitted to access, opt-out of and safeguard their personal data being collected through online monitoring and targeted advertisement technologies.

7. Unsolicited Commercial Communications

§52-570c of Chapter 925 of Title 52 of the Conn. Gen. Stat. prohibits unsolicited advertising material disseminated via email unless there is an unsubscribe option and the subject line of the message begins with the letters 'ADV.' This applies to all for-profit businesses if the business does not have an established business relationship with the recipient.

Any individual aggrieved by a violation of the statute may, within two years of the alleged violation, bring a civil action in Connecticut Superior Court to enjoin further violations and seek $500 per violation (each such unsolicited email constituting a violation), together with costs and a reasonable attorneys' fee.

8. Privacy Policies Policies

The CTDPA requires data controllers to provide a 'reasonably accessible and clear' privacy notice. Data controllers must also implement reasonable safeguards to ensure the information being processed is accurate and provide consumers with a method for accessing and correcting their personal data.

The CTDPA requires each privacy notice to set forth:

• the categories of personal data that the controller processes;
• the controller's purpose for processing the consumer’s personal data;
• the method in which consumers may exercise their rights under the CTDPA and/or appeal a controller's determination of a consumer's request;
• if the controller shares personal data with any third parties, the controller must disclose the categories of personal data being shared and the categories of third parties with whom the controller shares the personal data; and
• an online method or e-mail address through which the consumer may communicate with the controller.

9. Data Disposal/Cybersecurity /Data Security

Under Public Act No. 21-119 for an act incentivizing the adoption of cybersecurity standards for businesses ('the Safe Harbor Law'), Connecticut state courts are prohibited from assessing punitive damages in a data breach litigation where the defendant 'created, maintained, and complied with a written cybersecurity program that contains administrative, technical and physical safeguards for the protection of personal or restricted information and that conforms to an industry recognized cybersecurity framework'. The cybersecurity program must also be designed to protect:

• the confidentiality and security of personal and restricted information;
• against threats or hazards to the security or integrity of such information; and
• against unauthorized access to and acquisition of information that would result in a material risk of identity theft or other fraud to the individual.

An acceptable cybersecurity program may also be measured by various factors, including the covered entity's:

• size and complexity;
• the nature and scope of its activities;
• the sensitivity of information to be protected; and
• the cost and availability of tools to improve information security and reduce risks.

The law applies to 'covered entities' which are defined as any business that 'accesses, maintains, communicates, or processes personal information or restricted information in or through one or more systems, networks, or services located in or outside [the] state'.

'Personal information' follows the same definition as used under the Data Breach Notification Law. However, it is important to note that 'restricted information' is separately defined as 'any information about an individual, other than personal information or publicly available information, that, alone or in combination with other information, including personal information, can be used to distinguish or trace the individual's identity or that is reasonably linked or linkable to an individual, if the information is not encrypted, redacted or altered by any method or technology in such a manner that the information is unreadable, and the breach of which is likely to result in a material risk of identity theft or other fraud to a person or property.'

10. Other Specific Jurisdictional Requirements

Not applicable at this time.