Substitute House Bill No. 6002 seeks to bring state agencies in line with the data protection and privacy laws established under the Connecticut Data Privacy Act (CTDPA), effectively removing previous exemptions that allowed state bodies to bypass these regulations. The bill introduces new legal language that mandates state agencies to comply with the same consumer health data privacy standards as private entities, including obtaining consumer consent before sharing or selling health data. It also emphasizes the confidentiality obligations for employees and contractors who access such data, thereby enhancing consumer rights regarding personal data, such as the ability to delete, opt out of processing, and access their data.

In addition to these changes, the bill clarifies the applicability of data protection laws to various entities, including private institutions of higher education and national securities associations. It imposes further requirements on state agencies concerning consumer health data and protections for minors, such as limiting data collection to necessary information, implementing reasonable security practices, and conducting data protection assessments for high-risk activities. The effective date for these provisions is set for January 1, 2026, and the bill reflects a significant shift towards prioritizing consumer protection in the digital landscape.

Statutes affected:
Committee Bill: 42-526
GAE Joint Favorable: 42-526, 42-516
File No. 677: 42-526, 42-516