Substitute House Bill No. 6002 seeks to bring state agencies in line with the data protection and privacy laws established under the Connecticut Data Privacy Act (CTDPA), effectively removing existing exemptions that previously applied to state entities. The bill deletes the phrase "of this state or" from various sections, thereby ensuring that state bodies, authorities, and agencies are subject to the same regulations governing consumer health data as private organizations. New legal language clarifies the applicability of these laws to state agencies and private institutions of higher education, granting residents rights over their personal data, including the ability to delete, opt out of processing, and access their data.

In addition to aligning state agencies with CTDPA provisions, the bill introduces stricter guidelines for handling consumer health data, such as requiring confidentiality agreements for employees and contractors, limiting data collection to necessary information, and mandating consumer consent before selling health data. It also imposes specific requirements for protecting minors in online services, including prohibiting access to consumer health data without confidentiality obligations and ensuring reasonable care to protect minors from harm. The changes are set to take effect on January 1, 2026, and while the bill establishes new obligations for state agencies, the enforcement mechanisms remain uncertain, as violations would fall under the jurisdiction of the attorney general.

Statutes affected:
Committee Bill: 42-526
GAE Joint Favorable: 42-526, 42-516
File No. 677: 42-526, 42-516