Substitute House Bill No. 6002 seeks to align state agencies with the data protection and privacy standards established by the Connecticut Data Privacy Act (CTDPA), effectively removing previous exemptions that shielded these entities from compliance. The bill specifically repeals language that exempted state bodies from the provisions of sections 42-515 to 42-525, thereby subjecting them to the same regulations regarding consumer health data and personal data processing as private organizations. New requirements introduced by the bill include obtaining consent before selling consumer health data and prohibiting the use of geofences near sensitive facilities. Additionally, the bill broadens the scope of accountability by applying its provisions to any person conducting business in the state or targeting residents.
The legislation also enhances consumer rights concerning personal data, allowing residents to delete their data, opt out of processing, and access their information. It mandates that the state limit data collection to what is necessary, implement reasonable security practices, and obtain consent before processing sensitive data. Specific provisions regarding consumer health data and online services for minors are included, such as prohibiting access to consumer health data without a confidentiality obligation and requiring careful handling of minors' data. The bill is set to take effect on January 1, 2026, and is expected to have fiscal implications for state agencies due to compliance costs, marking a significant shift in how state agencies manage personal data in line with private sector standards.
Statutes affected:
Committee Bill: 42-526
GAE Joint Favorable: 42-526, 42-516
File No. 677: 42-526, 42-516