General Assembly
Committee Bill No. 3
January Session, 2023
LCO No. 5796

Referred to Committee on JUDICIARY

Introduced by: (JUD)

AN ACT CONCERNING ONLINE PRIVACY, DATA AND SAFETY PROTECTIONS AND AN EMPLOYER'S DUTY TO DISCLOSE KNOWN INSTANCES OF SEXUAL HARASSMENT OR ASSAULT COMMITTED BY AN EMPLOYEE WHEN MAKING EMPLOYMENT RECOMMENDATIONS.

Be it enacted by the Senate and House of Representatives in General Assembly convened:

Section 1. (NEW) (Effective July 1, 2025) (a) For the purposes of this section, unless the context otherwise requires:

(1) "Abortion" means terminating a pregnancy for any purpose other than producing a live birth;

(2) "Affiliate" means any legal entity that (A) shares common branding with another legal entity, and (B) controls, is controlled by or is under common control with another legal entity through (i) ownership of, or the power to vote, more than fifty per cent of the outstanding shares of any class of voting securities in either legal entity, (ii) control over the election of a majority of the directors of either legal entity or individuals exercising similar functions of the directors of either legal entity, or (iii) the power to exercise a controlling influence over the management of either legal entity;

(3) "Biometric data" has the same meaning as provided in section 42-515 of the general statutes;

(4) "Collect" means to buy, rent, access, retain, receive, acquire, infer, derive or otherwise process consumer health data in any manner;

(5) "Consent" has the same meaning as provided in section 42-515 of the general statutes;

(6) "Consumer" has the same meaning as provided in section 42-515 of the general statutes;

(7) "Consumer health data" (A) means any personal information that is linked, or reasonably linkable, to a consumer and identifies the consumer's past, present or future physical or mental health, including, but not limited to, any (i) individual health conditions, treatment, statuses, diseases or diagnoses, (ii) social, psychological, behavioral and medical interventions, (iii) health-related surgeries or procedures, (iv) use or purchase of medications, (v) bodily functions, vital signs or symptoms or measurements of such functions, signs or symptoms, (vi) diagnoses or diagnostic testing, treatment or medication, (vii) gender-affirming care information, (viii) reproductive or sexual health information, (ix) biometric data concerning the information described in subparagraph (A) of this subdivision, (x) genetic data concerning information described in subparagraph (A) of this subdivision, (xi) precise location information that could reasonably indicate such consumer's attempt to acquire or receive health services or supplies, or (xii) any information described in subparagraphs (A)(i) to (A)(xi), inclusive, of this subdivision that is derived or extrapolated from non-health information such as proxy, derivative, inferred or emergent data derived or extrapolated by any means, including, but not limited to, algorithms or machine learning, and (B) does not include any personal information that is used to engage in any public or peer-reviewed scientific,
historical or statistical research, provided such research (i) is in the public interest, (ii) adheres to all other applicable ethics and privacy laws, and (iii) is approved, monitored and governed by an institutional review board, human subjects research ethics review board or another similar independent oversight entity that determines that the regulated entity has implemented reasonable safeguards to mitigate privacy risks associated with such research, including, but not limited to, any risks associated with re-identification;

(8) "Dark patterns" has the same meaning as provided in section 42-515 of the general statutes;

(9) "De-identified data" has the same meaning as provided in section 42-515 of the general statutes;

(10) "Gender-affirming care information" means any personal information concerning seeking or obtaining past, present or future gender-affirming care services, including, but not limited to, (A) any precise location information that could reasonably indicate a consumer's attempt to seek or obtain gender-affirming care services, (B) any personal information concerning any effort made to research or obtain gender-affirming care services, or (C) any gender-affirming care information that is derived, extrapolated or inferred, including, but not limited to, any such information that is derived, extrapolated or inferred from non-health information such as proxy, derivative, inferred, emergent or algorithmic data;

(11) "Gender-affirming care services" (A) means health services or products that support and affirm any consumer's gender identity, including, but not limited to, social, psychological, behavioral, cosmetic, medical or surgical interventions, and (B) includes, but is not limited to, treatments for gender dysphoria, gender-affirming hormone therapy and gender-affirming surgical procedures;

(12) "Genetic data"
means any data, regardless of format, concerning a consumer's genetic characteristics and includes, but is not limited to, (A) raw sequence data that result from the sequencing of a consumer's complete extracted DNA or a portion of such extracted DNA, (B) genotypic and phenotypic information that results from analyzing such raw sequence data, and (C) self-reported health data that a consumer submits to a regulated entity and is analyzed in connection with such raw sequence data;

(13) "Geofence" means any technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless fidelity technology data or any other form of location detection, or any combination of such coordinates, connectivity, data, identification or other form of location detection, to establish a virtual boundary that is within two thousand feet of the perimeter around any physical location;

(14) "Health care service" means any service provided to any consumer to assess, measure, improve or learn about such consumer's health, including, but not limited to, any service provided to assess, measure, improve or learn about (A) individual health conditions, statuses, diseases or diagnoses, (B) social, psychological, behavioral and medical interventions, (C) health-related surgeries or procedures, (D) use or purchase of medication, (E) bodily functions, vital signs or symptoms or measurements of such functions, signs or symptoms, (F) diagnoses or diagnostic testing, treatment or medication, (G) reproductive health care services, and (H) gender-affirming care services;

(15) "Person" means any individual, corporation, trust, unincorporated association or partnership, but does not include any government agency, tribal nation government organization or contracted service provider when such service provider is
processing consumer health data on behalf of a government agency;

(16) "Personal information" (A) means any information that identifies, or is reasonably capable of being associated or linked, directly or indirectly, with any consumer, (B) includes, but is not limited to, any data associated with a persistent unique identifier such as an Internet browser cookie, Internet protocol address, device identifier or any other form of persistent unique identifier, and (C) does not include any publicly available information or de-identified data;

(17) "Precise location information" has the same meaning as provided in section 42-515 of the general statutes;

(18) "Process" and "processing" mean any operation or set of operations performed on consumer health data;

(19) "Processor" has the same meaning as provided in section 42-515 of the general statutes;

(20) "Publicly available information" has the same meaning as provided in section 42-515 of the general statutes;

(21) "Regulated entity" (A) means any legal entity that (i) does business in this state or produces or provides goods or services that are targeted to consumers in this state, and (ii) alone or jointly with others, determines the purpose and means of collecting, processing, sharing or selling consumer health data, and (B) does not mean any government agency, tribal nation government organization or contracted service provider when such service provider is processing consumer health data on behalf of a government agency;

(22) "Reproductive or sexual health information" (A) means any personal information concerning seeking or obtaining past, present or future reproductive or sexual health services, and (B) includes, but is not limited to, (i) any precise location information that could reasonably indicate a consumer's attempt to acquire or receive
reproductive or sexual health services, (ii) any personal information concerning any effort made to research or obtain reproductive or sexual health services, or (iii) any personal information or location information described in this subdivision that is derived, extrapolated or inferred, including, but not limited to, any such information that is derived, extrapolated or inferred from any non-health information such as proxy, derivative, inferred, emergent or algorithmic data;

(23) "Reproductive or sexual health service" means any health service or product that supports or concerns any consumer's reproductive system or sexual well-being, including, but not limited to, any health service or product that supports or concerns (A) individual health conditions, statuses, diseases or diagnoses, (B) social, psychological, behavioral and medical interventions, (C) health-related surgeries or procedures, including, but not limited to, abortions, (D) use or purchase of medications, including, but not limited to, medications for the purposes of abortion, (E) bodily functions, vital signs or symptoms or measurements of such functions, signs or symptoms, (F) diagnoses or diagnostic testing, treatment or medication, and (G) medical or nonmedical services concerning and provided in conjunction with an abortion, including, but not limited to, diagnostics, counseling, supplies and follow-up services concerning and provided in conjunction with an abortion;

(24) "Sale" or "sell" (A) means sharing consumer health data for monetary or other valuable consideration, and (B) does not include sharing consumer health data for monetary or other valuable consideration (i) to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the regulated
entity's assets and complies with the requirements established in this section, or (ii) by a regulated entity to a processor when sharing such consumer health data is consistent with the purpose for which the consumer health data was collected and disclosed to the consumer;

(25) "Service provider" means any person that processes consumer health data on behalf of a regulated entity;

(26) "Share" and "sharing" (A) mean any release, disclosure, dissemination, divulsion, making available, provision of access to, licensing or communication, orally, in writing or by electronic or any other means, of consumer health data by a regulated entity to a third party or affiliate, and (B) do not include (i) any disclosure of consumer health data by a regulated entity to a processor if such disclosure is to provide goods or services in a manner that is consistent with the purpose for which such data was collected and disclosed to the consumer, (ii) any disclosure of consumer health data made to a third party with whom the consumer has a direct relationship when (I) such disclosure is made for the purpose of providing a product or service requested by such consumer, (II) the regulated entity maintains control and ownership of such data, and (III) the third party exclusively uses such data at the regulated entity's direction and in a manner that is consistent with the purpose for which such data was collected and disclosed to the consumer, or (iii) any disclosure or transfer of consumer health data made to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the regulated entity's assets and complies with the requirements established in this section; and

(27) "Third party" means any entity other than a consumer, regulated entity
or affiliate of a regulated entity.

(b) Notwithstanding any provision of the general statutes, each regulated entity shall:

(1) Restrict access to consumer health data by the employees, processors and contractors of such regulated entity:

(A) To those employees, processors and contractors for which the consumer to whom such data relates has provided consent; or

(B) Where such access is necessary to provide to the consumer to whom such data relates a product or service that such consumer has requested from such regulated entity;

(2) Establish, implement and maintain administrative, technical and physical data security practices that, at a minimum, satisfy a reasonable standard of care within such regulated entity's industry to protect the confidentiality, integrity and accessibility of consumer health data in a manner that is appropriate for the volume and nature of such consumer health data; and

(3) (A) Not collect or share consumer health data concerning any consumer (i) without having first obtained such consumer's consent to collect or share such consumer health data for a specified purpose, (ii) beyond what is reasonably necessary, proportionate and limited to provide or maintain (I) a specific product or service requested by such consumer, or (II) any communication by such regulated entity to such consumer that is reasonably anticipated within the context of their relationship, or (iii) for any purpose that is not expressly permitted under the provisions of this section.

(B) The consent required under subparagraph (A) of this subdivision shall (i) be separately and distinctly obtained for collecting and sharing consumer health data, and (ii) clearly and conspicuously disclose (I) the categories of consumer health data collected or shared, (II) the purpose of collecting or sharing of the consumer health data, including, but not limited to, the specific ways in which such consumer health data will be used, (III) the categories of entities with which the consumer health data will be shared, and (IV) how the consumer may withdraw consent from any future collection or sharing of such consumer's consumer health data.

(c) (1) Notwithstanding any provision of the general statutes, no person shall:

(A) Sell, or offer to sell, consumer health data without first obtaining the consumer's signed, written consent on a form described in subdivision (2) of this subsection; or

(B) Implement a geofence to identify, track, collect data from or send notifications or messages to a consumer that enters the virtual perimeter around a health care provider or health care facility providing health care services on an in-person basis.

(2) Prior to selling, or offering to sell, a consumer's health data, the person who intends to sell, or offer to sell, such consumer health data shall provide to the consumer a form containing:

(A) A description of the consumer health data to be offered or sold;

(B) The name of, and contact information for, the person who collected and intends to sell, or offer to sell, such consumer health data;

(C) The name of, and contact information for, the person who intends to purchase such consumer health data from the person described in subparagraph (B) of this subdivision;

(D) A description of the purpose of such proposed offer or sale, including, but not limited to, a description of how such consumer health data will be gathered and how the person described in subparagraph (C) of this subdivision intends to use such consumer health data;

(E) A statement disclosing that the provision of goods or services shall not be made conditional on such consumer signing such form;

(F) A statement disclosing that such consumer has a right to revoke such consumer's consent at any time and a description of how such consumer may revoke such consent;

(G) A statement disclosing that any consumer health data sold pursuant to this subsection may be subject to redisclosure by the person described in subparagraph (C) of this subdivision and may no longer be protected under this section following such redisclosure;

(H) An expiration date for such consent, which date shall be not later than one year after such consumer signs such form; and

(I) Such consumer's signature and the date on which such consumer signs such form.

(3) No form required under subparagraph (A) of subdivision (1) of this subsection shall be valid if:

(A) The expiration date on such form has passed;

(B) Such form does not satisfy the requirements established in subdivision (2) of this subsection;

(C) The consumer has revoked such consumer's consent;

(D) Such form has been combined with any other document for the purpose of obtaining consent concerning multiple sales, or offers to sell, consumer health data; or

(E) The provision of goods or services is conditioned on the consumer signing such form.

(4) Each person who provides a form to a consumer pursuant to subdivision (2) of this subsection shall provide a signed copy of such form to the consumer who signed such form.

(5) Each person who sells or purchases consumer health data in the manner described in this subsection shall retain a copy of each form required under subdivision (2) of this subsection for a period of at least six years beginning on the date the consumer signed such form or the last date such form was effective, whichever is later.

(d) A processor may process consumer health data only pursuant to a binding contract between the processor and a regulated entity, which contract shall set forth the processing instructions for, and limit the actions which the processor may take with respect to, the consumer health data such processor processes on behalf of the regulated entity. The processor shall not process consumer health data in a manner that is inconsistent with the terms of such contract. The processor shall assist the regulated entity by taking all appropriate and possible technical and organizational measures that are necessary for such regulated entity to perform such regulated entity's duties under this section. If the processor fails to adhere to the regulated entity's processing instructions or processes consumer health data in a manner that is outside the scope of such contract, such processor shall be deemed to constitute a regulated entity and shall be subject to all provisions of this section concerning regulated entities.

(e) Any violation of the provisions of this section shall constitute an unfair trade practice under subsection (a) of section 42-110b of the general statutes and shall be enforced solely by the Attorney General. Nothing in this section shall be construed to create a private right of action or to provide grounds for an action under section 42-110g of the general statutes.

Sec. 2. (NEW) (Effective July 1, 2024) (a) For the purposes of this section:

(1) "Consumer" has the same meaning as provided in section 42-515 of the general statutes;

(2) "Minor" means any consumer who is younger than eighteen years of age;

(3) "Personal data" has the same meaning as provided in section 42-515 of the general statutes; and

(4) "Social media platform" (A) means a public or semi-public Internet-based service or application that (i) is used by a consumer in this state, (ii) is primarily intended to connect and allow users to socially interact within such service or application, and (iii) enables a user to (I) construct a public or semi-public profile for the purposes of signing into and using such service or application, (II) populate a public list of other users with whom the user shares a social connection within such service or application, and (III) create or post content that is viewable by other users, including, but not limited to, on message boards, in chat rooms, or through a landing page or main feed that presents the user with content generated by other users, and (B) does not include a public or semi-public Internet-based service or application that (i) exclusively provides electronic mail or direct messaging services, or (ii) primarily consists of news, sports, entertainment, electronic commerce or content that is preselected by the provider or for which any chat, comments or interactive functionality is incidental to, directly related to, or dependent on the provision of such content.

(b) Not later than ten days after a social media platform receives a request to delete a social media platform account from a minor or, if the minor is younger than sixteen years of age, from a minor's parent or legal guardian, the social media platform shall delete the minor's social media platform account and cease processing such minor's personal data. A social media platform shall establish, and shall describe in a privacy notice, one or more secure and reliable means for submitting a request pursuant to this subsection.

(c) No social media platform shall establish an account for a minor who is younger than sixteen years of age unless the social media platform has obtained consent from the minor's parent or legal guardian to establish such account.

(d) Any violation of the provisions of this section shall constitute an unfair trade practice under subsection (a) of section 42-110b of the general statutes and shall be enforced solely by the Attorney General. Nothing in this section shall be construed to create a private right of action or to provide grounds for an action under section 42-110g of the general statutes.

Sec. 3. (NEW) (Effective July 1, 2025) For the purposes of this section and sections 4 to 8, inclusive, of this act:

(1) "Adult" means any individual who is at least eighteen years of age;

(2) "Algorithm" means any computerized procedure consisting of a set of steps used to accomplish a predetermined objective;

(3) "Consent" has the same meaning as provided in section 42-515 of the general statutes;

(4) "Consumer" has the same meaning as provided in section 42-515 of the general statutes;

(5) "Controller" means any person that, alone or jointly with others, determines the purpose and means of processing personal data;

(6) "Heightened risk of harm to minors" means processing minors' personal data, including, but not limited to, through use of any algorithm, in a manner that presents any reasonably foreseeable risk of (A) any unfair or deceptive treatment of, or any unlawful disparate impact on, minors, (B) any financial, physical or reputational injury to minors, (C) any physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors if such intrusion would be offensive to a reasonable person, or (D) any other substantial injury to minors;

(7) "HIPAA" has the same meaning as provided in section 42-515 of the general statutes;

(8) "Minor" means any consumer who is younger than eighteen years of age;

(9) "Online service, product or feature" means any service, product or feature that is provided online. "Online service, product or feature" does not include any (A) telecommunications service, as defined in 47 USC 153, as amended from time to time, or (ii) delivery or use of a physical product;

(10) "Person" means an individual, association, company, limited liability company, corporation, partnership, sole proprietorship or trust;

(11) "Personal data" has the same meaning as provided in section 42-515 of the general statutes;

(12) "Precise geolocation data" has the same meaning as provided in section 42-515 of the general statutes;

(13) "Process" and "processing" have the same meaning as provided in section 42-515 of the general statutes;

(14) "Processor" means any person that, on behalf of a controller, processes personal data;

(15) "Profiling" has the same meaning as provided in section 42-515 of the general statutes;

(16) "Protected health information" has the same meaning as provided in section 42-515 of the general statutes;

(17) "Sale of personal data" has the same meaning as provided in section 42-515 of the general statutes;

(18) "Targeted advertising" (A) means displaying an advertisement to a minor based on profiling, and (B) does not include (i) an advertisement that is (I) based on the context of a minor's current search query, visit to an Internet web site or online application, or (II) directed to a minor in response to the minor's current request for information or feedback, or (ii) processing personal data solely to measure or report advertising frequency, performance or reach; and

(19) "Third party" has the same meaning as provided in section 42-515 of the general statutes.

Sec. 4. (NEW) (Effective July 1, 2025) (a) Each controller that offers any online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall use reasonable care to avoid any heightened risk of harm to minors proximately caused by such online service, product or feature.

(b) (1) Subject to the consent requirement established in subdivision (3) of this subsection, no controller that offers any online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall process any minor's personal data: (A) For the purposes of (i) targeted advertising, (ii) any sale of personal data, or (iii) profiling in furtherance of any decision made by such controller that results in the provision or denial by such controller of any financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services or access to essential goods or services; (B) that is not reasonably necessary to provide such online service, product or feature; (C) for any processing purpose other than the purpose that the controller disclosed at the time such controller collected such personal data; (D) for longer than is reasonably necessary to provide such online service, product or feature; or (E) in any circumstances in which such minor's personal data is accessible by, or visible to, any other user of such online service, product or feature.

(2) Subject to the consent requirement established in subdivision (3) of this subsection, no controller that offers an online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall collect a minor's precise geolocation data unless: (A) Such precise geolocation data is necessary for the controller to provide such online service, product or feature and, if such data is necessary to provide such online service, product or feature, such controller may only collect such data for the time necessary to provide such online service, product or feature; and (B) the controller provides to the minor a signal indicating that such controller is collecting such precise geolocation data, which signal shall be conspicuous to such minor for the entire duration of such collection.

(3) No controller shall engage in the activities described in subdivisions (1) and (2) of this subsection unless the controller obtains the minor's consent or, if the minor is younger than thirteen years of age, the consent of such minor's parent or legal guardian. A controller that complies with the verifiable parental consent requirements established in the Children's Online Privacy Protection Act of 1998, 15 USC 6501 et seq., and the regulations, rules, guidance and exemptions adopted pursuant to said act, as said act and such regulations, rules, guidance and exemptions may be amended from time to time, shall be deemed to have satisfied any requirement to obtain parental consent under this subdivision.

(c) No controller that offers any online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall: (1) Use any user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, including, but not limited to, any practice the Federal Trade Commission refers to as a "dark pattern", to lead or encourage any minor to provide any personal data that is not reasonably necessary to provide such online service, product or feature; (2) by default use any system design feature to increase, sustain or extend any minor's use of such online service, product or feature by, among other things, automatically playing any media, offering any reward to encourage such minor to spend time using such online service, product or feature or sending notifications to such minor; (3) allow any minor's parent, legal guardian or any other consumer to monitor such minor's online activity unless such controller provides to such minor a signal, which is obvious to such minor, indicating that such minor is being monitored; or (4) allow any adult to contact any minor through any messaging apparatus unless such adult previously established and maintains an ongoing lawful relationship with such minor.

Sec. 5. (NEW) (Effective July 1, 2025) (a) Each controller that, on or after July 1, 2025, offers any online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors shall conduct a data protection assessment for such online service, product or feature: (1) In a manner that is consistent with the requirements established in section 42-522 of the general statutes; and (2) that addresses (A) the purpose of such online service, product or feature, (B) the categories of minors' personal data that such online service, product or feature processes, (C) the purposes for which such controller processes minors' personal data with respect to such online service, product or feature, and (D) any heightened risk of harm to minors that is a reasonably foreseeable result of offering such online service, product or feature to minors.

(b) Each controller that conducts a data protection assessment pursuant to subsection (a) of this section shall: (1) Review such data protection assessment at least biennially; and (2) maintain documentation concerning such data protection assessment as long as such controller offers the online service, product or feature that is the subject of such assessment to minors.

(c) If any controller conducts a data protection assessment pursuant to subsection (a) of this section and determines that the online service, product or feature that is the subject of such assessment poses a heightened risk of harm to minors, such controller shall establish and implement a plan to mitigate or eliminate such risk before such controller offers such online service, product or feature to consumers whom such controller has actual knowledge, or wilfully disregards, are minors.

Sec. 6. (NEW) (Effective July 1, 2025) (a) A processor shall adhere to the instructions of a controller and shall assist the controller in meeting the controller's obligations under sections 3 to 8, inclusive, of this act. Such assistance shall include providing necessary information to enable the controller to conduct and document data protection assessments.

(b) A contract between a controller and a processor shall govern the processor's data processing procedures with respect to processing performed on behalf of the controller.
The contract shall be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. The contract shall also require that the processor: (1) Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; (2) at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (3) upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in sections 3 to 8, inclusive, of this act; (4) after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and (5) allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the obligations under sections 3 to 8, inclusive, of this act, using an appropriate and accepted control standard or framework and assessment procedure for such assessments. The processor shall provide a report of such assessment to the controller upon request.
(c) Nothing in this section shall be construed to relieve a controller or processor from the liabilities imposed on the controller or processor by virtue of such controller's or processor's role in the processing relationship, as described in sections 3 to 8, inclusive, of this act.
(d) Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data is to be processed. A person who is not limited in such person's processing of personal data pursuant to a controller's instructions, or who fails to adhere to such instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to such processing and may be subject to an enforcement action under section 8 of this act.
Sec. 7. (NEW) (Effective July 1, 2025) (a) The provisions of sections 1, 3 to 6, inclusive, and 8 of this act shall not apply to any: (1) Body, authority, board, bureau, commission, district or agency of this state or of any political subdivision of this state; (2) organization that is exempt from taxation under Section 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code of 1986, or any subsequent corresponding internal revenue code of the United States, as amended from time to time; (3) individual who, or school, board, association, limited liability company or corporation that, is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees; (4) national securities association that is registered under 15 USC 78o-3, as amended from time to time; (5) financial institution or data that is subject to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq., as amended from time to time; (6) covered entity or business associate, as defined in 45 CFR 160.103, as amended from time to time; or (7) air carrier, as defined in 49 USC 40102, as amended from time to time, and regulated under the Federal Aviation Act of 1958, 49 USC 40101 et seq., and the Airline Deregulation Act, 49 USC 41713, as said acts may be amended from time to time.
(b) The following information and data is exempt from the provisions of sections 1, 3 to 6, inclusive, and 8 of this act: (1) Protected health information; (2) patient-identifying information for the purposes of 42 USC 290dd-2, as amended from time to time; (3) identifiable private information for the purposes of the federal policy for the protection of human subjects under 45 CFR 46, as amended from time to time; (4) identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation of Technical Requirements for Pharmaceuticals for Human Use, as amended from time to time; (5) the protection of human subjects under 21 CFR Parts 6, 50 and 56, as amended from time to time, or personal data used or shared in research, as defined in 45 CFR 164.501, as amended from time to time, that is conducted in accordance with the standards set forth in this subdivision and subdivisions (3) and (4) of this subsection, or other research conducted in accordance with applicable law; (6) information and documents created for the purposes of the Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq., as amended from time to time; (7) patient safety work products for the purposes of section 19a-127o of the general statutes and the Patient Safety and Quality Improvement Act, 42 USC 299b-21 et seq., as amended from time to time; (8) information derived from any of the health care related information listed in this subsection that is de-identified in accordance with the requirements for de-identification under HIPAA; (9) information originating from and intermingled so as to be indistinguishable from, or information treated in the same manner as, information that is exempt under this subsection and maintained by a covered entity or business associate, program or qualified service organization, as specified in 42 USC 290dd-2, as amended from time to time; (10) information used for public health activities and purposes as authorized by HIPAA, community health activities and population health activities; (11) the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency, furnisher or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 USC 1681 et seq., as amended from time to time; (12) personal data collected, processed, sold or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 USC 2721 et seq., as amended from time to time; (13) personal data regulated by the Family Educational Rights and Privacy Act, 20 USC 1232g et seq., as amended from time to time; (14) personal data collected, processed, sold or disclosed in compliance with the Farm Credit Act, 12 USC 2001 et seq., as amended from time to time; (15) data processed or maintained (A) in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role, (B) as the emergency contact information of an individual under sections 1, 3 to 6, inclusive, and 8 of this act used for emergency contact purposes, or (C) that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under subdivision (1) of this subsection and used for the purposes of administering such benefits; and (16) personal data collected, processed, sold or disclosed in relation to price, route or service, as such terms are used in the Airline Deregulation Act, 49 USC 40101 et seq., as amended from time to time, by an air carrier subject to said act, to the extent sections 1, 3 to 6, inclusive, and 8 of this act are preempted by 49 USC 41713, as amended from time to time.
(c) No provision of this section or section 1, 3 to 6, inclusive, or 8 of this act shall be construed to restrict a controller's or processor's ability to: (1) Comply with federal, state or municipal ordinances or regulations; (2) comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state, municipal or other governmental authorities; (3) cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state or municipal ordinances or regulations; (4) investigate, establish, exercise, prepare for or defend legal claims; (5) take immediate steps to protect an interest that is essential for the life or physical safety of the minor or another individual, and where the processing cannot be manifestly based on another legal basis; (6) prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; (7) engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, (A) whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller or processor, (B) the expected benefits of the research outweigh the privacy risks, and (C) whether the controller or processor has implemented reasonable safeguards to mitigate privacy risks associated with research, including, but not limited to, any risks associated with re-identification; (8) assist another controller, processor or third party with any obligation under section 1, 3 to 6, inclusive, or 8 of this act; or (9) process personal data for reasons of public interest in the area of public health, community health or population health, but solely to the extent that such processing is (A) subject to suitable and specific measures to safeguard the rights of the minor whose personal data is being processed, and (B) under the responsibility of a professional subject to confidentiality obligations under federal, state or local law.
(d) No obligation imposed on a controller or processor under any provision of section 1, 3 to 6, inclusive, or 8 of this act shall be construed to restrict a controller's or processor's ability to collect, use or retain data for internal use to: (1) Conduct internal research to develop, improve or repair products, services or technology; (2) effectuate a product recall; (3) identify and repair technical errors that impair existing or intended functionality; or (4) perform internal operations that are (A) reasonably aligned with the expectations of a minor or reasonably anticipated based on the minor's existing relationship with the controller or processor, or (B) otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a minor.
(e) No controller or processor shall be required to comply with any provision of section 1, 3 to 6, inclusive, or 8 of this act if compliance with such provision would violate an evidentiary privilege under the laws of this state, and no such provision shall be construed to prevent a controller or processor from providing, as part of a privileged communication, any personal data concerning a minor to any other person who is covered by such evidentiary privilege.
(f) No provision of section 1, 3 to 6, inclusive, or 8 of this act shall be construed to: (1) Impose any obligation on a controller that adversely affects the rights or freedoms of any person, including, but not limited to, the rights of any person (A) to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution, or (B) under section 52-146t of the general statutes; or (2) apply to any individual's processing of personal data in the course of such individual's purely personal or household activities.
(g) (1) Any personal data processed by a controller pursuant to this section may be processed to the extent that such processing is: (A) Reasonably necessary and proportionate to the purposes listed in this section; and (B) adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section.
(2) Any controller that collects, uses or retains data pursuant to subsection (d) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to minors concerning such collection, use or retention of personal data.
(h) If any controller or processor processes personal data pursuant to an exemption established in subsections (a) to (g), inclusive, of this section, such controller or processor bears the burden of demonstrating that such processing qualifies for such exemption and complies with the requirements established in subsection (g) of this section.
Sec. 8. (NEW) (Effective July 1, 2025) (a) Any violation of the provisions of sections 3 to 7, inclusive, of this act shall constitute an unfair trade practice under subsection (a) of section 42-110b of the general statutes and shall be enforced solely by the Attorney General. Nothing in this section or sections 3 to 7, inclusive, of this act shall be construed to create a private right of action or to provide grounds for an action under section 42-110g of the general statutes.
(b) (1) During the period beginning July 1, 2025, and ending December 31, 2027, if the Attorney General, in the Attorney General's discretion, determines that a controller or processor has violated any provision of sections 3 to 7, inclusive, of this act but may cure such alleged violation, the Attorney General shall provide written notice to such controller or processor, in a form and manner prescribed by the Attorney General and before the Attorney General commences any action to enforce such provision, disclosing such alleged violation and such provision.
(2) (A) Not later than thirty days after a controller or processor receives a notice under subdivision (1) of this subsection, the controller or processor may send a notice to the Attorney General, in a form and manner prescribed by the Attorney General, disclosing that such controller or processor has: (i) Determined that such controller or processor did not commit the alleged violation of sections 3 to 7, inclusive, of this act; or (ii) cured such violation and taken measures that are sufficient to prevent further such violations.
(B) If the Attorney General receives a notice described in subparagraph (A) of this subdivision and determines, in the Attorney General's discretion, that the controller or processor that sent such notice did not commit the alleged violation or has cured such violation and taken the measures described in subparagraph (A)(ii) of this subdivision, such controller or processor shall not be liable for any civil penalty under subsection (a) of this section.
(C) Not later than February 1, 2027, the Attorney General shall submit a report, in accordance with section 11-4a of the general statutes, to the joint standing committee of the General Assembly having cognizance of matters relating to general law.
Such report shall disclose: (i) The number of notices the Attorney General has issued pursuant to subdivision (1) of this subsection; (ii) the nature of each violation that was the subject of a notice issued by the Attorney General pursuant to subdivision (1) of this subsection; (iii) the number of violations that were cured pursuant to subparagraphs (A) and (B) of this subdivision; and (iv) any other matter the Attorney General deems relevant for the purposes of such report.
(c) Beginning on January 1, 2027, the Attorney General may, in the Attorney General's discretion, provide to a controller or processor an opportunity to cure any alleged violation of the provisions of sections 3 to 7, inclusive, of this act in the manner described in subdivisions (1) and (2) of section (b) of this section. In determining whether to grant the controller or processor an opportunity to cure such alleged violation, the Attorney General may consider: (1) The number of such violations that such controller or processor is alleged to have committed; (2) the size and complexity of such controller or processor; (3) the nature and extent of such controller's or processor's processing activities; (4) whether there exists a substantial likelihood that such alleged violation has caused or will cause public injury; (5) the safety of persons or property; and (6) whether such alleged violation was likely caused by a human or technical error.
Sec. 9. Section 54-33c of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2023):
(a) The applicant for a search warrant shall file the application for the warrant and all affidavits upon which the warrant is based with the clerk of the court for the geographical area within which any person who may be arrested in connection with or subsequent to the execution of the search warrant would be presented with the return of the warrant. Upon the arrest of any person in connection with or subsequent to the execution of the search warrant, the law enforcement agency that arrested the person shall notify the clerk of such court of the return of the warrant by completing a form prescribed by the Chief Court Administrator and filing such form with the clerk together with any applicable uniform arrest report or misdemeanor summons.
(b) Except for a warrant for the installation and use of a tracking device: (1) The warrant shall be executed within ten days and returned with reasonable promptness consistent with due process of law and shall be accompanied by a written inventory of all property seized; (2) a copy of such warrant shall be given to the owner or occupant of the dwelling, structure, motor vehicle or place designated in the warrant, or the person named in the warrant; and (3) within forty-eight hours of such search, a copy of the application for the warrant and a copy of all affidavits upon which the warrant is based shall be given to such owner, occupant or person.
The judge or judge trial referee may, by order, dispense with the requirement of giving a copy of the affidavits to such owner, occupant or person at such time if the applicant for the warrant files a detailed affidavit with the judge or judge trial referee which demonstrates to the judge or judge trial referee that (A) the personal safety of a confidential informant would be jeopardized by the giving of a copy of the affidavits at such time, or (B) the search is part of a continuing investigation which would be adversely affected by the giving of a copy of the affidavits at such time, or (C) the giving of a copy of the affidavits at such time would require disclosure of information or material prohibited from being disclosed by chapter 959a. If a warrant is directed to a provider of an electronic communications service as defined in subdivision (4) of subsection (a) of section 54-47aa, or a remote computing service in subdivision (8) of subsection (a) of section 54-47aa, for records of a subscriber or customer of such provider, the court shall order that the provider not disclose the existence of such warrant to such subscriber or customer or any other person or entity for a period of up to ninety days if the court determines that there is reason to believe that notification of the existence of the warrant may result in (i) endangering the life or physical safety of an individual; (ii) flight from prosecution; (iii) destruction of or tampering with evidence; (iv) intimidation of potential witnesses; or (v) otherwise seriously jeopardizing the investigation.
(c) A warrant for the installation and use of a tracking device shall be returned with reasonable promptness consistent with due process of law and after the period authorized for tracking, including any extension period authorized under subsection (d) of section 54-33a, has expired. Within ten days after the use of the tracking device has ended, a copy of the application for the warrant and a copy of all affidavits upon which the warrant is based shall be given to the person who was tracked or the owner of the property to, in or on which the tracking device was installed. The judge or judge trial referee may, by order, dispense with the requirement of giving a copy of the affidavits to the person who was tracked or the owner of the property to, in or on which the tracking device was installed if the applicant for the warrant files a detailed affidavit with the judge or judge trial referee which demonstrates to the judge or judge trial referee that (1) the personal safety of a confidential informant would be jeopardized by the giving of a copy of the affidavits at such time, or (2) the search is part of a continuing investigation which would be adversely affected by the giving of a copy of the affidavits at such time, or (3) the giving of a copy of the affidavits at such time would require disclosure of information or material prohibited from being disclosed by chapter 959a.
(d) If the judge or judge trial referee dispenses with the requirement of giving a copy of the affidavits at such time pursuant to subsection (b) or (c) of this section, such order shall not affect the right of such owner, occupant or person to obtain such copy at any subsequent time.
No such order shall limit the disclosure of such affidavits to the attorney for a person arrested in connection with or subsequent to the execution of a search warrant unless, upon motion of the prosecuting authority within two weeks of such person's arraignment, the court finds that the state's interest in continuing nondisclosure substantially outweighs the defendant's right to disclosure.
(e) Any order entered pursuant to subsection (b) or (c) of this section dispensing with the requirement of giving a copy of the affidavits to such owner, occupant or person shall be for a specific period of time, not to exceed (1) two weeks beyond the date the warrant is executed, or (2) with respect to a warrant for the installation and use of a tracking device, two weeks after any extension period authorized under subsection (d) of section 54-33a has expired. Within the applicable time period set forth in subdivision (1) or (2) of this subsection, the prosecuting authority may seek an extension of such period of time. Upon the execution and return of the warrant, affidavits which have been the subject of such an order shall remain in the custody of the clerk's office in a secure location apart from the remainder of the court file.
Sec. 10. Section 21a-435 of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2023):
As used in this section, [and] sections 21a-436 to 21a-439, inclusive, and section 11 of this act:
(1) "Connecticut user" means a user who provides a Connecticut home address or zip code when registering with an online dating operator or a user who is known or determined by an online dating operator or its online dating platform to be in Connecticut at the time of registration;
(2) "Criminal background screening" means a name search for an individual's history of criminal convictions that is conducted by searching an (A) available and regularly updated government public record database that in the aggregate provides national coverage for searching an individual's history of criminal convictions; or (B) a regularly updated database maintained by a private vendor that provides national coverage for searching an individual's history of criminal convictions and sexual offender registries;
(3) "Criminal conviction" means a conviction for a crime in this state, another state, or under federal law;
(4) "Online dating" means the act of using a digital service to initiate relationships with other individuals for the purpose of romance, sex or marriage;
(5) "Online dating operator" means a person who operates a software application designed to facilitate online dating;
(6) "Online dating platform" means a digital service designed to allow users to interact through the Internet to participate in online dating; and
(7) "User" means an individual who uses the online dating services of an online dating operator.
Sec. 11. (NEW) (Effective October 1, 2023) An online dating operator shall owe a duty of care to any user of its online dating platform to protect against potential criminal activity of other users, including a duty to notify users if the online dating operator has had a communication with another user determined by the online dating operator to have a higher propensity to commit a crime against individuals.
Sec. 12. Section 29-7b of the general statutes is repealed and the following is substituted in lieu thereof (Effective July 1, 2023):
(a) There shall be within the Department of Emergency Services and Public Protection a Division of Scientific Services. The Commissioner of Emergency Services and Public Protection shall serve as administrative head of such division, and may delegate jurisdiction over the affairs of such division to a deputy commissioner.
(b) The Division of Scientific Services shall provide technical assistance to law enforcement agencies in the various areas of scientific investigation. The division shall maintain facilities and services for the examination and analysis of evidentiary materials in areas including, but not limited to, chemistry, arson, firearms, questioned documents, microscopy, serology, toxicology, trace evidence, latent fingerprints, impressions and other similar technology. The facilities, services and personnel of the division shall be available, without charge, to the Office of the Chief Medical Examiner and all duly constituted prosecuting, police and investigating agencies of the state.
901 (c) The Division of Scientific Services: (1) May investigate any 902 physical evidence or evidentiary material related to a crime upon the 903 request of any federal, state or local agency, (2) may conduct or assist 904 in the scientific field investigation at the scene of a crime and provide 905 other technical assistance and training in the various fields of scientific 906 criminal investigation upon request, (3) shall assure the safe custody of 907 evidence during examination, (4) shall forward a written report of the 908 results of an examination of evidence to the agency submitting such 909 evidence, (5) shall render expert court testimony when requested, and 910 (6) shall conduct ongoing research in the areas of the forensic sciences. 911 The Commissioner of Emergency Services and Public Protection or a 912 director designated by the commissioner shall be in charge of the 913 Division of Scientific Services operations and shall establish and 914 maintain a system of case priorities and a procedure for submission of 915 evidence and evidentiary security. The director of the Division of 916 Scientific Services shall be in the unclassified service and shall serve at 917 the pleasure of the commissioner. 918 (d) In accordance with the provisions of sections 4-38d, 4-38e and 4-919 39, all powers and duties of the Department of Public Health under the 920 provisions of sections 14-227a, 14-227c, 15-140u and 21a-283 shall be 921 transferred to the Division of Scientific Services within the Department 922 of Emergency Services and Public Protection. 923 (e) There is established within the Division of Scientific Services the 924 Committee Bill No. 3 LCO No. 5796 31 of 34 Connecticut Internet Crimes Against Children Task Force, which shall 925 consist of affiliate law enforcement agencies in the state. The task force 926 shall use state and federal moneys appropriated to it in a manner that 927 is consistent with the duties prescribed in 34 USC 21114. 928 Sec. 13. 
(NEW) (Effective October 1, 2023) (a) As used in this section:

(1) "Employee" means any person engaged in service to an employer in a business of his or her employer;

(2) "Employer" means a person engaged in business who has employees, including the state and any political subdivision of the state;

(3) "Occurring in the workplace" includes attendance at an off-premises work-related event that is coordinated by or through the employer, between employees or between an employer and an employee;

(4) "Sexual assault" means any act that would constitute a violation of section 53a-70, 53a-70a, 53a-70c, 53a-71, 53a-72a, 53a-72b or 53a-73a of the general statutes; and

(5) "Sexual harassment" has the same meaning as provided in subdivision (8) of subsection (b) of section 46a-60 of the general statutes, and includes any act constituting sexual harassment under 29 CFR 1604.11(a).

(b) Notwithstanding the provisions of section 31-128f of the general statutes, if an employer knows that a person is evaluating the candidacy of a current or former employee of the employer, and the employer provides such person with a recommendation or positive commentary relating to the current or former employee's work performance, such employer has a duty to timely disclose to such person any known act of sexual harassment or sexual assault committed by the employee occurring in the workplace of the employer. For purposes of this section, an employer knows about an act of sexual assault when the individual who provides the recommendation or positive commentary is an employee or agent of the employer and has actual knowledge of such act.
For purposes of this section, an employer knows about an act of sexual harassment when the individual who provides the recommendation or positive commentary is the employer, or an employee or agent of the employer and has actual knowledge of such act, and a complaint alleging the sexual harassment was filed with the Commission on Human Rights and Opportunities, the Equal Employment Opportunity Commission or a court of competent jurisdiction. An employer's duty to timely disclose any known act of sexual harassment or sexual assault shall terminate one year following the date on which the employer, or an employee or agent of the employer, has actual knowledge of an act of sexual harassment or sexual assault committed by an employee. Notwithstanding the provisions of this subsection, a former employer's duty to timely disclose known acts of sexual harassment or sexual assault under this subsection shall terminate prior to the expiration of such one-year period, if during such period: (1) A criminal prosecution involving the sexual assault (A) is dismissed, (B) results in the entry of a nolle prosequi of the sexual assault charges, or (C) results in the acquittal of the former employee; or (2) in a proceeding before the Commission on Human Rights and Opportunities involving a complaint of sexual harassment, (A) the complainant withdraws the complaint, or (B) said commission enters a finding that there is no reasonable cause for the complaint.

(c) If an employer owes a duty to disclose to a person who is evaluating the candidacy of a current or former employee of the employer under subsection (b) of this section, and such person hires the current or former employee in reliance on, in whole or in part, the former employer's recommendation or positive commentary, then for such time that the former employee is employed by the person, the former employer shall be liable to any employee of the person who relied on such recommendation or positive commentary for the following acts committed by the former employee occurring in the workplace of the person: (1) Any act of sexual harassment committed by the former employee, if the former employer breached its duty to disclose sexual harassment, and (2) any act of sexual harassment and sexual assault committed by the former employee, if the former employer breached its duty to disclose sexual assault.

This act shall take effect as follows and shall amend the following sections:

Section 1    July 1, 2025       New section
Sec. 2       July 1, 2024       New section
Sec. 3       July 1, 2025       New section
Sec. 4       July 1, 2025       New section
Sec. 5       July 1, 2025       New section
Sec. 6       July 1, 2025       New section
Sec. 7       July 1, 2025       New section
Sec. 8       July 1, 2025       New section
Sec. 9       October 1, 2023    54-33c
Sec. 10      October 1, 2023    21a-435
Sec. 11      October 1, 2023    New section
Sec. 12      July 1, 2023       29-7b
Sec. 13      October 1, 2023    New section

Statement of Purpose: To (1) Establish standards concerning the provision of access to, and sharing of, consumer health data; (2) prohibit geofencing of certain health data; (3) establish additional requirements concerning minors' personal data and social media platform accounts; (4) revise disclosure requirements relating to warrants directed to providers of electronic communication services and remote computing services; (5) establish a duty of care owed by online dating operators to users relating to potential criminal activity of other users; (6) codify in statute the existence and prescribed duties of the Connecticut Internet Crimes Against Children Task Force; and (7) require employers to disclose known instances of sexual harassment and assault when making employment recommendations relating to former employees.

[Proposed deletions are enclosed in brackets. Proposed additions are indicated by underline, except that when the entire text of a bill or resolution or a section of a bill or resolution is new, it is not underlined.]

Co-Sponsors:
SEN. LOONEY, 11th Dist.; SEN. DUFF, 25th Dist.
SEN. ANWAR, 3rd Dist.; SEN. CABRERA, 17th Dist.
SEN. COHEN, 12th Dist.; SEN. FLEXER, 29th Dist.
SEN. FONFARA, 1st Dist.; SEN. GASTON, 23rd Dist.
SEN. HOCHADEL, 13th Dist.; SEN. KUSHNER, 24th Dist.
SEN. LESSER, 9th Dist.; SEN. LOPES, 6th Dist.
SEN. MAHER, 26th Dist.; SEN. MARONEY, 14th Dist.
SEN. MARX, 20th Dist.; SEN. MCCRORY, 2nd Dist.
SEN. MILLER P., 27th Dist.; SEN. MOORE, 22nd Dist.
SEN. RAHMAN, 4th Dist.; SEN. SLAP, 5th Dist.
SEN. WINFIELD, 10th Dist.; REP. DELANY, 144th Dist.

S.B. 3