Connecticut 2023 Regular Session

Connecticut Senate Bill SB00003 Comm Sub / Bill

Filed 04/17/2023

                     
 
LCO    \\PRDFS1\SCOUSERS\FORZANOF\WS\2023SB-00003-R02-
SB.docx  
1 of 31 
  
General Assembly  Substitute Bill No. 3  
January Session, 2023 
 
 
 
 
 
AN ACT CONCERNING ONLINE PRIVACY, DATA AND SAFETY 
PROTECTIONS.  
Be it enacted by the Senate and House of Representatives in General 
Assembly convened: 
 
Section 1. (NEW) (Effective July 1, 2025) (a) For the purposes of this 1 
section, unless the context otherwise requires: 2 
(1) "Abortion" means terminating a pregnancy for any purpose other 3 
than producing a live birth; 4 
(2) "Affiliate" means any legal entity that (A) shares common 5 
branding with another legal entity, and (B) controls, is controlled by or 6 
is under common control with another legal entity through (i) 7 
ownership of, or the power to vote, more than fifty per cent of the 8 
outstanding shares of any class of voting securities in either legal entity, 9 
(ii) control over the election of a majority of the directors of either legal 10 
entity or individuals exercising similar functions of the directors of 11 
either legal entity, or (iii) the power to exercise a controlling influence 12 
over the management of either legal entity; 13 
(3) "Biometric data" has the same meaning as provided in section 14
42-515 of the general statutes; 15
(4) "Collect" means to buy, rent, access, retain, receive, acquire, infer, 16
derive or otherwise process consumer health data in any manner; 17 
(5) "Consent" has the same meaning as provided in section 42-515 of 18 
the general statutes; 19 
(6) "Consumer" has the same meaning as provided in section 42-515 20 
of the general statutes; 21 
(7) "Consumer health data" (A) means any personal information that 22 
is linked, or reasonably linkable, to a consumer and identifies the 23 
consumer's past, present or future physical or mental health, including, 24 
but not limited to, any (i) individual health condition, treatment, status, 25 
disease or diagnosis, (ii) social, psychological, behavioral or medical 26 
intervention, (iii) health-related surgery or procedure, (iv) use or 27 
purchase of medication, (v) bodily function, vital sign or symptom or 28 
any measurement of any such function, sign or symptom, (vi) diagnosis 29 
or diagnostic testing, treatment or medication, (vii) gender-affirming 30 
care information, (viii) reproductive or sexual health information, (ix) 31 
biometric data concerning the information described in this 32 
subparagraph, (x) genetic data concerning the information described in 33 
this subparagraph, (xi) precise location information that could 34 
reasonably indicate such consumer's attempt to acquire or receive health 35 
services or supplies, or (xii) information described in subparagraphs 36 
(A)(i) to (A)(xi), inclusive, of this subdivision that is derived or 37 
extrapolated from non-health information such as proxy, derivative, 38 
inferred or emergent data derived or extrapolated by any means, 39 
including, but not limited to, algorithms or machine learning, and (B) 40 
does not include any personal information that is used to engage in any 41 
public or peer-reviewed scientific, historical or statistical research, 42 
provided such research (i) is in the public interest, (ii) adheres to all 43 
other applicable ethics and privacy laws, and (iii) is approved, 44 
monitored and governed by an institutional review board, human 45 
subjects research ethics review board or another similar independent 46 
oversight entity that determines that the regulated entity has 47 
implemented reasonable safeguards to mitigate privacy risks associated 48 
with such research, including, but not limited to, any risks associated 49
with re-identification; 50 
(8) "De-identified data" has the same meaning as provided in section 51 
42-515 of the general statutes; 52 
(9) "Gender-affirming care information" means any personal 53 
information concerning seeking or obtaining past, present or future 54 
gender-affirming care services, including, but not limited to, (A) any 55 
precise location information that could reasonably indicate a consumer's 56 
attempt to seek or obtain gender-affirming care services, (B) any 57 
personal information concerning any effort made to research or obtain 58 
gender-affirming care services, or (C) any gender-affirming care 59 
information that is derived, extrapolated or inferred, including, but not 60 
limited to, any such information that is derived, extrapolated or inferred 61 
from non-health information such as proxy, derivative, inferred, 62 
emergent or algorithmic data; 63 
(10) "Gender-affirming care services" (A) means health services or 64 
products that support and affirm any consumer's gender identity, 65 
including, but not limited to, social, psychological, behavioral, cosmetic, 66 
medical or surgical interventions, and (B) includes, but is not limited to, 67 
treatments for gender dysphoria, gender-affirming hormone therapy 68 
and gender-affirming surgical procedures; 69 
(11) "Genetic data" means any data, regardless of format, concerning 70 
a consumer's genetic characteristics and includes, but is not limited to, 71 
(A) raw sequence data that result from the sequencing of a consumer's 72 
complete extracted DNA or a portion of such extracted DNA, (B) 73 
genotypic and phenotypic information that results from analyzing such 74 
raw sequence data, and (C) self-reported health data that a consumer 75 
submits to a regulated entity and is analyzed in connection with such 76 
raw sequence data; 77 
(12) "Geofence" means any technology that uses global positioning 78 
coordinates, cell tower connectivity, cellular data, radio frequency 79 
identification, wireless fidelity technology data or any other form of 80
location detection, or any combination of such coordinates, connectivity, 81 
data, identification or other form of location detection, to establish a 82 
virtual boundary that is within two thousand feet of the perimeter 83 
around any physical location; 84 
(13) "Health care service" means any service provided to any 85 
consumer to assess, measure, improve or learn about such consumer's 86 
health, including, but not limited to, any service provided to assess, 87 
measure, improve or learn about any (A) individual health condition, 88 
status, disease or diagnosis, (B) social, psychological, behavioral or 89 
medical intervention, (C) health-related surgery or procedure, (D) use 90 
or purchase of medication, (E) bodily function, vital sign or symptom or 91 
any measurement of any such function, sign or symptom, (F) diagnosis 92 
or diagnostic testing, treatment or medication, (G) reproductive or 93 
sexual health service, or (H) gender-affirming care services; 94 
(14) "Person" means any individual, corporation, trust, 95 
unincorporated association or partnership, but does not include any 96 
government agency, tribal nation government organization or 97 
contracted service provider when such service provider is processing 98 
consumer health data on behalf of a government agency; 99 
(15) "Personal information" (A) means any information that 100 
identifies, or is reasonably capable of being associated or linked, directly 101 
or indirectly, with any consumer, (B) includes, but is not limited to, any 102 
data associated with a persistent unique identifier such as an Internet 103 
browser cookie, Internet protocol address, device identifier or any other 104 
form of persistent unique identifier, and (C) does not include any 105 
publicly available information or de-identified data; 106 
(16) "Precise location information" has the same meaning as provided 107 
in section 42-515 of the general statutes; 108 
(17) "Process" and "processing" mean any operation or set of 109 
operations performed on consumer health data; 110 
(18) "Processor" has the same meaning as provided in section 42-515 111
of the general statutes; 112 
(19) "Publicly available information" has the same meaning as 113 
provided in section 42-515 of the general statutes; 114 
(20) "Regulated entity" (A) means any legal entity that (i) does 115 
business in this state or produces or provides goods or services that are 116 
targeted to consumers in this state, and (ii) alone or jointly with others, 117 
determines the purpose and means of collecting, processing, sharing or 118 
selling consumer health data, and (B) does not mean any government 119 
agency, tribal nation government organization or contracted service 120 
provider when such service provider is processing consumer health 121 
data on behalf of a government agency; 122 
(21) "Reproductive or sexual health information" (A) means any 123 
personal information concerning seeking or obtaining past, present or 124 
future reproductive or sexual health services, and (B) includes, but is not 125 
limited to, (i) any precise location information that could reasonably 126 
indicate a consumer's attempt to acquire or receive reproductive or 127 
sexual health services, (ii) any personal information concerning any 128 
effort made to research or obtain reproductive or sexual health services, 129 
and (iii) any personal information or location information described in 130 
this subdivision that is derived, extrapolated or inferred, including, but 131 
not limited to, any such information that is derived, extrapolated or 132 
inferred from any non-health information such as proxy, derivative, 133 
inferred, emergent or algorithmic data; 134 
(22) "Reproductive or sexual health service" means any health service 135 
or product that supports or concerns any consumer's reproductive 136 
system or sexual well-being, including, but not limited to, any health 137 
service or product that supports or concerns any (A) individual health 138 
condition, status, disease or diagnosis, (B) social, psychological, 139 
behavioral or medical intervention, (C) health-related surgery or 140 
procedure, including, but not limited to, an abortion, (D) use or 141 
purchase of any medication, including, but not limited to, any 142 
medication used or purchased for the purposes of an abortion, (E) 143
bodily function, vital sign or symptom or any measurement of any such 144 
function, sign or symptom, (F) diagnosis or diagnostic testing, treatment 145 
or medication, and (G) medical or nonmedical service concerning and 146 
provided in conjunction with an abortion, including, but not limited to, 147 
any diagnostics, counseling, supplies and follow-up services concerning 148 
and provided in conjunction with an abortion; 149 
(23) "Sale" or "sell" (A) means sharing consumer health data for 150 
monetary or other valuable consideration, and (B) does not include 151 
sharing consumer health data for monetary or other valuable 152 
consideration (i) to a third party as an asset that is part of a merger, 153 
acquisition, bankruptcy or other transaction in which the third party 154 
assumes control of all or part of the regulated entity's assets and 155 
complies with the requirements established in this section, or (ii) by a 156 
regulated entity to a processor when sharing such consumer health data 157 
is consistent with the purpose for which the consumer health data was 158 
collected and disclosed to the consumer; 159 
(24) "Service provider" means any person that processes consumer 160 
health data on behalf of a regulated entity; 161 
(25) "Share" and "sharing" (A) mean any release, disclosure, 162 
dissemination, divulsion, making available, provision of access to, 163 
licensing or communication, orally, in writing or by electronic or any 164 
other means, of consumer health data by a regulated entity to a third 165 
party or affiliate, and (B) do not include (i) any disclosure of consumer 166 
health data by a regulated entity to a processor if such disclosure is to 167 
provide goods or services in a manner that is consistent with the 168 
purpose for which such data was collected and disclosed to the 169 
consumer, (ii) any disclosure of consumer health data made to a third 170 
party with whom the consumer has a direct relationship when (I) such 171 
disclosure is made for the purpose of providing a product or service 172 
requested by such consumer, (II) the regulated entity maintains control 173 
and ownership of such data, and (III) the third party exclusively uses 174 
such data at the regulated entity's direction and in a manner that is 175 
consistent with the purpose for which such data was collected and 176
disclosed to the consumer, or (iii) any disclosure or transfer of consumer 177 
health data made to a third party as an asset that is part of a merger, 178 
acquisition, bankruptcy or other transaction in which the third party 179 
assumes control of all or part of the regulated entity's assets and 180 
complies with the requirements established in this section; and 181 
(26) "Third party" means any entity other than a consumer, regulated 182 
entity or affiliate of a regulated entity. 183 
(b) Notwithstanding any provision of the general statutes, each 184 
regulated entity shall: 185 
(1) Restrict access to consumer health data by the employees, 186 
processors and contractors of such regulated entity: 187 
(A) To those employees, processors and contractors for which the 188 
consumer to whom such data relates has provided consent; or 189 
(B) Where such access is necessary to provide to the consumer to 190 
whom such data relates a product or service that such consumer has 191 
requested from such regulated entity; 192 
(2) Establish, implement and maintain administrative, technical and 193 
physical data security practices that, at a minimum, satisfy a reasonable 194 
standard of care within such regulated entity's industry to protect the 195 
confidentiality, integrity and accessibility of consumer health data in a 196 
manner that is appropriate for the volume and nature of such consumer 197 
health data; and 198 
(3) (A) Not collect or share consumer health data concerning any 199 
consumer (i) without having first obtained such consumer's consent to 200 
collect or share such consumer health data for a specified purpose, (ii) 201 
beyond what is reasonably necessary, proportionate and limited to 202 
provide or maintain (I) a specific product or service requested by such 203 
consumer, or (II) any communication by such regulated entity to such 204 
consumer that is reasonably anticipated within the context of their 205 
relationship, or (iii) for any purpose that is not expressly permitted 206
under the provisions of this section. 207 
(B) The consent required under subparagraph (A) of this subdivision 208 
shall (i) be separately and distinctly obtained for collecting and sharing 209 
consumer health data, and (ii) clearly and conspicuously disclose (I) the 210 
categories of consumer health data collected or shared, (II) the purpose 211 
of collecting or sharing the consumer health data, including, but not 212 
limited to, the specific ways in which such consumer health data will be 213 
used, (III) the categories of entities with which the consumer health data 214 
will be shared, and (IV) how the consumer may withdraw consent from 215 
any future collection or sharing of such consumer's consumer health 216 
data. 217 
(c) (1) Notwithstanding any provision of the general statutes, no 218 
person shall: 219 
(A) Sell, or offer to sell, consumer health data without first obtaining 220 
the consumer's signed, written consent on a form described in 221 
subdivision (2) of this subsection; or 222 
(B) Implement a geofence to identify, track, collect data from or send 223 
notifications or messages to a consumer that enters the virtual perimeter 224 
around a health care provider or health care facility providing health 225 
care services on an in-person basis. 226 
(2) Prior to selling, or offering to sell, a consumer's consumer health 227 
data, the person who intends to sell, or offer to sell, such consumer 228 
health data shall provide to the consumer a form containing: 229 
(A) A description of the consumer health data to be offered or sold; 230 
(B) The name of, and contact information for, the person who 231 
collected and intends to sell, or offer to sell, such consumer health data; 232 
(C) The name of, and contact information for, the person who intends 233 
to purchase such consumer health data from the person described in 234 
subparagraph (B) of this subdivision; 235
(D) A description of the purpose of such proposed offer or sale, 236 
including, but not limited to, a description of how such consumer health 237 
data will be gathered and how the person described in subparagraph 238 
(C) of this subdivision intends to use such consumer health data; 239 
(E) A statement disclosing that the provision of goods or services 240 
shall not be made conditional on such consumer signing such form; 241 
(F) A statement disclosing that such consumer has a right to revoke 242 
such consumer's consent at any time and a description of how such 243 
consumer may revoke such consent; 244 
(G) A statement disclosing that any consumer health data sold 245 
pursuant to this subsection may be subject to redisclosure by the person 246 
described in subparagraph (C) of this subdivision and may no longer be 247 
protected under this section following such redisclosure; 248 
(H) An expiration date for such consent, which date shall be not later 249 
than one year after such consumer signs such form; and 250 
(I) Such consumer's signature and the date on which such consumer 251 
signs such form. 252 
(3) No form required under subparagraph (A) of subdivision (1) of 253 
this subsection shall be valid if: 254 
(A) The expiration date on such form has passed; 255 
(B) Such form does not satisfy the requirements established in 256 
subdivision (2) of this subsection; 257 
(C) The consumer has revoked such consumer's consent; 258 
(D) Such form has been combined with any other document for the 259 
purpose of obtaining consent concerning multiple sales, or offers to sell, 260 
consumer health data; or 261 
(E) The provision of goods or services is conditioned on the consumer 262
signing such form. 263 
(4) Each person who provides a form to a consumer pursuant to 264 
subdivision (2) of this subsection shall provide a signed copy of such 265 
form to the consumer who signed such form. 266 
(5) Each person who sells or purchases consumer health data in the 267 
manner described in this subsection shall retain a copy of each form 268 
required under subdivision (2) of this subsection for a period of at least 269 
six years beginning on the date the consumer signed such form or the 270 
last date such form was effective, whichever is later. 271 
(d) A processor may process consumer health data only pursuant to 272 
a binding contract between the processor and a regulated entity, which 273 
contract shall set forth the processing instructions for, and limit the 274 
actions which the processor may take with respect to, the consumer 275 
health data such processor processes on behalf of the regulated entity. 276 
The processor shall not process consumer health data in a manner that 277 
is inconsistent with the terms of such contract. The processor shall assist 278 
the regulated entity by taking all appropriate and possible technical and 279 
organizational measures that are necessary for such regulated entity to 280 
perform such regulated entity's duties under this section. If the 281 
processor fails to adhere to the regulated entity's processing instructions 282 
or processes consumer health data in a manner that is outside the scope 283 
of such contract, such processor shall be deemed to constitute a 284 
regulated entity and shall be subject to all provisions of this section 285 
concerning regulated entities. 286 
(e) Any violation of the provisions of this section shall constitute an 287 
unfair trade practice under subsection (a) of section 42-110b of the 288 
general statutes and shall be enforced solely by the Attorney General. 289 
Nothing in this section shall be construed to create a private right of 290 
action or to provide grounds for an action under section 42-110g of the 291 
general statutes. 292 
Sec. 2. (NEW) (Effective July 1, 2024) (a) For the purposes of this 293
section: 294 
(1) "Consumer" has the same meaning as provided in section 42-515 295 
of the general statutes; 296 
(2) "Minor" means any consumer who is younger than eighteen years 297 
of age; 298 
(3) "Personal data" has the same meaning as provided in section 299
42-515 of the general statutes; and 300
(4) "Social media platform" (A) means a public or semi-public 301 
Internet-based service or application that (i) is used by a consumer in 302 
this state, (ii) is primarily intended to connect and allow users to socially 303 
interact within such service or application, and (iii) enables a user to (I) 304 
construct a public or semi-public profile for the purposes of signing into 305 
and using such service or application, (II) populate a public list of other 306 
users with whom the user shares a social connection within such service 307 
or application, and (III) create or post content that is viewable by other 308 
users, including, but not limited to, on message boards, in chat rooms, 309 
or through a landing page or main feed that presents the user with 310 
content generated by other users, and (B) does not include a public or 311 
semi-public Internet-based service or application that (i) exclusively 312 
provides electronic mail or direct messaging services, or (ii) primarily 313 
consists of news, sports, entertainment, electronic commerce or content 314 
that is preselected by the provider or for which any chat, comments or 315 
interactive functionality is incidental to, directly related to, or 316 
dependent on the provision of such content. 317 
(b) Not later than ten days after a social media platform receives a 318 
request to delete a social media platform account from a minor or, if the 319 
minor is younger than sixteen years of age, from a minor's parent or 320 
legal guardian, the social media platform shall delete the minor's social 321 
media platform account and cease processing such minor's personal 322 
data. A social media platform shall establish, and shall describe in a 323 
privacy notice, one or more secure and reliable means for submitting a 324
request pursuant to this subsection. 325 
(c) No social media platform shall establish an account for a minor 326 
who is younger than sixteen years of age unless the social media 327 
platform has obtained consent from the minor's parent or legal guardian 328 
to establish such account. 329 
(d) Any violation of the provisions of this section shall constitute an 330 
unfair trade practice under subsection (a) of section 42-110b of the 331 
general statutes and shall be enforced solely by the Attorney General. 332 
Nothing in this section shall be construed to create a private right of 333 
action or to provide grounds for an action under section 42-110g of the 334 
general statutes. 335 
Sec. 3. (NEW) (Effective July 1, 2025) For the purposes of this section 336 
and sections 4 to 8, inclusive, of this act: 337 
(1) "Adult" means any individual who is at least eighteen years of age; 338 
(2) "Algorithm" means any computerized procedure consisting of a 339 
set of steps used to accomplish a predetermined objective; 340 
(3) "Consent" has the same meaning as provided in section 42-515 of 341 
the general statutes; 342 
(4) "Consumer" has the same meaning as provided in section 42-515 343 
of the general statutes; 344 
(5) "Controller" means any person that, alone or jointly with others, 345 
determines the purpose and means of processing personal data; 346 
(6) "Heightened risk of harm to minors" means processing minors' 347 
personal data, including, but not limited to, through use of any 348 
algorithm, in a manner that presents any reasonably foreseeable risk of 349 
(A) any unfair or deceptive treatment of, or any unlawful disparate 350 
impact on, minors, (B) any financial, physical or reputational injury to 351 
minors, (C) any physical or other intrusion upon the solitude or 352
seclusion, or the private affairs or concerns, of minors if such intrusion 353 
would be offensive to a reasonable person, or (D) any other substantial 354 
injury to minors; 355 
(7) "HIPAA" has the same meaning as provided in section 42-515 of 356 
the general statutes; 357 
(8) "Minor" means any consumer who is younger than eighteen years 358 
of age; 359 
(9) "Online service, product or feature" means any service, product or 360 
feature that is provided online. "Online service, product or feature" does 361 
not include any (A) telecommunications service, as defined in 47 USC 362 
153, as amended from time to time, or (B) delivery or use of a physical 363 
product; 364 
(10) "Person" means an individual, association, company, limited 365 
liability company, corporation, partnership, sole proprietorship or trust; 366 
(11) "Personal data" has the same meaning as provided in section 367
42-515 of the general statutes; 368
(12) "Precise geolocation data" has the same meaning as provided in 369 
section 42-515 of the general statutes; 370 
(13) "Process" and "processing" have the same meaning as provided 371 
in section 42-515 of the general statutes; 372 
(14) "Processor" means any person that, on behalf of a controller, 373 
processes personal data; 374 
(15) "Profiling" has the same meaning as provided in section 42-515 375 
of the general statutes; 376 
(16) "Protected health information" has the same meaning as 377 
provided in section 42-515 of the general statutes; 378 
(17) "Sale of personal data" has the same meaning as provided in 379
section 42-515 of the general statutes; 380 
(18) "Targeted advertising" (A) means displaying an advertisement to 381 
a minor based on profiling, and (B) does not include (i) an advertisement 382 
that is (I) based on the context of a minor's current search query, visit to 383 
an Internet web site or online application, or (II) directed to a minor in 384 
response to the minor's current request for information or feedback, or 385 
(ii) processing personal data solely to measure or report advertising 386 
frequency, performance or reach; and 387 
(19) "Third party" has the same meaning as provided in section 388
42-515 of the general statutes. 389
Sec. 4. (NEW) (Effective July 1, 2025) (a) Each controller that offers any 390 
online service, product or feature to consumers whom such controller 391 
has actual knowledge, or wilfully disregards, are minors shall use 392 
reasonable care to avoid any heightened risk of harm to minors 393 
proximately caused by such online service, product or feature. 394 
(b) (1) Subject to the consent requirement established in subdivision 395 
(3) of this subsection, no controller that offers any online service, 396 
product or feature to consumers whom such controller has actual 397 
knowledge, or wilfully disregards, are minors shall process any minor's 398 
personal data: (A) For the purposes of (i) targeted advertising, (ii) any 399 
sale of personal data, or (iii) profiling in furtherance of any decision 400 
made by such controller that results in the provision or denial by such 401 
controller of any financial or lending services, housing, insurance, 402 
education enrollment or opportunity, criminal justice, employment 403 
opportunities, health care services or access to essential goods or 404 
services; (B) that is not reasonably necessary to provide such online 405 
service, product or feature; (C) for any processing purpose other than 406 
the purpose that the controller disclosed at the time such controller 407 
collected such personal data; (D) for longer than is reasonably necessary 408 
to provide such online service, product or feature; or (E) in any 409 
circumstances in which such minor's personal data is accessible by, or 410 
visible to, any other user of such online service, product or feature. 411
(2) Subject to the consent requirement established in subdivision (3) 412 
of this subsection, no controller that offers an online service, product or 413 
feature to consumers whom such controller has actual knowledge, or 414 
wilfully disregards, are minors shall collect a minor's precise 415 
geolocation data unless: (A) Such precise geolocation data is necessary 416 
for the controller to provide such online service, product or feature and, 417 
if such data is necessary to provide such online service, product or 418 
feature, such controller may only collect such data for the time necessary 419 
to provide such online service, product or feature; and (B) the controller 420 
provides to the minor a signal indicating that such controller is 421 
collecting such precise geolocation data, which signal shall be 422 
conspicuous to such minor for the entire duration of such collection. 423 
(3) No controller shall engage in the activities described in 424 
subdivisions (1) and (2) of this subsection unless the controller obtains 425 
the minor's consent or, if the minor is younger than thirteen years of age, 426 
the consent of such minor's parent or legal guardian. A controller that 427 
complies with the verifiable parental consent requirements established 428 
in the Children's Online Privacy Protection Act of 1998, 15 USC 6501 et 429 
seq., and the regulations, rules, guidance and exemptions adopted 430 
pursuant to said act, as said act and such regulations, rules, guidance 431 
and exemptions may be amended from time to time, shall be deemed to 432 
have satisfied any requirement to obtain parental consent under this 433 
subdivision. 434 
(c) No controller that offers any online service, product or feature to 435 
consumers whom such controller has actual knowledge, or wilfully 436 
disregards, are minors shall: (1) Use any user interface designed or 437 
manipulated with the substantial effect of subverting or impairing user 438 
autonomy, decision-making or choice, including, but not limited to, any 439 
practice the Federal Trade Commission refers to as a "dark pattern", to 440 
lead or encourage any minor to provide any personal data that is not 441 
reasonably necessary to provide such online service, product or feature; 442 
(2) by default use any system design feature to increase, sustain or 443 
extend any minor's use of such online service, product or feature by, 444
among other things, automatically playing any media, offering any 445 
reward to encourage such minor to spend time using such online 446 
service, product or feature or sending notifications to such minor; (3) 447 
allow any minor's parent, legal guardian or any other consumer to 448 
monitor such minor's online activity unless such controller provides to 449 
such minor a signal, which is obvious to such minor, indicating that 450 
such minor is being monitored; or (4) allow any adult to contact any 451 
minor through any messaging apparatus unless such adult previously 452 
established and maintains an ongoing lawful relationship with such 453 
minor. 454 
Sec. 5. (NEW) (Effective July 1, 2025) (a) Each controller that, on or after 455 
July 1, 2025, offers any online service, product or feature to consumers 456 
whom such controller has actual knowledge, or wilfully disregards, are 457 
minors shall conduct a data protection assessment for such online 458 
service, product or feature: (1) In a manner that is consistent with the 459 
requirements established in section 42-522 of the general statutes; and 460 
(2) that addresses (A) the purpose of such online service, product or 461 
feature, (B) the categories of minors' personal data that such online 462 
service, product or feature processes, (C) the purposes for which such 463 
controller processes minors' personal data with respect to such online 464 
service, product or feature, and (D) any heightened risk of harm to 465 
minors that is a reasonably foreseeable result of offering such online 466 
service, product or feature to minors. 467 
(b) Each controller that conducts a data protection assessment 468 
pursuant to subsection (a) of this section shall: (1) Review such data 469 
protection assessment at least biennially; and (2) maintain 470 
documentation concerning such data protection assessment as long as 471 
such controller offers the online service, product or feature that is the 472 
subject of such assessment to minors. 473 
(c) If any controller conducts a data protection assessment pursuant 474 
to subsection (a) of this section and determines that the online service, 475 
product or feature that is the subject of such assessment poses a 476 
heightened risk of harm to minors, such controller shall establish and 477
implement a plan to mitigate or eliminate such risk before such 478 
controller offers such online service, product or feature to consumers 479 
whom such controller has actual knowledge, or wilfully disregards, are 480 
minors. 481 
Sec. 6. (NEW) (Effective July 1, 2025) (a) A processor shall adhere to 482 
the instructions of a controller and shall assist the controller in meeting 483 
the controller's obligations under sections 3 to 8, inclusive, of this act. 484 
Such assistance shall include providing necessary information to enable 485 
the controller to conduct and document data protection assessments. 486 
(b) A contract between a controller and a processor shall govern the 487 
processor's data processing procedures with respect to processing 488 
performed on behalf of the controller. The contract shall be binding and 489 
clearly set forth instructions for processing data, the nature and purpose 490 
of processing, the type of data subject to processing, the duration of 491 
processing and the rights and obligations of both parties. The contract 492 
shall also require that the processor: (1) Ensure that each person 493 
processing personal data is subject to a duty of confidentiality with 494 
respect to the data; (2) at the controller's direction, delete or return all 495 
personal data to the controller as requested at the end of the provision 496 
of services, unless retention of the personal data is required by law; (3) 497 
upon the reasonable request of the controller, make available to the 498 
controller all information in its possession necessary to demonstrate the 499 
processor's compliance with the obligations in sections 3 to 8, inclusive, 500 
of this act; (4) after providing the controller an opportunity to object, 501 
engage any subcontractor pursuant to a written contract that requires 502 
the subcontractor to meet the obligations of the processor with respect 503 
to the personal data; and (5) allow, and cooperate with, reasonable 504 
assessments by the controller or the controller's designated assessor, or 505 
the processor may arrange for a qualified and independent assessor to 506 
conduct an assessment of the processor's policies and technical and 507 
organizational measures in support of the obligations under sections 3 508 
to 8, inclusive, of this act, using an appropriate and accepted control 509 
standard or framework and assessment procedure for such assessments. 510
The processor shall provide a report of such assessment to the controller 511 
upon request. 512 
(c) Nothing in this section shall be construed to relieve a controller or 513 
processor from the liabilities imposed on the controller or processor by 514 
virtue of such controller's or processor's role in the processing 515 
relationship, as described in sections 3 to 8, inclusive, of this act. 516 
(d) Determining whether a person is acting as a controller or 517 
processor with respect to a specific processing of data is a fact-based 518 
determination that depends upon the context in which personal data is 519 
to be processed. A person who is not limited in such person's processing 520 
of personal data pursuant to a controller's instructions, or who fails to 521 
adhere to such instructions, is a controller and not a processor with 522 
respect to a specific processing of data. A processor that continues to 523 
adhere to a controller's instructions with respect to a specific processing 524 
of personal data remains a processor. If a processor begins, alone or 525 
jointly with others, determining the purposes and means of the 526 
processing of personal data, the processor is a controller with respect to 527 
such processing and may be subject to an enforcement action under 528 
section 8 of this act. 529 
Sec. 7. (NEW) (Effective July 1, 2025) (a) The provisions of sections 1, 3 530 
to 6, inclusive, and 8 of this act shall not apply to any: (1) Body, 531 
authority, board, bureau, commission, district or agency of this state or 532 
of any political subdivision of this state; (2) organization that is exempt 533 
from taxation under Section 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of 534 
the Internal Revenue Code of 1986, or any subsequent corresponding 535 
internal revenue code of the United States, as amended from time to 536 
time; (3) individual who, or school, board, association, limited liability 537 
company or corporation that, is licensed or accredited to offer one or 538 
more programs of higher learning leading to one or more degrees; (4) 539 
national securities association that is registered under 15 USC 78o-3, as 540 
amended from time to time; (5) financial institution or data that is 541 
subject to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq., as 542 
amended from time to time; (6) covered entity or business associate, as 543
defined in 45 CFR 160.103, as amended from time to time; or (7) air 544 
carrier, as defined in 49 USC 40102, as amended from time to time, and 545 
regulated under the Federal Aviation Act of 1958, 49 USC 40101 et seq., 546 
and the Airline Deregulation Act, 49 USC 41713, as said acts may be 547 
amended from time to time. 548 
(b) The following information and data is exempt from the provisions 549 
of sections 1, 3 to 6, inclusive, and 8 of this act: (1) Protected health 550 
information; (2) patient-identifying information for the purposes of 42 551 
USC 290dd-2, as amended from time to time; (3) identifiable private 552 
information for the purposes of the federal policy for the protection of 553 
human subjects under 45 CFR 46, as amended from time to time; (4) 554 
identifiable private information that is otherwise information collected 555 
as part of human subjects research pursuant to the good clinical practice 556 
guidelines issued by the International Council for Harmonisation of 557 
Technical Requirements for Pharmaceuticals for Human Use, as 558 
amended from time to time; (5) the protection of human subjects under 559 
21 CFR Parts 6, 50 and 56, as amended from time to time, or personal 560 
data used or shared in research, as defined in 45 CFR 164.501, as 561 
amended from time to time, that is conducted in accordance with the 562 
standards set forth in this subdivision and subdivisions (3) and (4) of 563 
this subsection, or other research conducted in accordance with 564 
applicable law; (6) information and documents created for the purposes 565 
of the Health Care Quality Improvement Act of 1986, 42 USC 11101 et 566 
seq., as amended from time to time; (7) patient safety work products for 567 
the purposes of section 19a-127o of the general statutes and the Patient 568 
Safety and Quality Improvement Act, 42 USC 299b-21 et seq., as 569 
amended from time to time; (8) information derived from any of the 570 
health care related information listed in this subsection that is de-571 
identified in accordance with the requirements for de-identification 572 
under HIPAA; (9) information originating from and intermingled so as 573 
to be indistinguishable from, or information treated in the same manner 574 
as, information that is exempt under this subsection and maintained by 575 
a covered entity or business associate, program or qualified service 576 
organization, as specified in 42 USC 290dd-2, as amended from time to 577
time; (10) information used for public health activities and purposes as 578 
authorized by HIPAA, community health activities and population 579 
health activities; (11) the collection, maintenance, disclosure, sale, 580 
communication or use of any personal information bearing on a 581 
consumer's credit worthiness, credit standing, credit capacity, character, 582 
general reputation, personal characteristics or mode of living by a 583 
consumer reporting agency, furnisher or user that provides information 584 
for use in a consumer report, and by a user of a consumer report, but 585 
only to the extent that such activity is regulated by and authorized 586 
under the Fair Credit Reporting Act, 15 USC 1681 et seq., as amended 587 
from time to time; (12) personal data collected, processed, sold or 588 
disclosed in compliance with the Driver's Privacy Protection Act of 1994, 589 
18 USC 2721 et seq., as amended from time to time; (13) personal data 590 
regulated by the Family Educational Rights and Privacy Act, 20 USC 591 
1232g et seq., as amended from time to time; (14) personal data collected, 592 
processed, sold or disclosed in compliance with the Farm Credit Act, 12 593 
USC 2001 et seq., as amended from time to time; (15) data processed or 594 
maintained (A) in the course of an individual applying to, employed by 595 
or acting as an agent or independent contractor of a controller, processor 596 
or third party, to the extent that the data is collected and used within the 597 
context of that role, (B) as the emergency contact information of an 598 
individual under sections 1, 3 to 6, inclusive, and 8 of this act used for 599 
emergency contact purposes, or (C) that is necessary to retain to 600 
administer benefits for another individual relating to the individual 601 
who is the subject of the information under subdivision (1) of this 602 
subsection and used for the purposes of administering such benefits; 603 
and (16) personal data collected, processed, sold or disclosed in relation 604 
to price, route or service, as such terms are used in the Airline 605 
Deregulation Act, 49 USC 40101 et seq., as amended from time to time, 606 
by an air carrier subject to said act, to the extent sections 1, 3 to 6, 607 
inclusive, and 8 of this act are preempted by 49 USC 41713, as amended 608 
from time to time. 609 
(c) No provision of this section or section 1, 3 to 6, inclusive, or 8 of 610 
this act shall be construed to restrict a controller's or processor's ability 611
to: (1) Comply with federal, state or municipal ordinances or 612 
regulations; (2) comply with a civil, criminal or regulatory inquiry, 613 
investigation, subpoena or summons by federal, state, municipal or 614 
other governmental authorities; (3) cooperate with law enforcement 615 
agencies concerning conduct or activity that the controller or processor 616 
reasonably and in good faith believes may violate federal, state or 617 
municipal ordinances or regulations; (4) investigate, establish, exercise, 618 
prepare for or defend legal claims; (5) take immediate steps to protect 619 
an interest that is essential for the life or physical safety of the minor or 620 
another individual, and where the processing cannot be manifestly 621 
based on another legal basis; (6) prevent, detect, protect against or 622 
respond to security incidents, identity theft, fraud, harassment, 623 
malicious or deceptive activities or any illegal activity, preserve the 624 
integrity or security of systems or investigate, report or prosecute those 625 
responsible for any such action; (7) engage in public or peer-reviewed 626 
scientific or statistical research in the public interest that adheres to all 627 
other applicable ethics and privacy laws and is approved, monitored 628 
and governed by an institutional review board that determines, or 629 
similar independent oversight entities that determine, (A) whether the 630 
deletion of the information is likely to provide substantial benefits that 631 
do not exclusively accrue to the controller or processor, (B) the expected 632 
benefits of the research outweigh the privacy risks, and (C) whether the 633 
controller or processor has implemented reasonable safeguards to 634 
mitigate privacy risks associated with research, including, but not 635 
limited to, any risks associated with re-identification; (8) assist another 636 
controller, processor or third party with any obligation under section 1, 637 
3 to 6, inclusive, or 8 of this act; or (9) process personal data for reasons 638 
of public interest in the area of public health, community health or 639 
population health, but solely to the extent that such processing is (A) 640 
subject to suitable and specific measures to safeguard the rights of the 641 
minor whose personal data is being processed, and (B) under the 642 
responsibility of a professional subject to confidentiality obligations 643 
under federal, state or local law. 644 
(d) No obligation imposed on a controller or processor under any 645
provision of section 1, 3 to 6, inclusive, or 8 of this act shall be construed 646 
to restrict a controller's or processor's ability to collect, use or retain data 647 
for internal use to: (1) Conduct internal research to develop, improve or 648 
repair products, services or technology; (2) effectuate a product recall; 649 
(3) identify and repair technical errors that impair existing or intended 650 
functionality; or (4) perform internal operations that are (A) reasonably 651 
aligned with the expectations of a minor or reasonably anticipated based 652 
on the minor's existing relationship with the controller or processor, or 653 
(B) otherwise compatible with processing data in furtherance of the 654 
provision of a product or service specifically requested by a minor. 655 
(e) No controller or processor shall be required to comply with any 656 
provision of section 1, 3 to 6, inclusive, or 8 of this act if compliance with 657 
such provision would violate an evidentiary privilege under the laws of 658 
this state, and no such provision shall be construed to prevent a 659 
controller or processor from providing, as part of a privileged 660 
communication, any personal data concerning a minor to any other 661 
person who is covered by such evidentiary privilege. 662 
(f) No provision of section 1, 3 to 6, inclusive, or 8 of this act shall be 663 
construed to: (1) Impose any obligation on a controller that adversely 664 
affects the rights or freedoms of any person, including, but not limited 665 
to, the rights of any person (A) to freedom of speech or freedom of the 666 
press guaranteed in the First Amendment to the United States 667 
Constitution, or (B) under section 52-146t of the general statutes; or (2) 668 
apply to any individual's processing of personal data in the course of 669 
such individual's purely personal or household activities. 670 
(g) (1) Any personal data processed by a controller pursuant to this 671 
section may be processed to the extent that such processing is: (A) 672 
Reasonably necessary and proportionate to the purposes listed in this 673 
section; and (B) adequate, relevant and limited to what is necessary in 674 
relation to the specific purposes listed in this section.  675 
(2) Any controller that collects, uses or retains data pursuant to 676 
subsection (d) of this section shall, where applicable, take into account 677
the nature and purpose or purposes of such collection, use or retention. 678 
Such data shall be subject to reasonable administrative, technical and 679 
physical measures to protect the confidentiality, integrity and 680 
accessibility of the personal data and to reduce reasonably foreseeable 681 
risks of harm to minors concerning such collection, use or retention of 682 
personal data. 683 
(h) If any controller or processor processes personal data pursuant to 684 
an exemption established in subsections (a) to (g), inclusive, of this 685 
section, such controller or processor bears the burden of demonstrating 686 
that such processing qualifies for such exemption and complies with the 687 
requirements established in subsection (g) of this section. 688 
Sec. 8. (NEW) (Effective July 1, 2025) (a) Any violation of the 689 
provisions of sections 3 to 7, inclusive, of this act shall constitute an 690 
unfair trade practice under subsection (a) of section 42-110b of the 691 
general statutes and shall be enforced solely by the Attorney General. 692 
Nothing in this section or sections 3 to 7, inclusive, of this act shall be 693 
construed to create a private right of action or to provide grounds for an 694 
action under section 42-110g of the general statutes. 695 
(b) (1) During the period beginning July 1, 2025, and ending 696 
December 31, 2027, if the Attorney General, in the Attorney General's 697 
discretion, determines that a controller or processor has violated any 698 
provision of sections 3 to 7, inclusive, of this act but may cure such 699 
alleged violation, the Attorney General shall provide written notice to 700 
such controller or processor, in a form and manner prescribed by the 701 
Attorney General and before the Attorney General commences any 702 
action to enforce such provision, disclosing such alleged violation and 703 
such provision. 704 
(2) (A) Not later than thirty days after a controller or processor 705 
receives a notice under subdivision (1) of this subsection, the controller 706 
or processor may send a notice to the Attorney General, in a form and 707 
manner prescribed by the Attorney General, disclosing that such 708 
controller or processor has: (i) Determined that such controller or 709
processor did not commit the alleged violation of sections 3 to 7, 710 
inclusive, of this act; or (ii) cured such violation and taken measures that 711 
are sufficient to prevent further such violations. 712 
(B) If the Attorney General receives a notice described in 713 
subparagraph (A) of this subdivision and determines, in the Attorney 714 
General's discretion, that the controller or processor that sent such 715 
notice did not commit the alleged violation or has cured such violation 716 
and taken the measures described in subparagraph (A)(ii) of this 717 
subdivision, such controller or processor shall not be liable for any civil 718 
penalty under subsection (a) of this section. 719 
(C) Not later than February 1, 2027, the Attorney General shall submit 720 
a report, in accordance with section 11-4a of the general statutes, to the 721 
joint standing committee of the General Assembly having cognizance of 722 
matters relating to general law. Such report shall disclose: (i) The 723 
number of notices the Attorney General has issued pursuant to 724 
subdivision (1) of this subsection; (ii) the nature of each violation that 725 
was the subject of a notice issued by the Attorney General pursuant to 726 
subdivision (1) of this subsection; (iii) the number of violations that were 727 
cured pursuant to subparagraphs (A) and (B) of this subdivision; and 728 
(iv) any other matter the Attorney General deems relevant for the 729 
purposes of such report. 730 
(c) Beginning on January 1, 2027, the Attorney General may, in the 731 
Attorney General's discretion, provide to a controller or processor an 732 
opportunity to cure any alleged violation of the provisions of sections 3 733 
to 7, inclusive, of this act in the manner described in subdivisions (1) and 734 
(2) of section (b) of this section. In determining whether to grant the 735 
controller or processor an opportunity to cure such alleged violation, the 736 
Attorney General may consider: (1) The number of such violations that 737 
such controller or processor is alleged to have committed; (2) the size 738 
and complexity of such controller or processor; (3) the nature and extent 739 
of such controller's or processor's processing activities; (4) whether there 740 
exists a substantial likelihood that such alleged violation has caused or 741 
will cause public injury; (5) the safety of persons or property; and (6) 742
whether such alleged violation was likely caused by a human or 743 
technical error. 744 
Sec. 9. Section 54-33c of the general statutes is repealed and the 745 
following is substituted in lieu thereof (Effective October 1, 2023): 746 
(a) The applicant for a search warrant shall file the application for the 747 
warrant and all affidavits upon which the warrant is based with the 748 
clerk of the court for the geographical area within which any person 749 
who may be arrested in connection with or subsequent to the execution 750 
of the search warrant would be presented with the return of the warrant. 751 
Upon the arrest of any person in connection with or subsequent to the 752 
execution of the search warrant, the law enforcement agency that 753 
arrested the person shall notify the clerk of such court of the return of 754 
the warrant by completing a form prescribed by the Chief Court 755 
Administrator and filing such form with the clerk together with any 756 
applicable uniform arrest report or misdemeanor summons. 757 
(b) Except for a warrant for the installation and use of a tracking 758 
device: (1) The warrant shall be executed within ten days and returned 759 
with reasonable promptness consistent with due process of law and 760 
shall be accompanied by a written inventory of all property seized; (2) a 761 
copy of such warrant shall be given to the owner or occupant of the 762 
dwelling, structure, motor vehicle or place designated in the warrant, or 763 
the person named in the warrant; and (3) within forty-eight hours of 764 
such search, a copy of the application for the warrant and a copy of all 765 
affidavits upon which the warrant is based shall be given to such owner, 766 
occupant or person. The judge or judge trial referee may, by order, 767 
dispense with the requirement of giving a copy of the affidavits to such 768 
owner, occupant or person at such time if the applicant for the warrant 769 
files a detailed affidavit with the judge or judge trial referee which 770 
demonstrates to the judge or judge trial referee that (A) the personal 771 
safety of a confidential informant would be jeopardized by the giving of 772 
a copy of the affidavits at such time, or (B) the search is part of a 773 
continuing investigation which would be adversely affected by the 774 
giving of a copy of the affidavits at such time, or (C) the giving of a copy 775
of the affidavits at such time would require disclosure of information or 776 
material prohibited from being disclosed by chapter 959a. If a warrant 777 
is directed to a provider of an electronic communication service or a 778 
remote computing service, as such terms are defined in subsection (a) of 779 
section 54-47aa, for records of a subscriber or customer of such provider, 780 
the court shall order that the provider not disclose the existence of such 781 
warrant to such subscriber or customer or any other person or entity for 782 
a period of up to ninety days if the court determines that there is reason 783 
to believe that notification of the existence of the warrant may result in 784 
(i) endangering the life or physical safety of an individual, (ii) flight from 785 
prosecution, (iii) destruction of or tampering with evidence, (iv) 786 
intimidation of potential witnesses, or (v) otherwise seriously 787 
jeopardizing the investigation. 788 
(c) A warrant for the installation and use of a tracking device shall be 789 
returned with reasonable promptness consistent with due process of 790 
law and after the period authorized for tracking, including any 791 
extension period authorized under subsection (d) of section 54-33a, has 792 
expired. Within ten days after the use of the tracking device has ended, 793 
a copy of the application for the warrant and a copy of all affidavits 794 
upon which the warrant is based shall be given to the person who was 795 
tracked or the owner of the property to, in or on which the tracking 796 
device was installed. The judge or judge trial referee may, by order, 797 
dispense with the requirement of giving a copy of the affidavits to the 798 
person who was tracked or the owner of the property to, in or on which 799 
the tracking device was installed if the applicant for the warrant files a 800 
detailed affidavit with the judge or judge trial referee which 801 
demonstrates to the judge or judge trial referee that (1) the personal 802 
safety of a confidential informant would be jeopardized by the giving of 803 
a copy of the affidavits at such time, or (2) the search is part of a 804 
continuing investigation which would be adversely affected by the 805 
giving of a copy of the affidavits at such time, or (3) the giving of a copy 806 
of the affidavits at such time would require disclosure of information or 807 
material prohibited from being disclosed by chapter 959a. 808
(d) If the judge or judge trial referee dispenses with the requirement 809 
of giving a copy of the affidavits at such time pursuant to subsection (b) 810 
or (c) of this section, such order shall not affect the right of such owner, 811 
occupant or person to obtain such copy at any subsequent time. No such 812 
order shall limit the disclosure of such affidavits to the attorney for a 813 
person arrested in connection with or subsequent to the execution of a 814 
search warrant unless, upon motion of the prosecuting authority within 815 
two weeks of such person's arraignment, the court finds that the state's 816 
interest in continuing nondisclosure substantially outweighs the 817 
defendant's right to disclosure.  818 
(e) Any order entered pursuant to subsection (b) or (c) of this section 819 
dispensing with the requirement of giving a copy of the affidavits to 820 
such owner, occupant or person shall be for a specific period of time, not 821 
to exceed (1) two weeks beyond the date the warrant is executed, or (2) 822 
with respect to a warrant for the installation and use of a tracking device, 823 
two weeks after any extension period authorized under subsection (d) 824 
of section 54-33a has expired. Within the applicable time period set forth 825 
in subdivision (1) or (2) of this subsection, the prosecuting authority 826 
may seek an extension of such period of time. Upon the execution and 827 
return of the warrant, affidavits which have been the subject of such an 828 
order shall remain in the custody of the clerk's office in a secure location 829 
apart from the remainder of the court file. 830 
Sec. 10. Section 21a-435 of the general statutes is repealed and the 831 
following is substituted in lieu thereof (Effective October 1, 2023): 832 
As used in this section, [and] sections 21a-436 to 21a-439, inclusive, 833 
and section 11 of this act: 834 
(1) "Connecticut user" means a user who provides a Connecticut 835 
home address or zip code when registering with an online dating 836 
operator or a user who is known or determined by an online dating 837 
operator or its online dating platform to be in Connecticut at the time of 838 
registration; 839
(2) "Criminal background screening" means a name search for an 840 
individual's history of criminal convictions that is conducted by 841 
searching an (A) available and regularly updated government public 842 
record database that in the aggregate provides national coverage for 843 
searching an individual's history of criminal convictions; or (B) a 844 
regularly updated database maintained by a private vendor that 845 
provides national coverage for searching an individual's history of 846 
criminal convictions and sexual offender registries; 847 
(3) "Criminal conviction" means a conviction for a crime in this state, 848 
another state, or under federal law; 849 
(4) "Online dating" means the act of using a digital service to initiate 850 
relationships with other individuals for the purpose of romance, sex or 851 
marriage; 852 
(5) "Online dating operator" means a person who operates a software 853 
application designed to facilitate online dating; 854 
(6) "Online dating platform" means a digital service designed to allow 855 
users to interact through the Internet to participate in online dating; and 856 
(7) "User" means an individual who uses the online dating services of 857 
an online dating operator. 858 
Sec. 11. (NEW) (Effective October 1, 2023) An online dating operator 859 
shall owe a duty of care to any user of its online dating platform to 860 
protect against potential criminal activity of other users, including a 861 
duty to notify users if the online dating operator has had a 862 
communication with another user determined by the online dating 863 
operator to have a higher propensity to commit a crime against 864 
individuals. 865 
Sec. 12. Section 29-7b of the general statutes is repealed and the 866 
following is substituted in lieu thereof (Effective July 1, 2023): 867 
(a) There shall be within the Department of Emergency Services and 868
Public Protection a Division of Scientific Services. The Commissioner of 869 
Emergency Services and Public Protection shall serve as administrative 870 
head of such division, and may delegate jurisdiction over the affairs of 871 
such division to a deputy commissioner. 872 
(b) The Division of Scientific Services shall provide technical 873 
assistance to law enforcement agencies in the various areas of scientific 874 
investigation. The division shall maintain facilities and services for the 875 
examination and analysis of evidentiary materials in areas including, 876 
but not limited to, chemistry, arson, firearms, questioned documents, 877 
microscopy, serology, toxicology, trace evidence, latent fingerprints, 878 
impressions and other similar technology. The facilities, services and 879 
personnel of the division shall be available, without charge, to the Office 880 
of the Chief Medical Examiner and all duly constituted prosecuting, 881 
police and investigating agencies of the state. 882 
(c) The Division of Scientific Services: (1) May investigate any 883 
physical evidence or evidentiary material related to a crime upon the 884 
request of any federal, state or local agency, (2) may conduct or assist in 885 
the scientific field investigation at the scene of a crime and provide other 886 
technical assistance and training in the various fields of scientific 887 
criminal investigation upon request, (3) shall assure the safe custody of 888 
evidence during examination, (4) shall forward a written report of the 889 
results of an examination of evidence to the agency submitting such 890 
evidence, (5) shall render expert court testimony when requested, and 891 
(6) shall conduct ongoing research in the areas of the forensic sciences. 892 
The Commissioner of Emergency Services and Public Protection or a 893 
director designated by the commissioner shall be in charge of the 894 
Division of Scientific Services operations and shall establish and 895 
maintain a system of case priorities and a procedure for submission of 896 
evidence and evidentiary security. The director of the Division of 897 
Scientific Services shall be in the unclassified service and shall serve at 898 
the pleasure of the commissioner. 899 
(d) In accordance with the provisions of sections 4-38d, 4-38e and 4-900 
39, all powers and duties of the Department of Public Health under the 901
provisions of sections 14-227a, 14-227c, 15-140u and 21a-283 shall be 902 
transferred to the Division of Scientific Services within the Department 903 
of Emergency Services and Public Protection. 904 
(e) There is established within the Division of Scientific Services the 905 
Connecticut Internet Crimes Against Children Task Force, which shall 906 
consist of affiliate law enforcement agencies in the state. The task force 907 
shall use state and federal moneys appropriated to it in a manner that is 908 
consistent with the duties prescribed in 34 USC 21114. 909 
This act shall take effect as follows and shall amend the following 
sections: 
 
Section 1 July 1, 2025 New section 
Sec. 2 July 1, 2024 New section 
Sec. 3 July 1, 2025 New section 
Sec. 4 July 1, 2025 New section 
Sec. 5 July 1, 2025 New section 
Sec. 6 July 1, 2025 New section 
Sec. 7 July 1, 2025 New section 
Sec. 8 July 1, 2025 New section 
Sec. 9 October 1, 2023 54-33c 
Sec. 10 October 1, 2023 21a-435 
Sec. 11 October 1, 2023 New section 
Sec. 12 July 1, 2023 29-7b 
 
Statement of Legislative Commissioners:   
In Section 1, Subsec. (a) was redrafted to remove the definition of the 
unused term "dark patterns" and, in Subsec. (a), Subdivs. (9) to (27), 
inclusive, were redesignated Subdivs. (8) to (26), inclusive, and Subdivs. 
(7)(A), (13), (21)(B)(ii) and (22) were redrafted for internal consistency, 
in Subsec. (b)(3)(B)(ii)(II), "of" was deleted for internal consistency, and 
in Subsec. (c)(2), "consumer health data" was changed to "consumer's 
consumer health data" for accuracy; and in Section 9(b)(3)(C), "electronic 
communications service as defined in subdivision (4) of subsection (a) 
of section 54-47aa, or a remote computing service in subdivision (8) of 
subsection (a) of section 54-47aa," was changed to "electronic 
communication service or a remote computing service, as such terms are 
defined in subsection (a) of section 54-47aa," for accuracy and 
conciseness.

JUD Joint Favorable Subst.