LCO 1 of 4
General Assembly Substitute Bill No. 6002
January Session, 2025
AN ACT SUBJECTING STATE AGENCIES TO THE SAME DATA
PROTECTION AND PRIVACY LAWS AS THE PRIVATE SECTOR.
Be it enacted by the Senate and House of Representatives in General
Assembly convened:
Section 1. Subsection (a) of section 42-517 of the general statutes is 1
repealed and the following is substituted in lieu thereof (Effective January 2
1, 2026): 3
(a) The provisions of sections 42-515 to 42-525, inclusive, do not apply 4
to any: (1) Body, authority, board, bureau, commission, district or 5
agency [of this state or] of any political subdivision of this state; (2) 6
person who has entered into a contract with any body, authority, board, 7
bureau, commission, district or agency described in subdivision (1) of 8
this subsection while such person is processing consumer health data on 9
behalf of such body, authority, board, bureau, commission, district or 10
agency pursuant to such contract; (3) nonprofit organization; (4) private 11
institution of higher education; (5) national securities association that is 12
registered under 15 USC 78o-3 of the Securities Exchange Act of 1934, as 13
amended from time to time; (6) financial institution or data subject to 14
Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq.; (7) covered 15
entity or business associate, as defined in 45 CFR 160.103; (8) tribal 16
nation government organization; or (9) air carrier, as defined in 49 USC 17
40102, as amended from time to time, and regulated under the Federal 18
Aviation Act of 1958, 49 USC 40101 et seq., and the Airline Deregulation 19
Act of 1978, 49 USC 41713, as said acts may be amended from time to 20 Substitute Bill No. 6002
LCO 2 of 4
time. 21
Sec. 2. Section 42-526 of the general statutes is repealed and the 22
following is substituted in lieu thereof (Effective January 1, 2026): 23
(a) (1) Except as provided in subsection (b) of this section, subsections 24
(b) and (c) of section 42-517 and section 42-524, no person shall: (A) 25
Provide any employee or contractor with access to consumer health data 26
unless the employee or contractor is subject to a contractual or statutory 27
duty of confidentiality; (B) provide any processor with access to 28
consumer health data unless such person and processor comply with 29
section 42-521; (C) use a geofence to establish a virtual boundary that is 30
within one thousand seven hundred fifty feet of any mental health 31
facility or reproductive or sexual health facility for the purpose of 32
identifying, tracking, collecting data from or sending any notification to 33
a consumer regarding the consumer's consumer health data; or (D) sell, 34
or offer to sell, consumer health data without first obtaining the 35
consumer's consent. 36
(2) Notwithstanding the provisions of section 42-516, the provisions 37
of subsection (a) of this section, and the provisions of section 42-515, and 38
sections 42-517 to 42-525, inclusive, as amended by this act, concerning 39
consumer health data and consumer health data controllers, apply to 40
persons that conduct business in this state and persons that produce 41
products or services that are targeted to residents of this state. 42
(b) The provisions of subsection (a) of this section shall not apply to 43
any: (1) Body, authority, board, bureau, commission, district or agency 44
[of this state or] of any political subdivision of this state; (2) person who 45
has entered into a contract with any body, authority, board, bureau, 46
commission, district or agency described in subdivision (1) of this 47
subsection while such person is processing consumer health data on 48
behalf of such body, authority, board, bureau, commission, district or 49
agency pursuant to such contract; (3) private institution of higher 50
education; (4) national securities association that is registered under 15 51
USC 78o-3 of the Securities Exchange Act of 1934, as amended from time 52 Substitute Bill No. 6002
LCO 3 of 4
to time; (5) financial institution or data subject to Title V of the Gramm-53
Leach-Bliley Act, 15 USC 6801 et seq.; (6) covered entity or business 54
associate, as defined in 45 CFR 160.103; (7) tribal nation government 55
organization; or (8) air carrier, as defined in 49 USC 40102, as amended 56
from time to time, and regulated under the Federal Aviation Act of 1958, 57
49 USC 40101 et seq., and the Airline Deregulation Act of 1978, 49 USC 58
41713, as said acts may be amended from time to time. 59
Sec. 3. Subsection (a) of section 42-529d of the general statutes is 60
repealed and the following is substituted in lieu thereof (Effective January 61
1, 2026): 62
(a) The provisions of sections 42-529 to 42-529c, inclusive, and section 63
42-529e shall not apply to any: (1) Body, authority, board, bureau, 64
commission, district or agency [of this state or] of any political 65
subdivision of this state; (2) organization that is exempt from taxation 66
under Section 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal 67
Revenue Code of 1986, or any subsequent corresponding internal 68
revenue code of the United States, as amended from time to time; (3) 69
individual who, or school, board, association, limited liability company 70
or corporation that, is licensed or accredited to offer one or more 71
programs of higher learning leading to one or more degrees; (4) national 72
securities association that is registered under 15 USC 78o-3, as amended 73
from time to time; (5) financial institution or data that is subject to Title 74
V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq., as amended from 75
time to time; (6) covered entity or business associate, as defined in 45 76
CFR 160.103, as amended from time to time; (7) tribal nation 77
government organization; or (8) air carrier, as defined in 49 USC 40102, 78
as amended from time to time, and regulated under the Federal 79
Aviation Act of 1958, 49 USC 40101 et seq., and the Airline Deregulation 80
Act of 1978, 49 USC 41713, as said acts may be amended from time to 81
time. 82
Sec. 4. Section 42-516 of the general statutes is repealed and the 83
following is substituted in lieu thereof (Effective January 1, 2026): 84 Substitute Bill No. 6002
LCO 4 of 4
The provisions of sections 42-515 to 42-525, inclusive, apply to (1) 85
persons that conduct business in this state or persons that produce 86
products or services that are targeted to residents of this state and that 87
during the preceding calendar year: [(1)] (A) Controlled or processed 88
the personal data of not less than one hundred thousand consumers, 89
excluding personal data controlled or processed solely for the purpose 90
of completing a payment transaction; or [(2)] (B) controlled or processed 91
the personal data of not less than twenty-five thousand consumers and 92
derived more than twenty-five per cent of their gross revenue from the 93
sale of personal data; and (2) any body, authority, board, bureau, 94
commission, district or agency of this state. 95
This act shall take effect as follows and shall amend the following
sections:
Section 1 January 1, 2026 42-517(a)
Sec. 2 January 1, 2026 42-526
Sec. 3 January 1, 2026 42-529d(a)
Sec. 4 January 1, 2026 42-516
Statement of Legislative Commissioners:
Sections 1(a)(1) and (2), 2(b)(1) and (2) and 3(a)(1) were redrafted and
Section 4 was added for clarity and consistency.
GAE Joint Favorable Subst. -LCO