General Assembly
Raised Bill No. 1356
January Session, 2025
LCO No. 5102
Referred to Committee on GENERAL LAW
Introduced by: (GL)
AN ACT CONCERNING DATA PRIVACY, ONLINE MONITORING, SOCIAL MEDIA AND DATA BROKERS.
Be it enacted by the Senate and House of Representatives in General Assembly convened:
Section 1. Section 42-515 of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2025):
As used in this section and sections 42-516 to 42-526, inclusive, as amended by this act, unless the context otherwise requires:
(1) "Abortion" means terminating a pregnancy for any purpose other than producing a live birth.
(2) "Affiliate" means a legal entity that shares common branding with another legal entity or controls, is controlled by or is under common control with another legal entity. For the purposes of this subdivision, "control" and "controlled" mean (A) ownership of, or the power to vote, more than fifty per cent of the outstanding shares of any class of voting security of a company, (B) control in any manner over the election of a majority of the directors or of individuals exercising similar functions, or (C) the power to exercise controlling influence over the management of a company.
(3) "Authenticate" means to use reasonable means to determine that a request to exercise any of the rights afforded under subdivisions (1) to (4), inclusive, of subsection (a) of section 42-518, as amended by this act, is being made by, or on behalf of, the consumer who is entitled to exercise such consumer rights with respect to the personal data at issue.
(4) "Biometric data" means data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns or characteristics that [are used to identify] can be associated with a specific individual. "Biometric data" does not include (A) a digital or physical photograph, (B) an audio or video recording, or (C) any data generated from a digital or physical photograph, or an audio or video recording, unless such data [is] are generated to identify a specific individual.
(5) "Business associate" has the same meaning as provided in HIPAA.
(6) "Child" has the same meaning as provided in COPPA.
(7) "Consent" means a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. "Consent" may include a written statement, including by electronic means, or any other unambiguous affirmative action. "Consent" does not include (A) acceptance of general or broad terms of use or a similar document that contains descriptions of personal data processing along with other, unrelated information, (B) hovering over, muting, pausing or closing a given piece of content, or (C) agreement obtained through the use of dark patterns.
(8) "Consumer" means an individual who is a resident of this state. "Consumer" does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit or government agency.
(9) "Consumer health data" means any personal data that a controller uses to identify a consumer's physical or mental health condition, [or] diagnosis or status, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.
(10) "Consumer health data controller" means any controller that, alone or jointly with others, determines the purpose and means of processing consumer health data.
(11) "Controller" means a person who, alone or jointly with others, determines the purpose and means of processing personal data.
(12) "COPPA" means the Children's Online Privacy Protection Act of 1998, 15 USC 6501 et seq., and the regulations, rules, guidance and exemptions adopted pursuant to said act, as said act and such regulations, rules, guidance and exemptions may be amended from time to time.
(13) "Covered entity" has the same meaning as provided in HIPAA.
(14) "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, and includes, but is not limited to, any practice the Federal Trade Commission refers to as a "dark pattern".
(15) "Decisions that produce legal or similarly significant effects concerning the consumer" means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services or access to essential goods or services.
(16) "De-identified data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual, if the controller that possesses such data (A) takes reasonable measures to ensure that such data cannot be associated with an individual, (B) publicly commits to process such data only in a de-identified fashion and not attempt to re-identify such data, and (C) contractually obligates any recipients of such data to satisfy the criteria set forth in subparagraphs (A) and (B) of this subdivision.
(17) "Gender-affirming health care services" has the same meaning as provided in section 52-571n.
(18) "Gender-affirming health data" means any personal data concerning an effort made by a consumer to seek, or a consumer's receipt of, gender-affirming health care services.
(19) "Geofence" means any technology that uses global positioning coordinates, cell tower connectivity, cellular data, radio frequency identification, wireless fidelity technology data or any other form of location detection, or any combination of such coordinates, connectivity, data, identification or other form of location detection, to establish a virtual boundary.
(20) "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, 42 USC 1320d et seq., as amended from time to time.
(21) "Identified or identifiable individual" means an individual who can be readily identified, directly or indirectly.
(22) "Institution of higher education" means any individual who, or school, board, association, limited liability company or corporation that, is licensed or accredited to offer one or more programs of higher learning leading to one or more degrees.
(23) "Know" means to have actual knowledge or knowledge fairly implied on the basis of objective circumstances.
[(23)] (24) "Mental health facility" means any health care facility in which at least seventy per cent of the health care services provided in such facility are mental health services.
(25) "Neural data" means any information that is generated by measuring the activity of an individual's central or peripheral nervous system.
[(24)] (26) "Nonprofit organization" means any organization that is exempt from taxation under Section 501(c)(3), 501(c)(4), 501(c)(6) or 501(c)(12) of the Internal Revenue Code of 1986, or any subsequent corresponding internal revenue code of the United States, as amended from time to time.
[(25)] (27) "Person" means an individual, association, company, limited liability company, corporation, partnership, sole proprietorship, trust or other legal entity.
[(26)] (28) "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable individual. "Personal data" does not include de-identified data or publicly available information.
[(27)] (29) "Precise geolocation data" means information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred fifty feet. "Precise geolocation data" does not include the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.
[(28)] (30) "Process" and "processing" mean any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.
[(29)] (31) "Processor" means a person who processes personal data on behalf of a controller.
[(30)] (32) "Profiling" means any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
[(31)] (33) "Protected health information" has the same meaning as provided in HIPAA.
[(32)] (34) "Pseudonymous data" means personal data that cannot be attributed to a specific individual without the use of additional information, provided such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data [is] are not attributed to an identified or identifiable individual.
[(33)] (35) "Publicly available information" means information that (A) is lawfully made available through federal, state or municipal government records or widely distributed media, [and] or (B) a controller has a reasonable basis to believe a consumer has lawfully made available to the general public. "Publicly available information" does not include any (i) information that is collated and combined to create a consumer profile that is made available to a user of a publicly available Internet web site either in exchange for payment or free of charge, (ii) information that is made available for sale, or (iii) inference that is generated from the information described in subparagraph (B)(i) or (B)(ii) of this subdivision.
[(34)] (36) "Reproductive or sexual health care" means any health care-related services or products rendered or provided concerning a consumer's reproductive system or sexual well-being, including, but not limited to, any such service or product rendered or provided concerning (A) an individual health condition, status, disease, diagnosis, diagnostic test or treatment, (B) a social, psychological, behavioral or medical intervention, (C) a surgery or procedure, including, but not limited to, an abortion, (D) a use or purchase of a medication, including, but not limited to, a medication used or purchased for the purposes of an abortion, (E) a bodily function, vital sign or symptom, (F) a measurement of a bodily function, vital sign or symptom, or (G) an abortion, including, but not limited to, medical or nonmedical services, products, diagnostics, counseling or follow-up services for an abortion.
[(35)] (37) "Reproductive or sexual health data" means any personal data concerning an effort made by a consumer to seek, or a consumer's receipt of, reproductive or sexual health care.
[(36)] (38) "Reproductive or sexual health facility" means any health care facility in which at least seventy per cent of the health care-related services or products rendered or provided in such facility are reproductive or sexual health care.
[(37)] (39) "Sale of personal data" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. "Sale of personal data" does not include (A) the disclosure of personal data to a processor that processes the personal data on behalf of the controller, (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer, (C) the disclosure or transfer of personal data to an affiliate of the controller, (D) the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party, (E) the disclosure of personal data that the consumer (i) intentionally made available to the general public via a channel of mass media, and (ii) did not restrict to a specific audience, or (F) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller's assets.
[(38)] (40) "Sensitive data" means personal data that includes (A) data revealing (i) racial or ethnic origin, (ii) religious or philosophical beliefs, (iii) a mental or physical health condition, [or] diagnosis, disability or treatment, (iv) sex life, sexual orientation or status as nonbinary or transgender, or (v) citizenship or immigration status, (B) consumer health data, (C) [the processing of] genetic or biometric data [for the purpose of uniquely identifying an individual] or information derived therefrom, (D) personal data collected from [a known] an individual the controller knows or has reason to know is a child, (E) data concerning an individual's status as a victim of crime, as defined in section 1-1k, [or] (F) visual media, including, but not limited to, a photograph, film, videotape or other recorded image, of a body part described in subsection (a) of section 53a-189c, whether clothed in an undergarment or a less than fully opaque covering, (G) precise geolocation data, (H) neural data, (I) financial information, including, but not limited to, a consumer's financial account number, financial account log-in information or credit card or debit card number that, in combination with any required access or security code, password or credential, would allow access to a consumer's financial account, or (J) government-issued identification number, including, but not limited to, Social Security number, passport number, state identification card number or driver's license number, that applicable law does not require to be publicly displayed.
[(39)] (41) "Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer's activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer's preferences or interests. "Targeted advertising" does not include (A) advertisements based on activities within a controller's own Internet web sites or online applications, (B) advertisements based on the context of a consumer's current search query, visit to an Internet web site or online application, (C) advertisements directed to a consumer in response to the consumer's request for information or feedback, or (D) processing personal data solely to measure or report advertising frequency, performance or reach.
[(40)] (42) "Third party" means a person, such as a public authority, agency or body, other than the consumer, controller or processor or an affiliate of the processor or the controller.
[(41)] (43) "Trade secret" has the same meaning as provided in section 35-51.
Sec. 2.
Section 42-516 of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2025):
The provisions of sections 42-515 to 42-525, inclusive, as amended by this act, apply to persons that: [conduct] (1) Conduct business in this state, or [persons that] produce products or services that are targeted to residents of this state, and [that] during the preceding calendar year [: (1) Controlled] (A) controlled or processed the personal data of not [less] fewer than [one hundred thousand] thirty-five thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, [;] or [(2)] (B) controlled or processed the personal data of not [less] fewer than [twenty-five thousand] ten thousand consumers and derived more than [twenty-five] twenty per cent of their gross revenue from the sale of personal data; (2) control or process consumers' sensitive data; or (3) offer consumers' personal data for sale in trade or commerce.
Sec. 3. Subsections (a) and (b) of section 42-517 of the general statutes are repealed and the following is substituted in lieu thereof (Effective October 1, 2025):
(a) The provisions of sections 42-515 to 42-525, inclusive, as amended by this act, do not apply to any: (1) Body, authority, board, bureau, commission, district or agency of this state or of any political subdivision of this state; (2) person who has entered into a contract with any body, authority, board, bureau, commission, district or agency described in subdivision (1) of this subsection while such person is processing consumer health data on behalf of such body, authority, board, bureau, commission, district or agency pursuant to such contract; (3) [nonprofit organization; (4)] institution of higher education; [(5)] (4) national securities association that is registered under 15 USC 78o-3 of the Securities Exchange Act of 1934, as amended from time to time; [(6) financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq.; (7) covered entity or business associate, as defined in 45 CFR 160.103; (8)] (5) tribal nation government organization; or [(9)] (6) air carrier, as defined in 49 USC 40102, as amended from time to time, and regulated under the Federal Aviation Act of 1958, 49 USC 40101 et seq., and the Airline Deregulation Act of 1978, 49 USC 41713, as said acts may be amended from time to time.
(b) The following information and data [is] are exempt from the provisions of sections 42-515 to 42-526, inclusive, as amended by this act: (1) Protected health information under HIPAA; (2) patient-identifying information for purposes of 42 USC 290dd-2; (3) identifiable private information for purposes of the federal policy for the protection of human subjects under 45 CFR 46; (4) identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use; (5) the protection of human subjects under 21 CFR Parts 6, 50 and 56, or personal data used or shared in research, as defined in 45 CFR 164.501, that is conducted in accordance with the standards set forth in this subdivision and subdivisions (3) and (4) of this subsection, or other research conducted in accordance with applicable law; (6) information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq.; (7) patient safety work product for purposes of section 19a-127o and the Patient Safety and Quality Improvement Act, 42 USC 299b-21 et seq., as amended from time to time; (8) information derived from any of the health care-related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA; (9) information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection that is maintained by a covered entity or business associate, program or qualified service organization, as specified in 42 USC 290dd-2, as amended from time to time; (10) information used for public health activities and purposes as authorized by HIPAA, community health activities and population health activities; (11) the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency, furnisher or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 USC 1681 et seq., as amended from time to time; (12) personal data collected, processed, sold or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 USC 2721 et seq., as amended from time to time; (13) personal data regulated by the Family Educational Rights and Privacy Act, 20 USC 1232g et seq., as amended from time to time; (14) personal data collected, processed, sold or disclosed in compliance with the Farm Credit Act,
12 USC 2001 et seq., as amended from time to time; (15) data processed or maintained (A) in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor, consumer health data controller or third party, to the extent that the data [is] are collected and used within the context of that role, (B) as the emergency contact information of an individual under sections 42-515 to 42-526, inclusive, as amended by this act, used for emergency contact purposes, or (C) that is necessary to retain to administer benefits for another individual relating to the individual who is the subject of the information under subdivision (1) of this subsection and used for the purposes of administering such benefits; [and] (16) personal data collected, processed, sold or disclosed in relation to price, route or service, as such terms are used in the Federal Aviation Act of 1958, 49 USC 40101 et seq., and the Airline Deregulation Act of 1978, 49 USC 41713, as said acts may be amended from time to time; and (17) data subject to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq., as amended from time to time.
Sec. 4.
Subsection (a) of section 42-518 of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2025):
(a) A consumer shall have the right to: (1) Confirm whether or not a controller is processing the consumer's personal data and access such personal data, including, but not limited to, any inferences derived from such personal data, unless such confirmation or access would require the controller to reveal a trade secret; (2) correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data; (3) delete personal data provided by, or obtained about, the consumer; (4) obtain a copy of the consumer's personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller shall not be required to reveal any trade secret; [and] (5) opt out of the processing of the personal data for purposes of (A) targeted advertising, (B) the sale of personal data, except as provided in subsection (b) of section 42-520, as amended by this act, or (C) profiling in furtherance of [solely] automated decisions that produce legal or similarly significant effects concerning the consumer; and (6) obtain from the controller (A) a list of the third parties to which such controller has disclosed the consumer's personal data, or (B) if such controller does not maintain a list of the third parties to which such controller has disclosed the consumer's personal data, a list of all third parties to which such controller has disclosed personal data.
Sec. 5.
Subsections (a) to (c), inclusive, of section 42-520 of the general statutes are repealed and the following is substituted in lieu thereof (Effective October 1, 2025):
(a) A controller shall: (1) Limit the collection of personal data to what is [adequate, relevant and] reasonably necessary [in relation to the purposes for which such data is processed, as disclosed to] and proportionate to provide or maintain a product or service specifically requested by the consumer; (2) [except as otherwise provided in sections 42-515 to 42-525, inclusive,] not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data [is] are processed, as disclosed to the consumer, unless the controller obtains the consumer's consent; (3) establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue; (4) not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA; (5) not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers; (6) provide an effective mechanism for a consumer to revoke the consumer's consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than fifteen days after the receipt of such request; (7) not sell sensitive data unless the controller obtains the consumer's consent; and [(7)] (8) not
process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data without the consumer's consent, under circumstances where a controller [has actual knowledge, or wilfully disregards,] knows or should know that the consumer is at least thirteen years of age but younger than sixteen years of age. A controller shall not discriminate against a consumer for exercising any of the consumer rights contained in sections 42-515 to 42-525, inclusive, as amended by this act, including denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer.
(b) Nothing in subsection (a) of this section shall be construed to require a controller to provide a product or service that requires the personal data of a consumer which the controller does not collect or maintain, or prohibit a controller from offering a different price, rate, level, quality or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.
(c) A controller shall provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes: (1) The categories of personal data processed by the controller; (2) the purpose for processing personal data; (3) how consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request; (4) the categories of personal data that the controller shares with third parties, if any; (5) the [categories of third parties] identity of each third party, if any, with which the controller shares personal data; and (6) an active electronic mail address or other online mechanism that the consumer may use to contact the controller.
Sec. 6. Section 42-524 of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2025):
(a) Nothing in sections 42-515 to 42-526, inclusive, as amended by this act, shall be construed to restrict a controller's, processor's or consumer health data controller's ability to: (1) Comply with federal, state or municipal ordinances or regulations; (2) comply with a civil, criminal or regulatory inquiry, investigation, subpoena or summons by federal, state, municipal or other governmental authorities; (3) cooperate with law enforcement agencies concerning conduct or activity that the controller, processor or consumer health data controller reasonably and in good faith believes may violate federal, state or municipal ordinances or regulations; (4) investigate, establish, exercise, prepare for or defend legal claims; (5) provide a product or service specifically requested by a consumer; (6) perform under a contract to which a consumer is a party, including fulfilling the terms of a written warranty; (7) take steps at the request of a consumer prior to entering into a contract; (8) take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual, and where the processing cannot be manifestly based on another legal basis; (9) prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities or any illegal activity, preserve the integrity or security of systems or investigate, report or prosecute those responsible for any such action; (10) engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored and governed by an institutional review board that determines, or similar independent oversight entities that determine, (A) whether the deletion of the information is likely to provide substantial benefits that do not exclusively accrue to the controller or consumer health data controller, (B) the expected benefits of the research outweigh the
privacy risks, and (C) whether the 447 controller or consumer health data controller has implemented 448 reasonable safeguards to mitigate privacy risks associated with 449 research, including any risks associated with re-identification; (11) assist 450 another controller, processor, consumer health data controller or third 451 party with any of the obligations under sections 42-515 to 42-526, 452 inclusive, as amended by this act; or (12) process personal data for 453 reasons of public interest in the area of public health, community health 454 Raised Bill No. 1356 LCO No. 5102 16 of 30 or population health, but solely to the extent that such processing is (A) 455 subject to suitable and specific measures to safeguard the rights of the 456 consumer whose personal data [is] are being processed, and (B) under 457 the responsibility of a professional subject to confidentiality obligations 458 under federal, state or local law. 459 (b) The obligations imposed on controllers, processors or consumer 460 health data controllers under sections 42-515 to 42-526, inclusive, as 461 amended by this act, shall not restrict a controller's, processor's or 462 consumer health data controller's ability to collect, use or retain data for 463 internal use to: (1) Conduct internal research to develop, improve or 464 repair products, services or technology; (2) effectuate a product recall; 465 (3) identify and repair technical errors that impair existing or intended 466 functionality; or (4) perform solely internal operations that are 467 reasonably aligned with the expectations of the consumer or reasonably 468 anticipated based on the consumer's existing relationship with the 469 controller or consumer health data controller, or are otherwise 470 compatible with processing data in furtherance of the provision of a 471 product or service specifically requested by a consumer or the 472 performance of a contract to which the consumer is a party. 
(c) The obligations imposed on controllers, processors or consumer health data controllers under sections 42-515 to 42-526, inclusive, as amended by this act, shall not apply where compliance by the controller, processor or consumer health data controller with said sections would violate an evidentiary privilege under the laws of this state. Nothing in sections 42-515 to 42-526, inclusive, as amended by this act, shall be construed to prevent a controller, processor or consumer health data controller from providing personal data concerning a consumer to a person covered by an evidentiary privilege under the laws of the state as part of a privileged communication.
[(d) A controller, processor or consumer health data controller that discloses personal data to a processor or third-party controller in accordance with sections 42-515 to 42-526, inclusive, shall not be deemed to have violated said sections if the processor or third-party controller that receives and processes such personal data violates said sections, provided, at the time the disclosing controller, processor or consumer health data controller disclosed such personal data, the disclosing controller, processor or consumer health data controller did not have actual knowledge that the receiving processor or third-party controller would violate said sections. A third-party controller or processor receiving personal data from a controller, processor or consumer health data controller in compliance with sections 42-515 to 42-526, inclusive, is likewise not in violation of said sections for the transgressions of the controller, processor or consumer health data controller from which such third-party controller or processor receives such personal data.]
[(e)] (d) Nothing in sections 42-515 to 42-526, inclusive, as amended by this act, shall be construed to: (1) Impose any obligation on a controller, processor or consumer health data controller that adversely affects the rights or freedoms of any person, including, but not limited to, the rights of any person (A) to freedom of speech or freedom of the press guaranteed in the First Amendment to the United States Constitution, or (B) under section 52-146t; or (2) apply to any person's processing of personal data in the course of such person's purely personal or household activities.
[(f)] (e) Personal data processed by a controller or consumer health data controller pursuant to this section may be processed to the extent that such processing is: (1) Reasonably necessary and proportionate to the purposes listed in this section; and (2) adequate, relevant and limited to what is necessary in relation to the specific purposes listed in this section. Personal data collected, used or retained pursuant to subsection (b) of this section shall, where applicable, take into account the nature and purpose or purposes of such collection, use or retention. Such data shall be subject to reasonable administrative, technical and physical measures to protect the confidentiality, integrity and accessibility of the personal data and to reduce reasonably foreseeable risks of harm to consumers relating to such collection, use or retention of personal data.
[(g)] (f) If a controller or consumer health data controller processes personal data pursuant to an exemption in this section, the controller or consumer health data controller bears the burden of demonstrating that such processing qualifies for the exemption and complies with the requirements in subsection [(f)] (e) of this section.
[(h)] (g) Processing personal data for the purposes expressly identified in this section shall not solely make a legal entity a controller or consumer health data controller with respect to such processing.
Sec. 7. Subsections (a) and (b) of section 42-528 of the general statutes are repealed and the following is substituted in lieu thereof (Effective October 1, 2025):
(a) For the purposes of this section:
(1) "Authenticate" means to use reasonable means and make a commercially reasonable effort to determine whether a request to exercise any right afforded under subsection (b) of this section has been submitted by, or on behalf of, the minor who is entitled to exercise such right;
(2) "Consumer" has the same meaning as provided in section 42-515, as amended by this act;
(3) "Minor" means any consumer who is younger than eighteen years of age;
(4) "Personal data" has the same meaning as provided in section 42-515, as amended by this act;
(5) "Social media platform" (A) means a public or semi-public Internet-based service or application that (i) is used by a consumer in this state, (ii) is primarily intended to connect and allow users to socially interact within such service or application, and (iii) enables a user to [(I)] construct a public or semi-public profile for the purposes of signing into and using such service or application, [(II) populate a public list of other users with whom the user shares a social connection within such service or application, and (III) create or post content that is viewable by other users, including, but not limited to, on message boards, in chat rooms, or through a landing page or main feed that presents the user with content generated by other users,] and (B) does not include a public or semi-public Internet-based service or application that (i) exclusively provides electronic mail or direct messaging services, (ii) primarily consists of news, sports, entertainment, interactive video games, electronic commerce or content that is preselected by the provider or for which any chat, comments or interactive functionality is incidental to, directly related to, or dependent on the provision of such content, or (iii) is used by and under the direction of an educational entity, including, but not limited to, a learning management system or a student engagement program; and
(6) "Unpublish" means to remove a social media platform account from public visibility.
(b) (1) Not later than fifteen business days after a social media platform receives a request from a minor or, if the minor is younger than sixteen years of age, from such minor's parent or legal guardian to unpublish such minor's social media platform account, the social media platform shall unpublish such minor's social media platform account.
(2) Not later than forty-five business days after a social media platform receives a request from a minor or, if the minor is younger than sixteen years of age, from such minor's parent or legal guardian to delete such minor's social media platform account, the social media platform shall delete such minor's social media platform account and cease processing such minor's personal data except where the preservation of such minor's social media platform account or personal data is otherwise permitted or required by applicable law, including, but not limited to, sections 42-515 to 42-525, inclusive, as amended by this act. A social media platform may extend such forty-five business day period by an additional forty-five business days if such extension is reasonably necessary considering the complexity and number of the consumer's requests, provided the social media platform informs the minor or, if the minor is younger than sixteen years of age, such minor's parent or legal guardian within the initial forty-five business day response period of such extension and the reason for such extension.
(3) A social media platform shall establish, and shall describe in a privacy notice, one or more secure and reliable means for submitting a request pursuant to this subsection. A social media platform that provides a mechanism for a minor or, if the minor is younger than sixteen years of age, the minor's parent or legal guardian to initiate a process to delete or unpublish such minor's social media platform account shall be deemed to be in compliance with the provisions of this subsection.
(4) No social media platform shall require a minor's parent or legal guardian to create a social media platform account to submit a request pursuant to this subsection. A social media platform may require a minor's parent or legal guardian to use an existing social media platform account to submit such a request, provided such parent or legal guardian has access to the existing social media platform account.
Sec. 8. Section 42-529 of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2025):
For the purposes of this section and sections 42-529a to 42-529e, inclusive, as amended by this act:
(1) "Adult" means any individual who is at least eighteen years of age;
(2) "Consent" has the same meaning as provided in section 42-515, as amended by this act;
(3) "Consumer" has the same meaning as provided in section 42-515, as amended by this act;
(4) "Controller" has the same meaning as provided in section 42-515, as amended by this act;
(5) "Heightened risk of harm to minors" means processing minors' personal data in a manner that presents any reasonably foreseeable risk of (A) any unfair or deceptive treatment of, or any unlawful disparate impact on, minors, (B) any financial, physical or reputational injury to minors, or (C) any physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of minors if such intrusion would be offensive to a reasonable person;
(6) "HIPAA" has the same meaning as provided in section 42-515, as amended by this act;
(7) "Know" has the same meaning as provided in section 42-515, as amended by this act;
[(7)] (8) "Minor" means any consumer who is younger than eighteen years of age;
[(8)] (9) "Online service, product or feature" means any service, product or feature that is provided online. "Online service, product or feature" does not include any (A) telecommunications service, as defined in 47 USC 153, as amended from time to time, (B) broadband Internet access service, as defined in 47 CFR 54.400, as amended from time to time, or (C) delivery or use of a physical product;
[(9)] (10) "Person" has the same meaning as provided in section 42-515, as amended by this act;
[(10)] (11) "Personal data" has the same meaning as provided in section 42-515, as amended by this act;
[(11)] (12) "Precise geolocation data" has the same meaning as provided in section 42-515, as amended by this act;
[(12)] (13) "Process" and "processing" have the same meaning as provided in section 42-515, as amended by this act;
[(13)] (14) "Processor" has the same meaning as provided in section 42-515, as amended by this act;
[(14)] (15) "Profiling" has the same meaning as provided in section 42-515, as amended by this act;
[(15)] (16) "Protected health information" has the same meaning as provided in section 42-515, as amended by this act;
[(16)] (17) "Sale of personal data" has the same meaning as provided in section 42-515, as amended by this act;
[(17)] (18) "Targeted advertising" has the same meaning as provided in section 42-515, as amended by this act; and
[(18)] (19) "Third party" has the same meaning as provided in section 42-515, as amended by this act.
Sec. 9. Section 42-529a of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2025):
(a) Each controller that offers any online service, product or feature to consumers whom such controller [has actual knowledge, or wilfully disregards,] knows or should know are minors shall use reasonable care to avoid any heightened risk of harm to minors caused by such online service, product or feature.
[In any enforcement action brought by the Attorney General pursuant to section 42-529e, there shall be a rebuttable presumption that a controller used reasonable care as required under this section if the controller complied with the provisions of section 42-529b concerning data protection assessments.]
(b) (1) [Subject to the consent requirement established in subdivision (3) of this subsection, no] No controller that offers any online service, product or feature to consumers whom such controller [has actual knowledge, or wilfully disregards,] knows or should know are minors shall: (A) Process any minor's personal data (i) for the purposes of (I) targeted advertising, (II) any sale of personal data, or (III) profiling in furtherance of any [fully] automated decision made by such controller that produces any legal or similarly significant effect concerning the provision or denial by such controller of any financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunity, health care services or access to essential goods or services, (ii) unless such processing is reasonably necessary to provide such online service, product or feature, (iii) for any processing purpose (I) other than the processing purpose that the controller disclosed at the time such controller collected such personal data, or (II) that is reasonably necessary for, and compatible with, the processing purpose described in subparagraph (A)(iii)(I) of this subdivision, or (iv) for longer than is reasonably necessary to provide such online service, product or feature; or (B) use any system design feature to significantly increase, sustain or extend any minor's use of such online service, product or feature. The provisions of this subdivision shall not apply to any service or application that is used by and under the direction of an educational entity, including, but not limited to, a learning management system or a student engagement program.
(2) [Subject to the consent requirement established in subdivision (3) of this subsection, no] No controller that offers an online service, product or feature to consumers whom such controller [has actual knowledge, or wilfully disregards,] knows or should know are minors shall collect a minor's precise geolocation data unless: (A) Such precise geolocation data [is reasonably] are strictly necessary for the controller to provide such online service, product or feature and, if such data [is] are necessary to provide such online service, product or feature, such controller may only collect such data for the time necessary to provide such online service, product or feature; and (B) the controller provides to the minor a signal indicating that such controller is collecting such precise geolocation data, which signal shall be available to such minor for the entire duration of such collection.
[(3) No controller shall engage in the activities described in subdivisions (1) and (2) of this subsection unless the controller obtains the minor's consent or, if the minor is younger than thirteen years of age, the consent of such minor's parent or legal guardian.
A controller that complies with the verifiable parental consent requirements established in the Children's Online Privacy Protection Act of 1998, 15 USC 6501 et seq., and the regulations, rules, guidance and exemptions adopted pursuant to said act, as said act and such regulations, rules, guidance and exemptions may be amended from time to time, shall be deemed to have satisfied any requirement to obtain parental consent under this subdivision.]
(c) (1) No controller that offers any online service, product or feature to consumers whom such controller [has actual knowledge, or wilfully disregards,] knows or should know are minors shall: (A) Provide any consent mechanism that is designed to substantially subvert or impair, or is manipulated with the effect of substantially subverting or impairing, user autonomy, decision-making or choice; or (B) except as provided in subdivision (2) of this subsection, offer any direct messaging apparatus for use by minors without providing readily accessible and easy-to-use safeguards to limit the ability of adults to send unsolicited communications to minors with whom they are not connected.
(2) The provisions of subparagraph (B) of subdivision (1) of this subsection shall not apply to services where the predominant or exclusive function is: (A) Electronic mail; or (B) direct messaging consisting of text, photos or videos that are sent between devices by electronic means, where messages are (i) shared between the sender and the recipient, (ii) only visible to the sender and the recipient, and (iii) not posted publicly.
Sec. 10. Subsection (a) of section 42-529b of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2025):
(a) Each controller that [, on or after October 1, 2024,] offers any online service, product or feature to consumers whom such controller [has actual knowledge, or wilfully disregards,] knows or should know are minors shall conduct a data protection assessment for such online service, product or feature: (1) In a manner that is consistent with the requirements established in section 42-522; and (2) that addresses (A) the purpose of such online service, product or feature, (B) the categories of minors' personal data that such online service, product or feature processes, (C) the purposes for which such controller processes minors' personal data with respect to such online service, product or feature, and (D) any heightened risk of harm to minors that is a reasonably foreseeable result of offering such online service, product or feature to minors.
Sec. 11. Subsection (d) of section 42-529d of the general statutes is repealed and the following is substituted in lieu thereof (Effective October 1, 2025):
(d) No obligation imposed on a controller or processor under any provision of sections 42-529 to 42-529c, inclusive, as amended by this act, or section 42-529e shall be construed to restrict a controller's or processor's ability to collect, use or retain data for internal use to: (1) Conduct internal research to develop, improve or repair products, services or technology; (2) effectuate a product recall; (3) identify and repair technical errors that impair existing or intended functionality; or (4) perform solely internal operations that are (A) reasonably aligned with the expectations of a minor or reasonably anticipated based on the minor's existing relationship with the controller or processor, or (B) otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a minor.
Sec. 12. (NEW) (Effective October 1, 2025) (a) As used in this section:
(1) "Brokered personal data" means any personal data that are categorized or organized for the purpose of enabling a data broker to sell or license such personal data to another person;
(2) "Business" (A) means (i) a person who regularly engages in commercial activities for the purpose of generating income, (ii) a bank, Connecticut credit union, federal credit union, out-of-state bank, out-of-state trust company or out-of-state credit union, as said terms are defined in section 36a-2 of the general statutes, and (iii) any other person that controls, is controlled by or is under common control with a person described in subparagraph (A)(i) or (A)(ii) of this subdivision, and (B) does not include any body, authority, board, bureau, commission, district or agency of this state or of any political subdivision of this state;
(3) "Consumer" has the same meaning as provided in section 42-515 of the general statutes, as amended by this act;
(4) "Data broker" means any business or, if such business is an entity, any portion of such business that sells or licenses brokered personal data to another person;
(5) "Department" means the Department of Consumer Protection;
(6) "License" (A) means to grant access to, or distribute, personal data in exchange for consideration, and (B) does not include any use of personal data for the sole benefit of the person who provided such personal data if such person maintains control over the use of such personal data;
(7) "Person" has the same meaning as provided in section 42-515 of the general statutes, as amended by this act; and
(8) "Personal data" (A) means any data concerning a consumer that, either alone or in combination with any other data that are sold or licensed by a data broker to another person, can reasonably be associated with the consumer, and (B) includes, but is not limited to, (i) a consumer's name or the name of any member of the consumer's immediate family or household, (ii) a consumer's address or the address of any member of the consumer's immediate family or household, (iii) a consumer's birth date or place of birth, (iv) the maiden name of a consumer's mother, (v) biometric data, as defined in section 42-515 of the general statutes, as amended by this act, concerning a consumer, and (vi) a consumer's Social Security number or any other government-issued identification number issued to the consumer.
(b) (1) Except as provided in subdivision (4) of this subsection and subsection (d) of this section, no data broker shall sell or license brokered personal data in this state unless the data broker is actively registered with the Department of Consumer Protection in accordance with the provisions of this subsection. A data broker who desires to sell or license brokered personal data in this state shall submit an application to the department in a form and manner prescribed by the Commissioner of Consumer Protection. Each application for registration as a data broker shall be accompanied by a registration fee in the amount of six hundred dollars. Each registration issued pursuant to this subsection shall expire on December thirty-first of the year in which such registration was issued and may be renewed for successive one-year terms upon application made in the manner set forth in this subsection and payment of a registration renewal fee in the amount of six hundred dollars.
(2) Except as provided in subdivision (4) of this subsection, each application submitted to the department pursuant to subdivision (1) of this subsection shall include:
(A) The applicant's name, mailing address, electronic mail address and telephone number;
(B) The address of the applicant's primary Internet web site; and
(C) A statement by the applicant disclosing the measures the applicant shall take to ensure that no personal data is sold or licensed in violation of the provisions of sections 42-515 to 42-525, inclusive, of the general statutes, as amended by this act.
(3) The department shall make all information that an applicant submits to the department pursuant to subdivision (2) of this subsection publicly available on the department's Internet web site.
(4) The department may approve and renew an application for registration as a data broker in accordance with the terms of an agreement between the department and the Nationwide Multistate Licensing System.
(c) No data broker shall sell or license any personal data in violation of the provisions of sections 42-515 to 42-525, inclusive, of the general statutes, as amended by this act. Each data broker shall implement measures to ensure that the data broker does not sell or license any personal data in violation of the provisions of sections 42-515 to 42-525, inclusive, of the general statutes, as amended by this act.
(d) (1) The provisions of this section shall not apply to: (A) A consumer reporting agency, as defined in 15 USC 1681a(f), as amended from time to time, a person that furnishes information to a consumer reporting agency, as provided in 15 USC 1681s-2, as amended from time to time, or a user of a consumer report, as defined in 15 USC 1681a(d), as amended from time to time, to the extent that the consumer reporting agency, person or user engages in activities that are subject to regulation under the Fair Credit Reporting Act, 15 USC 1681 et seq., as amended from time to time; (B) a financial institution, an affiliate or a nonaffiliated third party, as said terms are defined in 15 USC 6809, as amended from time to time, to the extent that the financial institution, affiliate or nonaffiliated third party engages in activities that are subject to regulation under Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq., and the regulations adopted thereunder, as said act and regulations may be amended from time to time; (C) a business that collects information concerning a consumer if the consumer (i) is a customer, subscriber or user of goods or services sold or offered by the business, (ii) is in a contractual relationship with the business, (iii) is an investor in the business, (iv) is a donor to the business, or (v) otherwise maintains a relationship with the business that is similar to the relationships described in subparagraphs (C)(i) to (C)(iv), inclusive, of this subdivision; or (D) a business that performs services for, or acts as an agent or on behalf of, a business described in subparagraph (C) of this subdivision.
(2) No provision of this section shall be construed to prohibit an unregistered data broker from engaging in any sale or licensing of brokered personal data if such sale or licensing exclusively involves: (A) Publicly available information (i) concerning a consumer's business or profession, or (ii) sold or licensed as part of a service that provides alerts for health or safety purposes; (B) information that is lawfully available from any federal, state or local government record; (C) providing digital access to any (i) journal, book, periodical, newspaper, magazine or news media, or (ii) educational, academic or instructional work; (D) developing or maintaining an electronic commerce service or software; (E) providing directory assistance or directory information services as, or on behalf of, a telecommunications carrier; or (F) a one-time or occasional disposition of the assets of a business, or any portion of a business, as part of a transfer of control over the assets of the business that is not part of the ordinary conduct of such business or portion of such business.
(e) The Commissioner of Consumer Protection may adopt regulations, in accordance with the provisions of chapter 54 of the general statutes, to implement the provisions of this section.
(f) The Commissioner of Consumer Protection, after providing notice and conducting a hearing in accordance with the provisions of chapter 54 of the general statutes, may impose a civil penalty of not more than five hundred dollars per day for each violation of this section. The sum of civil penalties imposed on a data broker pursuant to this subsection shall not exceed ten thousand dollars during any calendar year.
This act shall take effect as follows and shall amend the following sections:
Section 1    October 1, 2025    42-515
Sec. 2       October 1, 2025    42-516
Sec. 3       October 1, 2025    42-517(a) and (b)
Sec. 4       October 1, 2025    42-518(a)
Sec. 5       October 1, 2025    42-520(a) to (c)
Sec. 6       October 1, 2025    42-524
Sec. 7       October 1, 2025    42-528(a) and (b)
Sec. 8       October 1, 2025    42-529
Sec. 9       October 1, 2025    42-529a
Sec. 10      October 1, 2025    42-529b(a)
Sec. 11      October 1, 2025    42-529d(d)
Sec. 12      October 1, 2025    New section
Statement of Purpose: To (1) amend various laws concerning (A) consumer data privacy and online monitoring by (i) defining and redefining various terms, (ii) modifying the applicability threshold for controllers and processors, (iii) modifying the entity-level and data-level exemptions, and (iv) imposing additional requirements regarding disclosures and sales of personal data, sensitive data and consumer health data, (B) social media by (i) redefining "social media platform", and (ii) prohibiting a social media platform from requiring a parent to establish an account to submit certain requests concerning a minor, and (C) youth data privacy and online monitoring by (i) defining "know", (ii) eliminating a rebuttable presumption, and (iii) modifying the scope of permissible controller conduct, and (2) provide for the registration and regulation of data brokers.
[Proposed deletions are enclosed in brackets. Proposed additions are indicated by underline, except that when the entire text of a bill or resolution or a section of a bill or resolution is new, it is not underlined.]