Connecticut 2025 Regular Session

Connecticut Senate Bill SB01356 Latest Draft

Bill / Comm Sub Version Filed 04/09/2025

                             
 
LCO   	1 of 31 
  
General Assembly  Substitute Bill No. 1356  
January Session, 2025 
 
 
 
 
 
AN ACT CONCERNING DATA PRIVACY, ONLINE MONITORING, 
SOCIAL MEDIA, DATA BROKERS AND CONNECTED VEHICLE 
SERVICES.  
Be it enacted by the Senate and House of Representatives in General 
Assembly convened: 
 
Section 1. Section 42-515 of the general statutes is repealed and the 1 
following is substituted in lieu thereof (Effective October 1, 2025): 2 
As used in this section and sections 42-516 to 42-526, inclusive, as 3 
amended by this act, unless the context otherwise requires: 4 
(1) "Abortion" means terminating a pregnancy for any purpose other 5 
than producing a live birth. 6 
(2) "Affiliate" means a legal entity that shares common branding with 7 
another legal entity or controls, is controlled by or is under common 8 
control with another legal entity. For the purposes of this subdivision, 9 
"control" and "controlled" mean (A) ownership of, or the power to vote, 10 
more than fifty per cent of the outstanding shares of any class of voting 11 
security of a company, (B) control in any manner over the election of a 12 
majority of the directors or of individuals exercising similar functions, 13 
or (C) the power to exercise controlling influence over the management 14 
of a company. 15 
(3) "Authenticate" means to use reasonable means to determine that 16
a request to exercise any of the rights afforded under subdivisions (1) to 17 
(4), inclusive, of subsection (a) of section 42-518, as amended by this act, 18 
is being made by, or on behalf of, the consumer who is entitled to 19 
exercise such consumer rights with respect to the personal data at issue. 20 
(4) "Biometric data" means data generated by automatic 21 
measurements of an individual's biological characteristics, such as a 22 
fingerprint, a voiceprint, eye retinas, irises or other unique biological 23 
patterns or characteristics that [are used to identify] can be associated 24 
with a specific individual. "Biometric data" does not include (A) a digital 25 
or physical photograph, (B) an audio or video recording, or (C) any data 26 
generated from a digital or physical photograph, or an audio or video 27 
recording, unless such data [is] are generated to identify a specific 28 
individual. 29 
(5) "Business associate" has the same meaning as provided in HIPAA. 30 
(6) "Child" has the same meaning as provided in COPPA. 31 
(7) "Consent" means a clear affirmative act signifying a consumer's 32 
freely given, specific, informed and unambiguous agreement to allow 33 
the processing of personal data relating to the consumer. "Consent" may 34 
include a written statement, including by electronic means, or any other 35 
unambiguous affirmative action. "Consent" does not include (A) 36 
acceptance of general or broad terms of use or a similar document that 37 
contains descriptions of personal data processing along with other, 38 
unrelated information, (B) hovering over, muting, pausing or closing a 39 
given piece of content, or (C) agreement obtained through the use of 40 
dark patterns. 41 
(8) "Consumer" means an individual who is a resident of this state. 42 
"Consumer" does not include an individual acting in a commercial or 43 
employment context or as an employee, owner, director, officer or 44 
contractor of a company, partnership, sole proprietorship, nonprofit or 45 
government agency whose communications or transactions with the 46 
controller occur solely within the context of that individual's role with 47 
the company, partnership, sole proprietorship, nonprofit or government 48
agency. 49 
(9) "Consumer health data" means any personal data that a controller 50 
uses to identify a consumer's physical or mental health condition, [or] 51 
diagnosis or status, and includes, but is not limited to, gender-affirming 52 
health data and reproductive or sexual health data. 53 
(10) "Consumer health data controller" means any controller that, 54 
alone or jointly with others, determines the purpose and means of 55 
processing consumer health data. 56 
(11) "Controller" means a person who, alone or jointly with others, 57 
determines the purpose and means of processing personal data. 58 
(12) "COPPA" means the Children's Online Privacy Protection Act of 59 
1998, 15 USC 6501 et seq., and the regulations, rules, guidance and 60 
exemptions adopted pursuant to said act, as said act and such 61 
regulations, rules, guidance and exemptions may be amended from 62 
time to time. 63 
(13) "Covered entity" has the same meaning as provided in HIPAA. 64 
(14) "Dark pattern" means a user interface designed or manipulated 65 
with the substantial effect of subverting or impairing user autonomy, 66 
decision-making or choice, and includes, but is not limited to, any 67 
practice the Federal Trade Commission refers to as a "dark pattern". 68 
(15) "Decisions that produce legal or similarly significant effects 69 
concerning the consumer" means decisions made by the controller that 70 
result in the provision or denial by the controller of financial or lending 71 
services, housing, insurance, education enrollment or opportunity, 72 
criminal justice, employment opportunities, health care services or 73 
access to essential goods or services. 74 
(16) "De-identified data" means data that cannot reasonably be used 75 
to infer information about, or otherwise be linked to, an identified or 76 
identifiable individual, or a device linked to such individual, if the 77 
controller that possesses such data (A) takes reasonable measures to 78
ensure that such data cannot be associated with an individual, (B) 79 
publicly commits to process such data only in a de-identified fashion 80 
and not attempt to re-identify such data, and (C) contractually obligates 81 
any recipients of such data to satisfy the criteria set forth in 82 
subparagraphs (A) and (B) of this subdivision. 83 
(17) "Gender-affirming health care services" has the same meaning as 84 
provided in section 52-571n. 85 
(18) "Gender-affirming health data" means any personal data 86 
concerning an effort made by a consumer to seek, or a consumer's 87 
receipt of, gender-affirming health care services. 88 
(19) "Geofence" means any technology that uses global positioning 89 
coordinates, cell tower connectivity, cellular data, radio frequency 90 
identification, wireless fidelity technology data or any other form of 91 
location detection, or any combination of such coordinates, connectivity, 92 
data, identification or other form of location detection, to establish a 93 
virtual boundary. 94 
(20) "HIPAA" means the Health Insurance Portability and 95 
Accountability Act of 1996, 42 USC 1320d et seq., as amended from time 96 
to time. 97 
(21) "Identified or identifiable individual" means an individual who 98 
can be readily identified, directly or indirectly. 99 
(22) "Institution of higher education" means any individual who, or 100 
school, board, association, limited liability company or corporation that, 101 
is licensed or accredited to offer one or more programs of higher 102 
learning leading to one or more degrees. 103 
(23) "Mental health facility" means any health care facility in which at 104 
least seventy per cent of the health care services provided in such facility 105 
are mental health services. 106 
(24) "Neural data" means any information that is generated by 107 
measuring the activity of an individual's central or peripheral nervous 108
system. 109 
[(24)] (25) "Nonprofit organization" means any organization that is 110 
exempt from taxation under Section 501(c)(3), 501(c)(4), 501(c)(6) or 111 
501(c)(12) of the Internal Revenue Code of 1986, or any subsequent 112 
corresponding internal revenue code of the United States, as amended 113 
from time to time. 114 
[(25)] (26) "Person" means an individual, association, company, 115 
limited liability company, corporation, partnership, sole proprietorship, 116 
trust or other legal entity. 117 
[(26)] (27) "Personal data" means any information that is linked or 118 
reasonably linkable to an identified or identifiable individual. "Personal 119 
data" does not include de-identified data or publicly available 120 
information. 121 
[(27)] (28) "Precise geolocation data" means information derived from 122 
technology, including, but not limited to, global positioning system 123 
level latitude and longitude coordinates or other mechanisms, that 124 
directly identifies the specific location of an individual with precision 125 
and accuracy within a radius of one thousand seven hundred fifty feet. 126 
"Precise geolocation data" does not include the content of 127 
communications or any data generated by or connected to advanced 128 
utility metering infrastructure systems or equipment for use by a utility. 129 
[(28)] (29) "Process" and "processing" mean any operation or set of 130 
operations performed, whether by manual or automated means, on 131 
personal data or on sets of personal data, such as the collection, use, 132 
storage, disclosure, analysis, deletion or modification of personal data. 133 
[(29)] (30) "Processor" means a person who processes personal data 134 
on behalf of a controller. 135 
[(30)] (31) "Profiling" means any form of automated processing 136 
performed on personal data to evaluate, analyze or predict personal 137 
aspects related to an identified or identifiable individual's economic 138
situation, health, personal preferences, interests, reliability, behavior, 139 
location or movements. 140 
[(31)] (32) "Protected health information" has the same meaning as 141 
provided in HIPAA. 142 
[(32)] (33) "Pseudonymous data" means personal data that cannot be 143 
attributed to a specific individual without the use of additional 144 
information, provided such additional information is kept separately 145 
and is subject to appropriate technical and organizational measures to 146 
ensure that the personal data [is] are not attributed to an identified or 147 
identifiable individual. 148 
[(33)] (34) "Publicly available information" means information that 149 
(A) is lawfully made available through federal, state or municipal 150 
government records or widely distributed media, [and] or (B) a 151 
controller has a reasonable basis to believe a consumer has lawfully 152 
made available to the general public. "Publicly available information" 153 
does not include any (i) information that is collated and combined to 154 
create a consumer profile that is made available to a user of a publicly 155 
available Internet web site either in exchange for payment or free of 156 
charge, (ii) information that is made available for sale, or (iii) inference 157 
that is generated from the information described in subparagraph (B)(i) 158 
or (B)(ii) of this subdivision. 159 
[(34)] (35) "Reproductive or sexual health care" means any health 160 
care-related services or products rendered or provided concerning a 161 
consumer's reproductive system or sexual well-being, including, but not 162 
limited to, any such service or product rendered or provided concerning 163 
(A) an individual health condition, status, disease, diagnosis, diagnostic 164 
test or treatment, (B) a social, psychological, behavioral or medical 165 
intervention, (C) a surgery or procedure, including, but not limited to, 166 
an abortion, (D) a use or purchase of a medication, including, but not 167 
limited to, a medication used or purchased for the purposes of an 168 
abortion, (E) a bodily function, vital sign or symptom, (F) a 169 
measurement of a bodily function, vital sign or symptom, or (G) an 170
abortion, including, but not limited to, medical or nonmedical services, 171 
products, diagnostics, counseling or follow-up services for an abortion. 172 
[(35)] (36) "Reproductive or sexual health data" means any personal 173 
data concerning an effort made by a consumer to seek, or a consumer's 174 
receipt of, reproductive or sexual health care. 175 
[(36)] (37) "Reproductive or sexual health facility" means any health 176 
care facility in which at least seventy per cent of the health care-related 177 
services or products rendered or provided in such facility are 178 
reproductive or sexual health care. 179 
[(37)] (38) "Sale of personal data" means the exchange of personal data 180 
for monetary or other valuable consideration by the controller to a third 181 
party. "Sale of personal data" does not include (A) the disclosure of 182 
personal data to a processor that processes the personal data on behalf 183 
of the controller, (B) the disclosure of personal data to a third party for 184 
purposes of providing a product or service requested by the consumer, 185 
(C) the disclosure or transfer of personal data to an affiliate of the 186 
controller, (D) the disclosure of personal data where the consumer 187 
directs the controller to disclose the personal data or intentionally uses 188 
the controller to interact with a third party, (E) the disclosure of personal 189 
data that the consumer (i) intentionally made available to the general 190 
public via a channel of mass media, and (ii) did not restrict to a specific 191 
audience, or (F) the disclosure or transfer of personal data to a third 192 
party as an asset that is part of a merger, acquisition, bankruptcy or 193 
other transaction, or a proposed merger, acquisition, bankruptcy or 194 
other transaction, in which the third party assumes control of all or part 195 
of the controller's assets. 196 
[(38)] (39) "Sensitive data" means personal data that includes (A) data 197 
revealing (i) racial or ethnic origin, (ii) religious beliefs, (iii) a mental or 198 
physical health condition, [or] diagnosis, disability or treatment, (iv) sex 199 
life, sexual orientation or status as nonbinary or transgender, or (v) 200 
citizenship or immigration status, (B) consumer health data, (C) [the 201 
processing of] genetic or biometric data [for the purpose of uniquely 202
identifying an individual] or information derived therefrom, (D) 203 
personal data collected from [a known] an individual the controller has 204 
actual knowledge, or knowledge fairly implied on the basis of objective 205 
circumstances, is a child, (E) data concerning an individual's status as a 206 
victim of crime, as defined in section 1-1k, [or] (F) precise geolocation 207 
data, (G) neural data, (H) financial information that reveals a consumer's 208 
financial account number, financial account log-in information or credit 209 
card or debit card number that, in combination with any required access 210 
or security code, password or credential, would allow access to a 211 
consumer's financial account, or (I) government-issued identification 212 
number, including, but not limited to, Social Security number, passport 213 
number, state identification card number or driver's license number, 214 
that applicable law does not require to be publicly displayed. 215 
[(39)] (40) "Targeted advertising" means displaying advertisements to 216 
a consumer where the advertisement is selected based on personal data 217 
obtained or inferred from that consumer's activities over time and across 218 
nonaffiliated Internet web sites or online applications to predict such 219 
consumer's preferences or interests. "Targeted advertising" does not 220 
include (A) advertisements based on activities within a controller's own 221 
Internet web sites or online applications, (B) advertisements based on 222 
the context of a consumer's current search query, visit to an Internet web 223 
site or online application, (C) advertisements directed to a consumer in 224 
response to the consumer's request for information or feedback, or (D) 225 
processing personal data solely to measure or report advertising 226 
frequency, performance or reach. 227 
[(40)] (41) "Third party" means a person, such as a public authority, 228 
agency or body, other than the consumer, controller or processor or an 229 
affiliate of the processor or the controller. 230 
[(41)] (42) "Trade secret" has the same meaning as provided in section 231 
35-51. 232 
Sec. 2. Section 42-516 of the general statutes is repealed and the 233 
following is substituted in lieu thereof (Effective October 1, 2025): 234
The provisions of sections 42-515 to 42-525, inclusive, as amended by 235 
this act, apply to persons that: [conduct] (1) Conduct business in this 236 
state, or [persons that] produce products or services that are targeted to 237 
residents of this state, and [that] during the preceding calendar year [: 238 
(1) Controlled] (A) controlled or processed the personal data of not [less] 239 
fewer than [one hundred thousand] thirty-five thousand consumers, 240 
excluding personal data controlled or processed solely for the purpose 241 
of completing a payment transaction, [;] or [(2)] (B) controlled or 242 
processed the personal data of not [less] fewer than [twenty-five 243 
thousand] ten thousand consumers and derived more than 244
[twenty-five] twenty per cent of their gross revenue from the sale of personal 245
data; (2) control or process consumers' sensitive data; or (3) offer 246 
consumers' personal data for sale in trade or commerce. 247 
Sec. 3. Subsections (a) and (b) of section 42-517 of the general statutes 248 
are repealed and the following is substituted in lieu thereof (Effective 249 
October 1, 2025): 250 
(a) The provisions of sections 42-515 to 42-525, inclusive, as amended 251 
by this act, do not apply to any: (1) Body, authority, board, bureau, 252 
commission, district or agency of this state or of any political 253 
subdivision of this state; (2) person who has entered into a contract with 254 
any body, authority, board, bureau, commission, district or agency 255 
described in subdivision (1) of this subsection while such person is 256 
processing consumer health data on behalf of such body, authority, 257 
board, bureau, commission, district or agency pursuant to such contract; 258 
(3) [nonprofit organization; (4)] institution of higher education; [(5)] (4) 259 
national securities association that is registered under 15 USC 78o-3 of 260 
the Securities Exchange Act of 1934, as amended from time to time; [(6) 261 
financial institution or data subject to Title V of the Gramm-Leach-Bliley 262 
Act, 15 USC 6801 et seq.; (7) covered entity or business associate, as 263 
defined in 45 CFR 160.103; (8)] (5) tribal nation government 264 
organization; or [(9)] (6) air carrier, as defined in 49 USC 40102, as 265 
amended from time to time, and regulated under the Federal Aviation 266 
Act of 1958, 49 USC 40101 et seq., and the Airline Deregulation Act of 267 
1978, 49 USC 41713, as said acts may be amended from time to time. 268
(b) The following information and data [is] are exempt from the 269 
provisions of sections 42-515 to 42-526, inclusive, as amended by this 270 
act: (1) Protected health information under HIPAA; (2) 271
patient-identifying information for purposes of 42 USC 290dd-2; (3) identifiable 272
private information for purposes of the federal policy for the protection 273 
of human subjects under 45 CFR 46; (4) identifiable private information 274 
that is otherwise information collected as part of human subjects 275 
research pursuant to the good clinical practice guidelines issued by the 276 
International Council for Harmonization of Technical Requirements for 277 
Pharmaceuticals for Human Use; (5) the protection of human subjects 278 
under 21 CFR Parts 6, 50 and 56, or personal data used or shared in 279 
research, as defined in 45 CFR 164.501, that is conducted in accordance 280 
with the standards set forth in this subdivision and subdivisions (3) and 281 
(4) of this subsection, or other research conducted in accordance with 282 
applicable law; (6) information and documents created for purposes of 283 
the Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq.; 284 
(7) patient safety work product for purposes of section 19a-127o and the 285 
Patient Safety and Quality Improvement Act, 42 USC 299b-21 et seq., as 286 
amended from time to time; (8) information derived from any of the 287 
health care-related information listed in this subsection that is 288
de-identified in accordance with the requirements for de-identification 289
pursuant to HIPAA; (9) information originating from and intermingled 290 
to be indistinguishable with, or information treated in the same manner 291 
as, information exempt under this subsection that is maintained by a 292 
covered entity or business associate, program or qualified service 293 
organization, as specified in 42 USC 290dd-2, as amended from time to 294 
time; (10) information used for public health activities and purposes as 295 
authorized by HIPAA, community health activities and population 296 
health activities; (11) the collection, maintenance, disclosure, sale, 297 
communication or use of any personal information bearing on a 298 
consumer's credit worthiness, credit standing, credit capacity, character, 299 
general reputation, personal characteristics or mode of living by a 300 
consumer reporting agency, furnisher or user that provides information 301 
for use in a consumer report, and by a user of a consumer report, but 302 
only to the extent that such activity is regulated by and authorized 303
under the Fair Credit Reporting Act, 15 USC 1681 et seq., as amended 304 
from time to time; (12) personal data collected, processed, sold or 305 
disclosed in compliance with the Driver's Privacy Protection Act of 1994, 306 
18 USC 2721 et seq., as amended from time to time; (13) personal data 307 
regulated by the Family Educational Rights and Privacy Act, 20 USC 308 
1232g et seq., as amended from time to time; (14) personal data collected, 309 
processed, sold or disclosed in compliance with the Farm Credit Act, 12 310 
USC 2001 et seq., as amended from time to time; (15) data processed or 311 
maintained (A) in the course of an individual applying to, employed by 312 
or acting as an agent or independent contractor of a controller, 313 
processor, consumer health data controller or third party, to the extent 314 
that the data [is] are collected and used within the context of that role, 315 
(B) as the emergency contact information of an individual under 316 
sections 42-515 to 42-526, inclusive, as amended by this act, used for 317 
emergency contact purposes, or (C) that is necessary to retain to 318 
administer benefits for another individual relating to the individual 319 
who is the subject of the information under subdivision (1) of this 320 
subsection and used for the purposes of administering such benefits; 321 
[and] (16) personal data collected, processed, sold or disclosed in 322 
relation to price, route or service, as such terms are used in the Federal 323 
Aviation Act of 1958, 49 USC 40101 et seq., and the Airline Deregulation 324 
Act of 1978, 49 USC 41713, as said acts may be amended from time to 325 
time; and (17) data subject to Title V of the Gramm-Leach-Bliley Act, 15 326 
USC 6801 et seq., as amended from time to time. 327 
Sec. 4. Subsections (a) and (b) of section 42-518 of the general statutes 328 
are repealed and the following is substituted in lieu thereof (Effective 329 
October 1, 2025): 330 
(a) A consumer shall have the right to: (1) Confirm whether or not a 331 
controller is processing the consumer's personal data and access such 332 
personal data, including, but not limited to, any inferences about the 333 
consumer derived from such personal data, unless such confirmation or 334 
access would require the controller to reveal a trade secret; (2) correct 335 
inaccuracies in the consumer's personal data, taking into account the 336 
nature of the personal data and the purposes of the processing of the 337
consumer's personal data; (3) delete personal data provided by, or 338 
obtained about, the consumer; (4) obtain a copy of the consumer's 339 
personal data processed by the controller, in a portable and, to the extent 340 
technically feasible, readily usable format that allows the consumer to 341 
transmit the data to another controller without hindrance, where the 342 
processing is carried out by automated means, provided such controller 343 
shall not be required to reveal any trade secret; [and] (5) opt out of the 344 
processing of the personal data for purposes of (A) targeted advertising, 345 
(B) the sale of personal data, except as provided in subsection (b) of 346 
section 42-520, or (C) profiling in furtherance of [solely] automated 347 
decisions that produce legal or similarly significant effects concerning 348 
the consumer; and (6) obtain from the controller (A) a list of the third 349 
parties to which such controller has sold the consumer's personal data, 350 
or (B) if such controller does not maintain a list of the third parties to 351 
which such controller has sold the consumer's personal data, a list of all 352 
third parties to which such controller has sold personal data. 353 
(b) A consumer may exercise rights under this section by a secure and 354 
reliable means established by the controller and described to the 355 
consumer in the controller's privacy notice. A consumer may designate 356 
an authorized agent in accordance with section 42-519 to exercise the 357 
rights of such consumer to opt out of the processing of such consumer's 358 
personal data for purposes of subdivision (5) of subsection (a) of this 359 
section on behalf of the consumer. In the case of processing personal 360 
data of a [known] consumer who the controller has actual knowledge, 361 
or knowledge fairly implied on the basis of objective circumstances, is a 362 
child, the parent or legal guardian may exercise such consumer rights 363 
on the child's behalf. In the case of processing personal data concerning 364 
a consumer subject to a guardianship, conservatorship or other 365 
protective arrangement, the guardian or the conservator of the 366 
consumer may exercise such rights on the consumer's behalf. 367 
Sec. 5. Subsection (a) of section 42-520 of the general statutes is 368 
repealed and the following is substituted in lieu thereof (Effective October 369 
1, 2025): 370
(a) A controller shall: (1) Limit the collection of personal data to what 371 
is [adequate, relevant and] reasonably necessary [in relation to the 372 
purposes for which such data is processed, as disclosed to] and 373 
proportionate to provide or maintain a product or service specifically 374 
requested by the consumer; (2) [except as otherwise provided in sections 375 
42-515 to 42-525, inclusive,] not process personal data for purposes that 376 
are neither reasonably necessary to, nor compatible with, the disclosed 377 
purposes for which such personal data [is] are processed, as disclosed 378 
to the consumer, unless the controller obtains the consumer's consent; 379 
(3) establish, implement and maintain reasonable administrative, 380 
technical and physical data security practices to protect the 381 
confidentiality, integrity and accessibility of personal data appropriate 382 
to the volume and nature of the personal data at issue; (4) not process 383 
sensitive data concerning a consumer without obtaining the consumer's 384 
consent, or, in the case of the processing of sensitive data concerning a 385 
[known] consumer who the controller has actual knowledge, or 386 
knowledge fairly implied on the basis of objective circumstances, is a 387 
child, without processing such data in accordance with COPPA; (5) not 388 
process personal data in violation of the laws of this state and federal 389 
laws that prohibit unlawful discrimination against consumers; (6) 390 
provide an effective mechanism for a consumer to revoke the 391 
consumer's consent under this section that is at least as easy as the 392 
mechanism by which the consumer provided the consumer's consent 393 
and, upon revocation of such consent, cease to process the data as soon 394 
as practicable, but not later than fifteen days after the receipt of such 395 
request; (7) not sell the sensitive data of a consumer without the 396 
consumer's consent; and [(7)] (8) not process the personal data of a 397 
consumer for purposes of targeted advertising, or sell the consumer's 398 
personal data without the consumer's consent, under circumstances 399 
where a controller has actual knowledge, or [wilfully disregards] 400 
knowledge fairly implied on the basis of objective circumstances, that 401 
the consumer is at least thirteen years of age but younger than sixteen 402 
years of age. A controller shall not discriminate against a consumer for 403 
exercising any of the consumer rights contained in sections 42-515 to 404
42-525, inclusive, as amended by this act, including denying goods or 405
services, charging different prices or rates for goods or services or 406 
providing a different level of quality of goods or services to the 407 
consumer. 408 
Sec. 6. Subsections (a) to (d), inclusive, of section 42-524 of the general 409 
statutes are repealed and the following are substituted in lieu thereof 410 
(Effective October 1, 2025): 411 
(a) Nothing in sections 42-515 to 42-526, inclusive, as amended by this 412 
act, shall be construed to restrict a controller's, processor's or consumer 413 
health data controller's ability to: (1) Comply with federal, state or 414 
municipal ordinances or regulations; (2) comply with a civil, criminal or 415 
regulatory inquiry, investigation, subpoena or summons by federal, 416 
state, municipal or other governmental authorities; (3) cooperate with 417 
law enforcement agencies concerning conduct or activity that the 418 
controller, processor or consumer health data controller reasonably and 419 
in good faith believes may violate federal, state or municipal ordinances 420 
or regulations; (4) investigate, establish, exercise, prepare for or defend 421 
legal claims; (5) provide a product or service specifically requested by a 422 
consumer; (6) perform under a contract to which a consumer is a party, 423 
including fulfilling the terms of a written warranty; (7) take steps at the 424 
request of a consumer prior to entering into a contract; (8) take 425 
immediate steps to protect an interest that is essential for the life or 426 
physical safety of the consumer or another individual, and where the 427 
processing cannot be manifestly based on another legal basis; (9) 428 
prevent, detect, protect against or respond to security incidents, identity 429 
theft, fraud, harassment, malicious or deceptive activities or any illegal 430 
activity, preserve the integrity or security of systems or investigate, 431 
report or prosecute those responsible for any such action; (10) engage in 432 
public or peer-reviewed scientific or statistical research in the public 433 
interest that adheres to all other applicable ethics and privacy laws and 434 
is approved, monitored and governed by an institutional review board 435 
that determines, or similar independent oversight entities that 436 
determine, (A) whether the deletion of the information is likely to 437 
provide substantial benefits that do not exclusively accrue to the 438 
controller or consumer health data controller, (B) the expected benefits 439 
of the research outweigh the privacy risks, and (C) whether the 440 
controller or consumer health data controller has implemented 441 
reasonable safeguards to mitigate privacy risks associated with 442 
research, including any risks associated with re-identification; (11) assist 443 
another controller, processor, consumer health data controller or third 444 
party with any of the obligations under sections 42-515 to 42-526, 445 
inclusive, as amended by this act; or (12) process personal data for 446 
reasons of public interest in the area of public health, community health 447 
or population health, but solely to the extent that such processing is (A) 448 
subject to suitable and specific measures to safeguard the rights of the 449 
consumer whose personal data [is] are being processed, and (B) under 450 
the responsibility of a professional subject to confidentiality obligations 451 
under federal, state or local law. 452 
(b) The obligations imposed on controllers, processors or consumer 453 
health data controllers under sections 42-515 to 42-526, inclusive, as 454 
amended by this act, shall not restrict a controller's, processor's or 455 
consumer health data controller's ability to collect, use or retain data for 456 
internal use to: (1) Conduct internal research to develop, improve or 457 
repair products, services or technology; (2) effectuate a product recall; 458 
(3) identify and repair technical errors that impair existing or intended 459 
functionality; or (4) perform solely internal operations that are 460 
reasonably aligned with the expectations of the consumer or reasonably 461 
anticipated based on the consumer's existing relationship with the 462 
controller or consumer health data controller, or are otherwise 463 
compatible with processing data in furtherance of the provision of a 464 
product or service specifically requested by a consumer or the 465 
performance of a contract to which the consumer is a party. 466 
(c) The obligations imposed on controllers, processors or consumer 467 
health data controllers under sections 42-515 to 42-526, inclusive, as 468 
amended by this act, shall not apply where compliance by the controller, 469 
processor or consumer health data controller with said sections would 470 
violate an evidentiary privilege under the laws of this state. Nothing in 471 
sections 42-515 to 42-526, inclusive, as amended by this act, shall be 472 
construed to prevent a controller, processor or consumer health data 473 
controller from providing personal data concerning a consumer to a 474 
person covered by an evidentiary privilege under the laws of the state 475 
as part of a privileged communication. 476 
(d) A controller, processor or consumer health data controller that 477 
discloses personal data to a processor or third-party controller in 478 
accordance with sections 42-515 to 42-526, inclusive, as amended by this 479 
act, shall not be deemed to have violated said sections if the processor 480 
or third-party controller that receives and processes such personal data 481 
violates said sections, provided, at the time the disclosing controller, 482 
processor or consumer health data controller disclosed such personal 483 
data, the disclosing controller, processor or consumer health data 484 
controller did not have actual knowledge, or knowledge fairly implied 485 
on the basis of objective circumstances, that the receiving processor or 486 
third-party controller would violate said sections. A third-party 487 
controller or processor receiving personal data from a controller, 488 
processor or consumer health data controller in compliance with 489 
sections 42-515 to 42-526, inclusive, as amended by this act, is likewise 490 
not in violation of said sections for the transgressions of the controller, 491 
processor or consumer health data controller from which such third-party 492 
controller or processor receives such personal data. 493 
Sec. 7. Subsections (a) and (b) of section 42-528 of the general statutes 494 
are repealed and the following is substituted in lieu thereof (Effective 495 
October 1, 2025): 496 
(a) For the purposes of this section: 497 
(1) "Authenticate" means to use reasonable means and make a 498 
commercially reasonable effort to determine whether a request to 499 
exercise any right afforded under subsection (b) of this section has been 500 
submitted by, or on behalf of, the minor who is entitled to exercise such 501 
right; 502 
(2) "Consumer" has the same meaning as provided in section 42-515, 503 
as amended by this act; 504 
(3) "Minor" means any consumer who is younger than eighteen years 505 
of age; 506 
(4) "Personal data" has the same meaning as provided in section 42-515, 507 
as amended by this act; 508 
(5) "Social media platform" (A) means a public or semi-public 509 
Internet-based service or application that (i) is used by a consumer in 510 
this state, (ii) is primarily intended to connect and allow users to socially 511 
interact within such service or application, and (iii) enables a user to [(I)] 512 
construct a public or semi-public profile for the purposes of signing into 513 
and using such service or application, [(II) populate a public list of other 514 
users with whom the user shares a social connection within such service 515 
or application, and (III) create or post content that is viewable by other 516 
users, including, but not limited to, on message boards, in chat rooms, 517 
or through a landing page or main feed that presents the user with 518 
content generated by other users,] and (B) does not include a public or 519 
semi-public Internet-based service or application that (i) exclusively 520 
provides electronic mail or direct messaging services, (ii) primarily 521 
consists of news, sports, entertainment, interactive video games, 522 
electronic commerce or content that is preselected by the provider or for 523 
which any chat, comments or interactive functionality is incidental to, 524 
directly related to, or dependent on the provision of such content, or (iii) 525 
is used by and under the direction of an educational entity, including, 526 
but not limited to, a learning management system or a student 527 
engagement program; and 528 
(6) "Unpublish" means to remove a social media platform account 529 
from public visibility. 530 
(b) (1) Not later than fifteen business days after a social media 531 
platform receives a request from a minor or, if the minor is younger than 532 
sixteen years of age, from such minor's parent or legal guardian to 533 
unpublish such minor's social media platform account, the social media 534 
platform shall unpublish such minor's social media platform account. 535 
(2) Not later than forty-five business days after a social media 536 
platform receives a request from a minor or, if the minor is younger than 537 
sixteen years of age, from such minor's parent or legal guardian to delete 538 
such minor's social media platform account, the social media platform 539 
shall delete such minor's social media platform account and cease 540 
processing such minor's personal data except where the preservation of 541 
such minor's social media platform account or personal data is 542 
otherwise permitted or required by applicable law, including, but not 543 
limited to, sections 42-515 to 42-525, inclusive, as amended by this act. 544 
A social media platform may extend such forty-five business day period 545 
by an additional forty-five business days if such extension is reasonably 546 
necessary considering the complexity and number of the consumer's 547 
requests, provided the social media platform informs the minor or, if the 548 
minor is younger than sixteen years of age, such minor's parent or legal 549 
guardian within the initial forty-five business day response period of 550 
such extension and the reason for such extension. 551 
(3) A social media platform shall establish, and shall describe in a 552 
privacy notice, one or more secure and reliable means for submitting a 553 
request pursuant to this subsection. A social media platform that 554 
provides a mechanism for a minor or, if the minor is younger than 555 
sixteen years of age, the minor's parent or legal guardian to initiate a 556 
process to delete or unpublish such minor's social media platform 557 
account shall be deemed to be in compliance with the provisions of this 558 
subsection. 559 
(4) No social media platform shall require a minor's parent or legal 560 
guardian to create a social media platform account to submit a request 561 
pursuant to this subsection. A social media platform may require a 562 
minor's parent or legal guardian to use an existing social media platform 563 
account to submit such a request, provided such parent or legal 564 
guardian has access to the existing social media platform account. 565 
Sec. 8. Section 42-529a of the general statutes is repealed and the 566 
following is substituted in lieu thereof (Effective October 1, 2025): 567 
(a) Each controller that offers any online service, product or feature 568 
to consumers whom such controller has actual knowledge, or [wilfully 569 
disregards] knowledge fairly implied on the basis of objective 570 
circumstances, are minors shall use reasonable care to avoid any 571 
heightened risk of harm to minors caused by such online service, 572 
product or feature. [In any enforcement action brought by the Attorney 573 
General pursuant to section 42-529e, there shall be a rebuttable 574 
presumption that a controller used reasonable care as required under 575 
this section if the controller complied with the provisions of section 42-529b 576 
concerning data protection assessments.] 577 
(b) (1) [Subject to the consent requirement established in subdivision 578 
(3) of this subsection, no] No controller that offers any online service, 579 
product or feature to consumers whom such controller has actual 580 
knowledge, or [wilfully disregards] knowledge fairly implied on the 581 
basis of objective circumstances, are minors shall: (A) Process any 582 
minor's personal data (i) for the purposes of (I) targeted advertising, (II) 583 
any sale of personal data, or (III) profiling in furtherance of any [fully] 584 
automated decision made by such controller that produces any legal or 585 
similarly significant effect concerning the provision or denial by such 586 
controller of any financial or lending services, housing, insurance, 587 
education enrollment or opportunity, criminal justice, employment 588 
opportunity, health care services or access to essential goods or services, 589 
(ii) unless such processing is reasonably necessary to provide such 590 
online service, product or feature, (iii) for any processing purpose (I) 591 
other than the processing purpose that the controller disclosed at the 592 
time such controller collected such personal data, or (II) that is 593 
reasonably necessary for, and compatible with, the processing purpose 594 
described in subparagraph (A)(iii)(I) of this subdivision, or (iv) for 595 
longer than is reasonably necessary to provide such online service, 596 
product or feature; or (B) use any system design feature to significantly 597 
increase, sustain or extend any minor's use of such online service, 598 
product or feature. The provisions of this subdivision shall not apply to 599 
any service or application that is used by and under the direction of an 600 
educational entity, including, but not limited to, a learning management 601 
system or a student engagement program. 602 
(2) [Subject to the consent requirement established in subdivision (3) 603 
of this subsection, no] No controller that offers an online service, 604 
product or feature to consumers whom such controller has actual 605 
knowledge, or [wilfully disregards] knowledge fairly implied on the 606 
basis of objective circumstances, are minors shall collect a minor's 607 
precise geolocation data unless: (A) Such precise geolocation data [is 608 
reasonably] are strictly necessary for the controller to provide such 609 
online service, product or feature and, if such data [is] are necessary to 610 
provide such online service, product or feature, such controller may 611 
only collect such data for the time necessary to provide such online 612 
service, product or feature; and (B) the controller provides to the minor 613 
a signal indicating that such controller is collecting such precise 614 
geolocation data, which signal shall be available to such minor for the 615 
entire duration of such collection. 616 
[(3) No controller shall engage in the activities described in 617 
subdivisions (1) and (2) of this subsection unless the controller obtains 618 
the minor's consent or, if the minor is younger than thirteen years of age, 619 
the consent of such minor's parent or legal guardian. A controller that 620 
complies with the verifiable parental consent requirements established 621 
in the Children's Online Privacy Protection Act of 1998, 15 USC 6501 et 622 
seq., and the regulations, rules, guidance and exemptions adopted 623 
pursuant to said act, as said act and such regulations, rules, guidance 624 
and exemptions may be amended from time to time, shall be deemed to 625 
have satisfied any requirement to obtain parental consent under this 626 
subdivision.] 627 
(c) (1) No controller that offers any online service, product or feature 628 
to consumers whom such controller has actual knowledge, or [wilfully 629 
disregards] knowledge fairly implied on the basis of objective 630 
circumstances, are minors shall: (A) Provide any consent mechanism 631 
that is designed to substantially subvert or impair, or is manipulated 632 
with the effect of substantially subverting or impairing, user autonomy, 633 
decision-making or choice; or (B) except as provided in subdivision (2) 634 
of this subsection, offer any direct messaging apparatus for use by 635 
minors without providing readily accessible and easy-to-use safeguards 636 
to limit the ability of adults to send unsolicited communications to 637 
minors with whom they are not connected. 638 
(2) The provisions of subparagraph (B) of subdivision (1) of this 639 
subsection shall not apply to services where the predominant or 640 
exclusive function is: (A) Electronic mail; or (B) direct messaging 641 
consisting of text, photos or videos that are sent between devices by 642 
electronic means, where messages are (i) shared between the sender and 643 
the recipient, (ii) only visible to the sender and the recipient, and (iii) not 644 
posted publicly. 645 
Sec. 9. Subsection (a) of section 42-529b of the general statutes is 646 
repealed and the following is substituted in lieu thereof (Effective October 647 
1, 2025): 648 
(a) Each controller that [, on or after October 1, 2024,] offers any online 649 
service, product or feature to consumers whom such controller has 650 
actual knowledge, or [wilfully disregards] knowledge fairly implied on 651 
the basis of objective circumstances, are minors shall conduct a data 652 
protection assessment for such online service, product or feature: (1) In 653 
a manner that is consistent with the requirements established in section 654 
42-522; and (2) that addresses (A) the purpose of such online service, 655 
product or feature, (B) the categories of minors' personal data that such 656 
online service, product or feature processes, (C) the purposes for which 657 
such controller processes minors' personal data with respect to such 658 
online service, product or feature, and (D) any heightened risk of harm 659 
to minors that is a reasonably foreseeable result of offering such online 660 
service, product or feature to minors. 661 
Sec. 10. Subsection (d) of section 42-529d of the general statutes is 662 
repealed and the following is substituted in lieu thereof (Effective October 663 
1, 2025): 664 
(d) No obligation imposed on a controller or processor under any 665 
provision of sections 42-529 to 42-529c, inclusive, or section 42-529e shall 666 
be construed to restrict a controller's or processor's ability to collect, use 667 
or retain data for internal use to: (1) Conduct internal research to 668 
develop, improve or repair products, services or technology; (2) 669 
effectuate a product recall; (3) identify and repair technical errors that 670 
impair existing or intended functionality; or (4) perform solely internal 671 
operations that are (A) reasonably aligned with the expectations of a 672 
minor or reasonably anticipated based on the minor's existing 673 
relationship with the controller or processor, or (B) otherwise 674 
compatible with processing data in furtherance of the provision of a 675 
product or service specifically requested by a minor. 676 
Sec. 11. (NEW) (Effective October 1, 2025) (a) As used in this section: 677 
(1) "Brokered personal data" means any personal data that are 678 
categorized or organized for the purpose of enabling a data broker to 679 
sell or license such personal data to another person; 680 
(2) "Business" (A) means (i) a person who regularly engages in 681 
commercial activities for the purpose of generating income, (ii) a bank, 682 
Connecticut credit union, federal credit union, out-of-state bank, out-of-state 683 
trust company or out-of-state credit union, as said terms are 684 
defined in section 36a-2 of the general statutes, and (iii) any other person 685 
that controls, is controlled by or is under common control with a person 686 
described in subparagraph (A)(i) or (A)(ii) of this subdivision, and (B) 687 
does not include any body, authority, board, bureau, commission, 688 
district or agency of this state or of any political subdivision of this state; 689 
(3) "Consumer" has the same meaning as provided in section 42-515 690 
of the general statutes, as amended by this act; 691 
(4) "Data broker" means any business or, if such business is an entity, 692 
any portion of such business that sells or licenses brokered personal data 693 
to another person; 694 
(5) "Department" means the Department of Consumer Protection; 695 
(6) "License" (A) means to grant access to, or distribute, personal data 696 
in exchange for consideration, and (B) does not include any use of 697 
personal data for the sole benefit of the person who provided such 698 
personal data if such person maintains control over the use of such 699 
personal data; 700 
(7) "Person" has the same meaning as provided in section 42-515 of 701 
the general statutes, as amended by this act; and 702 
(8) "Personal data" (A) means any data concerning a consumer that, 703 
either alone or in combination with any other data that are sold or 704 
licensed by a data broker to another person, can reasonably be 705 
associated with the consumer, and (B) includes, but is not limited to, (i) 706 
a consumer's name or the name of any member of the consumer's 707 
immediate family or household, (ii) a consumer's address or the address 708 
of any member of the consumer's immediate family or household, (iii) a 709 
consumer's birth date or place of birth, (iv) the maiden name of a 710 
consumer's mother, (v) biometric data, as defined in section 42-515 of 711 
the general statutes, as amended by this act, concerning a consumer, and 712 
(vi) a consumer's Social Security number or any other government-issued 713 
identification number issued to the consumer. 714 
(b) (1) Except as provided in subdivision (4) of this subsection and 715 
subsection (d) of this section, no data broker shall sell or license 716 
brokered personal data in this state unless the data broker is actively 717 
registered with the Department of Consumer Protection in accordance 718 
with the provisions of this subsection. A data broker who desires to sell 719 
or license brokered personal data in this state shall submit an 720 
application to the department in a form and manner prescribed by the 721 
Commissioner of Consumer Protection. Each application for 722 
registration as a data broker shall be accompanied by a registration fee 723 
in the amount of six hundred dollars. Each registration issued pursuant 724 
to this subsection shall expire on December thirty-first of the year in 725 
which such registration was issued and may be renewed for successive 726 
one-year terms upon application made in the manner set forth in this 727 
subsection and payment of a registration renewal fee in the amount of 728 
six hundred dollars. 729 
(2) Except as provided in subdivision (4) of this subsection, each 730 
application submitted to the department pursuant to subdivision (1) of 731 
this subsection shall include: 732 
(A) The applicant's name, mailing address, electronic mail address 733 
and telephone number; 734 
(B) The address of the applicant's primary Internet web site; and 735 
(C) A statement by the applicant disclosing the measures the 736 
applicant shall take to ensure that no personal data is sold or licensed in 737 
violation of the provisions of sections 42-515 to 42-525, inclusive, of the 738 
general statutes, as amended by this act. 739 
(3) The department shall make all information that an applicant 740 
submits to the department pursuant to subdivision (2) of this subsection 741 
publicly available on the department's Internet web site. 742 
(4) The department may approve and renew an application for 743 
registration as a data broker in accordance with the terms of an 744 
agreement between the department and the Nationwide Multistate 745 
Licensing System. 746 
(c) No data broker shall sell or license any personal data in violation 747 
of the provisions of sections 42-515 to 42-525, inclusive, of the general 748 
statutes, as amended by this act. Each data broker shall implement 749 
measures to ensure that the data broker does not sell or license any 750 
personal data in violation of the provisions of sections 42-515 to 42-525, 751 
inclusive, of the general statutes, as amended by this act. 752 
(d) (1) The provisions of this section shall not apply to: (A) A 753 
consumer reporting agency, as defined in 15 USC 1681a(f), as amended 754 
from time to time, a person that furnishes information to a consumer 755 
reporting agency, as provided in 15 USC 1681s-2, as amended from time 756 
to time, or a user of a consumer report, as defined in 15 USC 1681a(d), 757 
as amended from time to time, to the extent that the consumer reporting 758 
agency, person or user engages in activities that are subject to regulation 759 
under the Fair Credit Reporting Act, 15 USC 1681 et seq., as amended 760 
from time to time; (B) a financial institution, an affiliate or a nonaffiliated 761 
third party, as said terms are defined in 15 USC 6809, as amended from 762 
time to time, to the extent that the financial institution, affiliate or 763 
nonaffiliated third party engages in activities that are subject to 764 
regulation under Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et 765 
seq., and the regulations adopted thereunder, as said act and regulations 766 
may be amended from time to time; (C) a business that collects 767 
information concerning a consumer if the consumer (i) is a customer, 768 
subscriber or user of goods or services sold or offered by the business, 769 
(ii) is in a contractual relationship with the business, (iii) is an investor 770 
in the business, (iv) is a donor to the business, or (v) otherwise maintains 771 
a relationship with the business that is similar to the relationships 772 
described in subparagraphs (C)(i) to (C)(iv), inclusive, of this 773 
subdivision; or (D) a business that performs services for, or acts as an 774 
agent or on behalf of, a business described in subparagraph (C) of this 775 
subdivision. 776 
(2) No provision of this section shall be construed to prohibit an 777 
unregistered data broker from engaging in any sale or licensing of 778 
brokered personal data if such sale or licensing exclusively involves: (A) 779 
Publicly available information (i) concerning a consumer's business or 780 
profession, or (ii) sold or licensed as part of a service that provides alerts 781 
for health or safety purposes; (B) information that is lawfully available 782 
from any federal, state or local government record; (C) providing digital 783 
access to any (i) journal, book, periodical, newspaper, magazine or news 784 
media, or (ii) educational, academic or instructional work; (D) 785 
developing or maintaining an electronic commerce service or software; 786 
(E) providing directory assistance or directory information services as, 787 
or on behalf of, a telecommunications carrier; or (F) a one-time or 788 
occasional disposition of the assets of a business, or any portion of a 789 
business, as part of a transfer of control over the assets of the business 790 
that is not part of the ordinary conduct of such business or portion of 791 
such business. 792 
(e) The Commissioner of Consumer Protection may adopt 793 
regulations, in accordance with the provisions of chapter 54 of the 794 
general statutes, to implement the provisions of this section. 795 
(f) The Commissioner of Consumer Protection, after providing notice 796 
and conducting a hearing in accordance with the provisions of chapter 797 
54 of the general statutes, may impose a civil penalty of not more than 798 
five hundred dollars per day for each violation of subsections (b) to (d), 799 
inclusive, of this section. The sum of civil penalties imposed on a data 800 
broker pursuant to this subsection shall not exceed ten thousand dollars 801 
during any calendar year. 802 
Sec. 12. (NEW) (Effective January 1, 2026) (a) As used in this section: 803 
(1) "Abuser" means an individual who (A) is identified by a survivor 804 
pursuant to subsection (b) of this section, and (B) has committed, or 805 
allegedly committed, a covered act against the survivor making the 806 
connected vehicle services request; 807 
(2) "Account holder" means an individual who is (A) a party to a 808 
contract with a covered provider that involves a connected vehicle 809 
service, or (B) a subscriber, customer or registered user of a connected 810 
vehicle service; 811 
(3) "Connected vehicle service" means any capability provided by or 812 
on behalf of a motor vehicle manufacturer that enables a person to 813 
remotely obtain data from, or send commands to, a covered vehicle, 814 
including, but not limited to, any such capability provided by way of a 815 
software application that is designed to be operated on a mobile device; 816 
(4) "Connected vehicle service request" means a request by a survivor 817 
to terminate or disable an abuser's access to a connected vehicle service; 818 
(5) "Covered act" means conduct that constitutes (A) a crime 819 
described in Section 40002(a) of the Violence Against Women Act of 820 
1994, 34 USC 12291(a), as amended from time to time, (B) an act or 821 
practice described in 22 USC 7102(11) or (12), as amended from time to 822 
time, or (C) a crime, act or practice that is (i) similar to a crime, act or 823 
practice described in subparagraph (A) or (B) of this subdivision, and 824 
(ii) prohibited under federal, state or tribal law; 825 
(6) "Covered connected vehicle services account" means an account 826 
or other means by which a person enrolls in, or obtains access to, a 827 
connected vehicle service; 828 
(7) "Covered provider" means a motor vehicle manufacturer, or an 829 
entity acting on behalf of a motor vehicle manufacturer, that provides a 830 
connected vehicle service; 831 
(8) "Covered vehicle" means a motor vehicle that is (A) the subject of 832 
a connected vehicle request, and (B) identified by a survivor pursuant 833 
to subsection (b) of this section; 834 
(9) "Emergency situation" means a situation that, if allowed to 835 
continue, poses an imminent risk of death or serious bodily harm; 836 
(10) "In-vehicle interface" means a feature or mechanism installed in 837 
a motor vehicle that allows an individual within the motor vehicle to 838 
terminate or disable connected vehicle services; 839 
(11) "Person" means an individual, association, company, limited 840 
liability company, corporation, partnership, sole proprietorship, trust or 841 
other legal entity; and 842 
(12) "Survivor" means an individual (A) who is eighteen years of age 843 
or older, and (B) against whom a covered act has been committed or 844 
allegedly committed. 845 
(b) A survivor may submit a connected vehicle service request to a 846 
covered provider pursuant to this subsection. Each connected vehicle 847 
service request submitted pursuant to this subsection shall, at a 848 
minimum, include (1) the vehicle identification number of the covered 849 
vehicle, (2) the name of the abuser, and (3) (A) proof that the survivor is 850 
the sole owner of the covered vehicle, (B) if the survivor is not the sole 851 
owner of the covered vehicle, proof that the survivor is legally entitled 852 
to exclusive possession of the covered vehicle, which proof may take the 853 
form of a court order awarding exclusive possession of the covered 854 
vehicle to the survivor, or (C) if the abuser owns the covered vehicle, in 855 
whole or in part, a dissolution of marriage decree, restraining order or 856 
temporary restraining order (i) naming the abuser, and (ii) (I) granting 857 
exclusive possession of the covered vehicle to the survivor, or (II) 858 
restricting the abuser's use of a connected vehicle service against the 859 
survivor. 860 
(c) (1) Not later than two business days after a survivor submits a 861 
connected vehicle service request to a covered provider pursuant to 862 
subsection (b) of this section, the covered provider shall take one or 863 
more of the following actions requested by the survivor in the connected 864 
vehicle service request, regardless of whether the abuser identified in 865 
the connected vehicle service request is an account holder: (A) 866 
Terminate or disable the covered connected vehicle services account 867 
associated with such abuser; (B) (i) terminate or disable the covered 868 
connected vehicle services account associated with the covered vehicle, 869 
including, but not limited to, by resetting or deleting any data or 870 
wireless connection with respect to the covered vehicle, and (ii) provide 871 
instructions to the survivor on how to reestablish a covered connected 872 
vehicle services account; (C) (i) terminate or disable covered connected 873 
vehicle services for the covered vehicle, including, but not limited to, by 874 
resetting or deleting any data or wireless connection with respect to the 875 
covered vehicle, and (ii) provide instructions to the survivor on how to 876 
reestablish connected vehicle services; or (D) if the motor vehicle has an 877 
in-vehicle interface, provide information to the survivor concerning (i) 878 
the availability of the in-vehicle interface, and (ii) how to terminate or 879 
disable connected vehicle services using the in-vehicle interface. 880 
(2) After the covered provider has taken action pursuant to 881 
subdivision (1) of this subsection, the covered provider shall deny any 882 
request made by the abuser to obtain any data that (A) were generated 883 
by the connected vehicle service after the abuser's access to such 884 
connected vehicle service was terminated or disabled in response to the 885 
connected vehicle service request, and (B) are maintained by the covered 886 
provider. 887 
(3) The covered provider shall not refuse to take action pursuant to 888 
subdivision (1) of this subsection on the basis that any requirement, 889 
other than a requirement established in subsection (b) of this section, has 890 
not been satisfied, including, but not limited to, any requirement that 891 
provides for (A) payment of any fee, penalty or other charge, (B) 892 
maintaining or extending the term of the covered connected vehicle 893 
services account, (C) obtaining approval from any account holder other 894 
than the survivor, or (D) increasing the rate charged for the connected 895 
vehicle service. 896 
(4) (A) If the covered provider intends to provide any formal notice 897 
to the abuser regarding any action set forth in subdivision (1) of this 898 
subsection, the covered provider shall first notify the survivor of the 899 
date on which the covered provider intends to provide such notice to 900 
the abuser. 901 
(B) The covered provider shall take reasonable steps to ensure that 902 
the covered provider only provides formal notice to the abuser, 903 
pursuant to subparagraph (A) of this subdivision, (i) at least three days 904 
after the covered provider notified the survivor pursuant to 905 
subparagraph (A) of this subdivision, and (ii) after the covered provider 906 
has terminated or disabled the abuser's access to the connected vehicle 907 
service. 908 
(5) (A) The covered provider shall not be required to take any action 909 
pursuant to subdivision (1) of this subsection if the covered provider 910 
cannot operationally or technically effectuate such action. 911 
(B) If the covered provider cannot operationally or technically 912 
effectuate any action as set forth in subparagraph (A) of this subdivision, 913 
the covered provider shall promptly notify the survivor who submitted 914 
the connected vehicle service request that the covered provider cannot 915 
operationally or technically effectuate such action, which notice shall, at 916 
a minimum, disclose whether the covered provider's inability to 917 
operationally or technically effectuate such action can be remedied and, 918 
if so, any steps the survivor can take to assist the covered provider in 919 
remedying such inability. 920 
(d) (1) The covered provider and each officer, director, employee, 921 
vendor or agent of the covered provider shall treat all information 922 
submitted by the survivor under subsection (b) of this section as 923 
confidential, and shall securely dispose of such information not later 924 
than ninety days after the survivor submitted such information. 925 
(2) The covered provider shall not disclose any information 926 
submitted by the survivor under subsection (b) of this section to a third 927 
party unless (A) the covered provider has obtained affirmative consent 928 
from the survivor to disclose such information to the third party, or (B) 929 
disclosing such information to the third party is necessary to effectuate 930 
the connected vehicle service request. 931 
(3) Nothing in subdivision (1) of this subsection shall be construed to 932 
prohibit the covered provider from maintaining, for longer than the 933 
period specified in subdivision (1) of this subsection, a record that 934 
verifies that the survivor fulfilled the conditions of the connected vehicle 935 
service request as set forth in subsection (b) of this section, provided 936 
such record is limited to what is reasonably necessary and proportionate 937 
to verify that the survivor fulfilled such conditions. 938 
(e) The survivor shall take reasonable steps to notify the covered 939 
provider of any change in the ownership or possession of the covered 940 
vehicle that materially affects the need for the covered provider to take 941 
action pursuant to subdivision (1) of subsection (c) of this section. 942 
(f) The requirements established in this section shall not prohibit or 943 
prevent a covered provider from terminating or disabling an abuser's 944 
access to a connected vehicle service in an emergency situation after 945 
receiving a connected vehicle service request. 946 
(g) Each covered provider shall publicly post, on such covered 947 
provider's Internet web site, a statement describing how a survivor may 948 
submit a connected vehicle service request to such covered provider. 949 

This act shall take effect as follows and shall amend the following 
sections: 
 
Section 1    October 1, 2025    42-515
Sec. 2       October 1, 2025    42-516
Sec. 3       October 1, 2025    42-517(a) and (b)
Sec. 4       October 1, 2025    42-518(a) and (b)
Sec. 5       October 1, 2025    42-520(a)
Sec. 6       October 1, 2025    42-524(a) to (d)
Sec. 7       October 1, 2025    42-528(a) and (b)
Sec. 8       October 1, 2025    42-529a
Sec. 9       October 1, 2025    42-529b(a)
Sec. 10      October 1, 2025    42-529d(d)
Sec. 11      October 1, 2025    New section
Sec. 12      January 1, 2026    New section
 
Statement of Legislative Commissioners:   
In Section 11(f), "subsections (b) to (d), inclusive, of" was added before 
"this section" for consistency with standard drafting conventions; and in 
Section 12(g), "to such covered provider" was added after "request" for 
clarity. 
 
GL Joint Favorable Subst.