The Connecticut Governor recently amended the Connecticut Data Privacy Act (CTDPA), the state's comprehensive consumer privacy law, to include obligations and restrictions on collecting, processing, sharing, and selling of consumer sensitive and consumer health data. I think that many of the current slate of state privacy laws provide exemptions for nonprofits and businesses collecting data under certain thresholds. However, the CTDPA amendments do not mirror such exceptions. The new provisions regulate any entity that processes health data about Connecticut residents.
As the amendments went into effect on October 1, 2023, companies should reevaluate their compliance programs to focus on the privacy and security of consumer health data.