Broadening Sensitive Data Scope in State Legislation


Summary

Broadening sensitive data scope in state legislation means expanding the types of personal information that are considered sensitive and protected by privacy laws at the state level. This often includes adding categories like health, biometric, financial, or children’s data, and creating stricter rules around how organizations can collect, use, or share this information.

  • Review new definitions: Check updated state laws to see if more types of personal information—like disability status, financial details, or minors’ data—now require stronger protection in your organization.
  • Update privacy practices: Revise your privacy policies and data handling procedures to ensure you gain proper consent and provide clear disclosures when collecting or sharing sensitive data.
  • Prepare for consumer rights: Make it easy for individuals to access, correct, or get information about how their sensitive data is used or shared, especially as new laws may require these rights to be clearly supported.
Summarized by AI based on LinkedIn member posts
  • Sam Castic

    Privacy Leader and Lawyer; Partner @ Hintze Law

    Connecticut amended its comprehensive privacy law. Here are the changes that may require new practices.

    The State of Connecticut - Office of the Governor signed the amendment to the #DataPrivacy law last week, and it takes effect July 1, 2026. Changes include:

    🔸 Adding sensitive data types: mental or physical health disability and treatment info; financial, credit, or debit account or card numbers with required codes or passwords; government identification numbers; and info about a minor (<18).
    🔸 Expanding individual rights to permit access to inferences derived from personal data, and to confirm whether personal data is processed for profiling to make decisions that produce legal or similarly significant effects. If it is, there are new rights regarding the profiling, including to question results, understand reasoning, review personal data used, and correct data used and have the decision reevaluated.
    🔸 Detailed new documented assessment requirements for profiling for purposes of making decisions that produce legal or similarly significant effects.
    🔸 Requiring privacy policies to indicate whether personal data is used for training large language models (for #ArtificialIntelligence).
    🔸 Requiring companies to provide, upon consumer request, a list of the third parties personal data is sold to.
    🔸 Requiring consent to sell sensitive data.
    🔸 Prohibiting personal data of minors from being sold or used for targeted #OnlineAdvertising. Consent is no longer a basis for such sales or usage.

    The law will also apply more broadly to companies that: process any personal data of more than 35,000 consumers; process any sensitive personal data (other than for payment transactions); or sell personal data.

    As next steps before the law takes effect next July:

    ✔️ Confirm all the data types indicated are treated as sensitive in your company's policies and procedures, including those that trigger data protection assessments. With California still considering regulations, this will be the first state to require a documented data protection assessment when government identification numbers are processed.
    ✔️ If your company makes in-scope profiling decisions, update assessment processes (such as those currently used for Colorado) to include required elements, and revise individual rights processes to address the new requirements.
    ✔️ Update individual rights processes to allow consumers to receive lists of all third parties that personal data is sold to (leverage Oregon processes as appropriate).
    ✔️ Address the new #privacy policy content requirements in your next privacy policy review and update.
    ✔️ Confirm sensitive data types will not be sold without consent, such as in targeted advertising efforts.
    ✔️ If your company deals with personal data of minors, plan to omit such data from targeted advertising efforts, or from practices that constitute "sales".

  • Keir Lamont

    Data Policy

    Connecticut's General Law Committee has introduced an amendment to the state's highly influential consumer privacy law (SB 1356). The most interesting provision is the proposed modification to the law's data minimization standard. The bill would limit the collection of personal data to what is reasonably necessary to maintain a specifically requested product or service, but leave the opt-in consent regime in place for processing sensitive data.

    Significantly, Connecticut's proposal is the mirror image of the proposed amendment to the Maryland Online Data Protection Act that I posted about last week (HB 1365), which would return Maryland to a notice regime for collecting personal data, but leave the law's unique "strictly necessary" data minimization framework in place for processing sensitive data.

    Other key elements of Connecticut's proposed privacy law amendment:

    ➡️ Broadening the "actual knowledge or willfully disregards" standard for protecting minors' data to "knowledge fairly implied on the basis of objective circumstances".
    ➡️ Broadening the definition of biometric data to a 'can identify' standard from a 'used to identify' standard.
    ➡️ Broadening the definition of "sensitive data" with various categories found in other state laws.
    ➡️ Lowering the applicability threshold to cover businesses that process the data of more than 35,000 residents (down from 100k) or that process any sensitive data.
    ➡️ Expanding the applicability to nonprofit organizations and switching from an entity-level to data-level carveout for the federal GLBA.
    ➡️ Creating an Oregon-style right to access a list of third parties to whom a business has disclosed personal data AND requiring the disclosure of the specific third parties an organization shares data with in an organization's privacy notice.
    ➡️ Tweaks to the scope of the right to opt out of significant profiling decisions and the law's internal operations exception.

  • Barbara Li

    Partner at Reed Smith China & IAPP Asia Advisory Board Member & Vice Chair of Cybersecurity Working Group of EU Chamber of Commerce in China

    On 22 May, the State Administration of Market Regulation and the Standardisation Administration of China jointly issued a new set of national standards on security requirements for collecting and processing sensitive personal information (GB/T 45574-2025). These national standards will come into effect on November 1, 2025. These new standards aim to offer long-awaited, practical guidance for handling sensitive personal information. Key highlights include:

    (1) Further defining the scope of sensitive personal information by cross referencing several other national standards and TC260 guidelines. Besides the common types of sensitive personal information like biometric, religious, health, financial, precise geolocation and whereabouts information, and information of children under 14, the aggregation or combination of non-sensitive personal information can be considered sensitive PI, if the aggregated/combined information could significantly harm the reputation, safety, or financial situation of the affected data subjects.

    (2) Mandating separate consent for data collection and providing a convenient way for consent withdrawal. Bundled consent is forbidden. The standards include a sample consent template.

    (3) Special protection for collecting and processing children's information. For instance, making public the special privacy policy for collecting children's information, responding more promptly to requests for copying, correcting, and deleting children's information.

    (4) Imposing stricter organisational and technical measures for handling sensitive personal information. This includes no forced collection of sensitive information, encrypting data during storage and transfer, appointing a designated person-in-charge when collecting and processing sensitive data of over 100,000 people, deleting sensitive information after related services are completed, and not using data scraping or other automated means to collect sensitive information.

    (5) Absolutely prohibiting the use of sensitive information for "boxing", discriminatory message-pushing, and fraud.

    A ton of sensitive personal information is collected and processed in various industries such as finance, healthcare, pharmaceuticals, education, tourism, hospitality, transportation, among others. Comprehending the requirements and implications of these new guidelines on sensitive personal information is vital for better compliance, building customer confidence, and managing risks for business operations in the China market.

    #personaldata #PII #sensitive #biometric #financialdata #healthdata #childrendata #locationdata #compliance #security #DPO

    Picture credit to Pixabay.

  • Tristan Rader

    State Rep | Fighting for People, Planet & Progress

    Too many Ohioans don’t realize how much personal information is collected by state government, and how easily it could be shared with federal agencies like ICE without your consent. That’s why I’m introducing a bill with Rep. Christine Cockley, MPA to stop sensitive personal data from being sold or handed over to private brokers or federal enforcement agencies unless there’s a clear, lawful reason and informed consent from the person it belongs to. Here’s what the bill does:

    🔒 Limits Data Sharing
    State agencies and officials would not be allowed to disclose your sensitive personal information to private companies or federal agencies without your informed consent, or a warrant, court order, or subpoena.

    💼 Closes Loopholes Around Data Brokers
    Right now, agencies can sometimes share or sell your data to private data brokers. This bill makes that practice illegal unless the use is clearly permitted by law.

    📋 Defines Your Rights and Your Data
    The bill adopts the definitions from the Fair Credit Reporting Act and applies them more broadly, ensuring that information such as your name, date of birth, Social Security number, phone numbers, immigration status, and facial recognition data receives meaningful protections.

    🛡 Stops ICE from Accessing Your Data by Default
    If an Ohio agency has your information, such as from a driver’s license application, the unemployment system, or health reporting, this bill ensures it isn’t shared with federal immigration authorities unless required by law, and you are informed.
