USA - Connecticut: Sectoral Exceptions Regulated by Other Laws

Sectoral exceptions in the Connecticut Data Privacy Act (CDPA) are designed to prevent duplicative regulation by exempting entities and data types already subject to stringent data protection standards under other federal or sectoral laws. This approach ensures industries such as healthcare, finance, and research are not overburdened with overlapping compliance requirements.

Text of Relevant Provisions

CDPA Sec.3(b)(12):

"(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (12) personal data collected, processed, sold or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 USC 2721 et seq. ..."

CDPA Sec.3(b)(16):

"(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (16) personal data collected, processed, sold or disclosed in relation to price, route or service, as such terms are used in the Airline Deregulation Act, 49 USC 40101 et seq. ... by an air carrier subject to said act, to the extent sections 1 to 11, inclusive, of this act are preempted by the Airline Deregulation Act, 49 USC 41713 ..."

CDPA Sec.3(a)(4):

"(a) The provisions of sections 1 to 11, inclusive, of this act do not apply to any: (4) national securities association that is registered under 15 USC 78o-3 of the Securities Exchange Act of 1934 ..."

CDPA Sec.3(a)(5):

"(a) The provisions of sections 1 to 11, inclusive, of this act do not apply to any: (5) financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq. ..."

CDPA Sec.3(b)(11):

"(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (11) the collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency, furnisher or user that provides information for use in a consumer report, and by a user of a consumer report, but only to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act, 15 USC 1681 et seq. ..."

CDPA Sec.3(b)(14):

"(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (14) personal data collected, processed, sold or disclosed in compliance with the Farm Credit Act, 12 USC 2001 et seq. ..."

CDPA Sec.3(b)(1):

"(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (1) Protected health information under HIPAA;"

CDPA Sec.3(b)(3):

"(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (3) identifiable private information for purposes of the federal policy for the protection of human subjects under 45 CFR 46 ..."

CDPA Sec.3(b)(4):

"(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (4) identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonization of Technical Requirements for Pharmaceuticals for Human Use ..."

CDPA Sec.3(b)(6):

"(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (6) information and documents created for purposes of the Health Care Quality Improvement Act of 1986, 42 USC 11101 et seq. ..."

CDPA Sec.3(b)(7):

"(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (7) patient safety work product for purposes of section 19a-127o of the general statutes and the Patient Safety and Quality Improvement Act, 42 USC 299b-21 et seq. ..."

CDPA Sec.3(b)(2):

"(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (2) patient-identifying information for purposes of 42 USC 290dd-2 ..."

CDPA Sec.3(b)(8):

"(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (8) information derived from any of the health care related information listed in this subsection that is de-identified in accordance with the requirements for de-identification pursuant to HIPAA ..."

CDPA Sec.3(b)(9):

"(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (9) information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, information exempt under this subsection that is maintained by a covered entity or business associate, program or qualified service organization, as specified in 42 USC 290dd-2 ..."

CDPA Sec.3(b)(10):

"(b) The following information and data is exempt from the provisions of sections 1 to 11, inclusive, of this act: (10) information used for public health activities and purposes as authorized by HIPAA, community health activities and population health activities ..."

CDPA Sec.3(a)(6):

"(a) The provisions of sections 1 to 11, inclusive, of this act do not apply to any: (6) covered entity or business associate, as defined in 45 CFR 160.103."

Analysis of Provisions

The Connecticut Data Privacy Act (CDPA) integrates multiple sectoral exceptions to avoid duplicative regulation and recognize existing federal and sector-specific privacy standards. These exceptions reflect the principle that industries already adhering to stringent data protection laws should not face overlapping regulatory burdens.

Driver's Privacy Protection Act:

CDPA Sec.3(b)(12) exempts personal data collected under the Driver's Privacy Protection Act:

"personal data collected, processed, sold or disclosed in compliance with the Driver's Privacy Protection Act of 1994, 18 USC 2721 et seq. ..."

This exemption recognizes the rigorous data protection standards already imposed by federal law on motor vehicle records.

Airline Deregulation Act:

CDPA Sec.3(b)(16) exempts data related to airline services:

"personal data collected, processed, sold or disclosed in relation to price, route or service, as such terms are used in the Airline Deregulation Act, 49 USC 40101 et seq. ..."

This ensures that airline carriers are not subject to additional state-level data protection requirements that could conflict with federal regulations.

Securities Exchange Act:

CDPA Sec.3(a)(4) exempts national securities associations:

"The provisions ... do not apply to any ... national securities association that is registered under 15 USC 78o-3 of the Securities Exchange Act of 1934 ..."

This exemption aligns with the federal regulation of securities associations.

Gramm-Leach-Bliley Act:

CDPA Sec.3(a)(5) exempts financial institutions:

"The provisions ... do not apply to any ... financial institution or data subject to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq. ..."

Recognizing the comprehensive privacy and data protection requirements under the Gramm-Leach-Bliley Act, this exemption avoids duplicative compliance efforts for financial institutions.

Fair Credit Reporting Act:

CDPA Sec.3(b)(11) exempts activities regulated by the Fair Credit Reporting Act:

"the collection, maintenance, disclosure, sale, communication or use of any personal information ... by a consumer reporting agency ... regulated by and authorized under the Fair Credit Reporting Act, 15 USC 1681 et seq. ..."

This exemption prevents conflicts with federal regulations governing consumer credit information.

Farm Credit Act:

CDPA Sec.3(b)(14) exempts personal data under the Farm Credit Act:

"personal data collected, processed, sold or disclosed in compliance with the Farm Credit Act, 12 USC 2001 et seq. ..."

This recognizes the specific privacy protections already provided under the Farm Credit Act.

Health Information:

Multiple provisions (Sec.3(b)(1), Sec.3(b)(2), Sec.3(b)(3), Sec.3(b)(4), Sec.3(b)(6), Sec.3(b)(7), Sec.3(b)(8), Sec.3(b)(9), Sec.3(b)(10), Sec.3(a)(6)) collectively exempt various types of health information, including HIPAA-protected data, patient safety work products, and information used for public health activities.

"Protected health information under HIPAA;"

These exemptions ensure that health data already covered by robust federal laws, such as HIPAA, the Health Care Quality Improvement Act, and the Patient Safety and Quality Improvement Act, are not subject to additional state-level regulations.

Implications

For businesses operating in Connecticut, these sectoral exceptions mean:

  • Automotive and Aviation Industries: Companies dealing with vehicle or airline data can follow federal regulations without additional state-level compliance.
  • Financial Institutions: Exemption from the CDPA allows these entities to adhere strictly to the Gramm-Leach-Bliley Act and avoid redundant regulatory requirements.
  • Healthcare Providers and Researchers: Extensive exemptions for health-related data reduce compliance burdens, allowing these entities to focus on federal privacy standards such as HIPAA and the Health Care Quality Improvement Act.
  • Credit Reporting Agencies: Activities governed by the Fair Credit Reporting Act are exempt, ensuring that consumer credit information is managed according to existing federal regulations.

These exemptions streamline compliance, ensuring that businesses are not subjected to overlapping regulations, and allowing them to focus on adhering to specific federal standards applicable to their sectors.

