Go to:

Connecticut State Privacy Protection Rights

Connecticut statewide privacy links:

Sponsored

Introduction to Connecticut Privacy Rights

Connecticut has emerged as one of the most privacy-forward states in the nation, consistently implementing robust protections that go beyond federal requirements. The Constitution State has established a comprehensive framework of privacy laws that protect residents' personal information across multiple domains—from consumer data and health records to employment information and government transparency.

Connecticut's privacy landscape reflects a careful balance between public access to government records and individual privacy rights. The state's Freedom of Information Act (FOIA), codified in Connecticut General Statutes §§ 1-200 through 1-242, is recognized as one of the strongest open records laws in the country, yet it includes thoughtful exemptions designed to protect personal privacy. Meanwhile, the Connecticut Data Privacy Act (CTDPA), which became law in 2022 and took effect on July 1, 2023, positions Connecticut as only the fifth state to enact comprehensive consumer data privacy legislation.

Compared to other states, Connecticut stands out for its proactive approach to emerging privacy challenges. While many states have piecemeal privacy protections addressing specific sectors, Connecticut has built a multi-layered system that covers consumer data rights, breach notification requirements, employee privacy, biometric data, and children's online privacy. The state's Attorney General has been particularly active in enforcing privacy protections, bringing actions against companies that mishandle Connecticut residents' data. This combination of strong statutory protections and active enforcement makes Connecticut a leader in privacy rights, comparable to California, Virginia, and Colorado in the breadth of protections offered to residents.

Connecticut's State Privacy Laws

Connecticut's privacy protections are established through multiple statutes that address different aspects of personal information security and use. Understanding these laws is essential for residents seeking to protect their privacy and exercise their rights.

Connecticut Data Privacy Act (CTDPA)

The Connecticut Data Privacy Act, codified in Connecticut General Statutes § 42-520 through § 42-524, represents the state's most comprehensive consumer privacy legislation. Effective July 1, 2023, the CTDPA applies to businesses that control or process the personal data of at least 100,000 Connecticut consumers annually (excluding data processed solely for payment transactions) or control or process personal data of at least 25,000 Connecticut consumers and derive more than 25% of gross revenue from the sale of personal data.

The CTDPA grants Connecticut residents five fundamental privacy rights: the right to access personal data, the right to correct inaccuracies in personal data, the right to delete personal data, the right to obtain a copy of personal data in a portable format, and the right to opt out of the processing of personal data for purposes of targeted advertising, sale of personal data, or profiling. Businesses must respond to consumer requests within 45 days, with a possible 45-day extension if reasonably necessary.

Data Breach Notification Requirements

Connecticut's data breach notification law, found in Connecticut General Statutes § 36a-701b, is one of the most stringent in the nation. Any person who owns or licenses computerized data containing personal information must notify Connecticut residents when their personal information has been, or is reasonably believed to have been, accessed by an unauthorized person.

The law requires notification "without unreasonable delay" but no later than the timeframe established by the investigation. Connecticut law does not specify an exact number of days for notification, instead requiring that notice be provided as expeditiously as possible following discovery of the breach. However, notification may be delayed if a law enforcement agency determines that it would impede a criminal investigation. The notification must include specific elements: the date or estimated date of the breach, a description of the personal information compromised, contact information for the entity experiencing the breach, and information about available assistance and remedial measures.

For breaches affecting 500 or more Connecticut residents, businesses must also notify the state Attorney General without unreasonable delay. The penalty for willful violation can reach $5,000 per violation.

Employee Privacy Rights

Connecticut provides substantial workplace privacy protections under multiple statutes. Connecticut General Statutes § 31-48d prohibits employers from requiring or requesting employees or applicants to provide usernames, passwords, or other authentication information for accessing personal online accounts, including social media. This law, enacted in 2015, was among the first of its kind nationally.

Additionally, Connecticut General Statutes § 31-128f restricts employer electronic monitoring of employees. Employers must provide prior written notice to all employees who may be subject to electronic monitoring in the workplace. This notice must be given at the time of hiring and must acknowledge that they have received notice of such monitoring. The law defines electronic monitoring broadly to include the collection of information through electronic means concerning employees' activities or communications by telephone, wire, computer, or any other electronic device.

Financial Privacy Protections

Connecticut enforces financial privacy through several mechanisms. The state has adopted provisions consistent with the federal Gramm-Leach-Bliley Act, but Connecticut General Statutes § 36a-42 provides additional protections specific to state-chartered financial institutions. Connecticut residents have the right to opt out of information sharing between affiliated companies and must receive annual privacy notices from their financial institutions explaining information-sharing practices.

Biometric Information Privacy

Connecticut Public Act No. 22-15, effective October 1, 2022, establishes specific requirements for the collection and use of biometric information. The law, found in Connecticut General Statutes § 42-520, requires businesses to inform individuals in writing of the specific purpose and length of time for which biometric information is being collected, stored, and used. Businesses must obtain written consent before collecting biometric identifiers and are prohibited from selling, leasing, or trading biometric information without consent.

Freedom of Information / Open Records in Connecticut

Connecticut's Freedom of Information Act (FOIA), established under Connecticut General Statutes §§ 1-200 through 1-242, provides some of the strongest public records access rights in the United States. The law is premised on the principle that government records should be accessible to the public except where specific exemptions apply.

Coverage and Scope

The Connecticut FOIA applies to all "public agencies," which includes state agencies, political subdivisions of the state, any authority, board, commission, official or agency created by the General Assembly or a political subdivision, and any other agency or office of the state or local government. The law covers virtually all records maintained by these agencies, with "public records" defined broadly as any recorded data or information relating to the conduct of the public's business.

Exemptions Specific to Connecticut

Connecticut's FOIA includes approximately 30 categories of exemptions designed to protect specific privacy and governmental interests. Key privacy-related exemptions include: personnel, medical, and similar files where disclosure would constitute an invasion of personal privacy (§ 1-210(b)(2)); records of law enforcement agencies not otherwise available to the public which disclose the identity of informants (§ 1-210(b)(3)); test questions, scoring keys, and other examination data used in licensing or employment (§ 1-210(b)(6)); and Social Security numbers (§ 1-210(b)(17)).

Additional exemptions protect records of child abuse or neglect investigations (§ 1-210(b)(4)), adoption records (§ 1-210(b)(5)), and video surveillance recordings from within secure areas of correctional facilities or law enforcement lockups (§ 1-210(b)(20)).

How to Request Records

Connecticut law requires no specific form for FOIA requests, though many agencies provide request forms for convenience. Requests may be submitted in writing, orally, or electronically, depending on the agency's policies. The request should reasonably describe the records sought and should be directed to the agency's FOIA officer or the custodian of records.

Public agencies must respond to FOIA requests promptly. Specifically, agencies must provide requested records within four business days or notify the requester that additional time is needed and provide the records within a reasonable time thereafter. If the agency denies a request, it must provide written notification of the denial and cite the specific exemption relied upon.

Fee Schedules

Connecticut law limits the fees agencies may charge for public records. Under § 1-212, agencies may charge only for the actual cost of copying, not for search or retrieval time for most records. The first 50 pages of paper copies must be provided at no charge; thereafter, agencies may charge up to 50 cents per page. For electronic records, agencies may charge only the cost of the storage device or transmission. Some agencies have established specific fee schedules approved by the Freedom of Information Commission.

Appeals Process

Connecticut provides a robust appeals process through the Freedom of Information Commission (FOIC), an independent state agency located at 165 Capitol Avenue, Hartford, CT 06106. If a FOIA request is denied or if an agency fails to respond within the required timeframe, requesters may file an appeal with the FOIC within 30 days. The Commission conducts contested case hearings and issues binding decisions. Appeals from FOIC decisions may be taken to Superior Court. Connecticut's FOIC is unique among states in providing free, accessible administrative review of denied records requests.

HIPAA and Health Privacy

Health privacy in Connecticut is governed by both federal HIPAA regulations and state-specific protections that often provide stronger safeguards than federal law requires.

The Health Insurance Portability and Accountability Act (HIPAA) establishes baseline privacy protections for protected health information (PHI) nationwide, including in Connecticut. HIPAA applies to covered entities—healthcare providers, health plans, and healthcare clearinghouses—as well as their business associates. Under HIPAA, Connecticut residents have the right to access their medical records, request corrections, receive an accounting of disclosures, and file complaints with the U.S. Department of Health and Human Services Office for Civil Rights.

Connecticut-Specific Health Privacy Protections

Connecticut law provides additional health privacy protections beyond HIPAA in several key areas. Connecticut General Statutes § 20-7c restricts the disclosure of patient information by healthcare providers and requires patient authorization for most disclosures. This statute applies more broadly than HIPAA, covering healthcare providers who may not be HIPAA covered entities.

Connecticut General Statutes § 19a-25 provides particularly strong protections for HIV/AIDS-related information, requiring specific written consent for disclosure and imposing criminal penalties for unauthorized disclosure. Similarly, § 17a-688 through § 17a-689 establish strict confidentiality requirements for substance abuse treatment records, often exceeding federal 42 CFR Part 2 protections.

Mental health records receive heightened protection under Connecticut General Statutes § 52-146d through § 52-146s, which establish a psychotherapist-patient privilege that prevents disclosure of communications between patients and mental health professionals except in limited circumstances defined by statute.

Protecting Medical Records in Connecticut

Connecticut residents can take specific steps to protect their medical records. Patients should request copies of their healthcare provider's Notice of Privacy Practices, which explains how medical information may be used and disclosed. Residents can request restrictions on uses and disclosures, though providers are not required to agree except in specific circumstances. Connecticut residents can also request that healthcare providers communicate with them through alternative means or at alternative locations to protect privacy. To report violations, residents can file complaints with both the Connecticut Department of Public Health (410 Capitol Avenue, Hartford, CT 06134) and the federal Office for Civil Rights.

Consumer Data Privacy Rights

Connecticut residents possess extensive rights regarding the collection, use, and sale of their personal data under the Connecticut Data Privacy Act and other consumer protection statutes.

Rights Under the Connecticut Data Privacy Act

Under the CTDPA (Connecticut General Statutes § 42-520 et seq.), Connecticut consumers have the right to confirm whether a controller is processing their personal data and to access that data. Consumers can correct inaccuracies in their personal data and can request deletion of personal data provided by or obtained about the consumer. The law also grants consumers the right to obtain a copy of their personal data in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance.

Critically, Connecticut residents have the right to opt out of the processing of personal data for targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects. Businesses must provide clear and conspicuous methods for exercising these opt-out rights, and they may not discriminate against consumers for exercising their privacy rights.

Exercising Your Rights

To exercise CTDPA rights, Connecticut residents should submit requests directly to businesses through the methods those businesses designate for receiving such requests. Businesses must respond within 45 days of receipt, with a possible 45-day extension if reasonably necessary. If a business denies a consumer request, the consumer may appeal the decision by submitting a request through the business's designated appeal process. If the appeal is denied, consumers may file a complaint with the Connecticut Attorney General.

Data Broker Rights and Removal

While Connecticut does not have a comprehensive data broker registry like Vermont or California, Connecticut residents can remove their information from data brokers using their rights under the CTDPA and through direct opt-out requests. Major data brokers operating in Connecticut include Spokeo, Whitepages, BeenVerified, Intelius, and MyLife. Each maintains opt-out processes on their websites, typically requiring verification of identity and the specific information to be removed.

Connecticut residents should systematically search for their information on these sites and submit opt-out requests individually. The process typically takes 30-90 days per site. For persistent listings, residents can invoke their CTDPA deletion rights if the broker meets the law's applicability thresholds.

Credit Report Rights Under FCRA

The federal Fair Credit Reporting Act (FCRA) provides Connecticut residents with the right to access free annual credit reports from each of the three major credit bureaus—Equifax, Experian, and TransUnion—through AnnualCreditReport.com. Connecticut residents can dispute inaccurate information on credit reports, and bureaus must investigate disputes within 30 days.

Connecticut General Statutes § 36a-701a provides additional protections by requiring consumer reporting agencies to implement security freezes at no charge. Connecticut residents can freeze and unfreeze their credit files to prevent identity thieves from opening new accounts in their names. The freeze must be implemented within one business day of receiving a request and lifted within one hour if requested electronically or by phone, or within three business days if requested by mail.

Employment Background Checks & Privacy

Connecticut has implemented some of the nation's most protective laws governing employment background checks and the use of criminal records in hiring decisions.

Ban-the-Box Legislation

Connecticut's "ban-the-box" law, codified in Connecticut General Statutes § 31-51i and § 46a-80, prohibits most employers from inquiring about a job applicant's criminal history on an initial employment application. Employers may not inquire about criminal history until the applicant has been deemed otherwise qualified for the position and has been selected for an interview. State contractors and certain employers with one or more employees are covered by this law.

The law prohibits employers from inquiring about erased criminal records and from discriminating based on arrests not leading to conviction or criminal charges that have been dismissed or nullified. Employers who conduct criminal background checks must provide applicants with notice and an opportunity to review and contest the accuracy of any criminal history information before taking adverse employment action.

What Employers Can and Cannot Access

Under Connecticut General Statutes § 46a-80(b), employers may not deny employment solely because of a prior conviction unless the conviction is directly related to the employment sought or the employer can demonstrate that denial is necessary because of business necessity. The law requires individualized assessment of the nature of the crime, the time elapsed since conviction, the nature of the job sought, and evidence of rehabilitation.

Connecticut law also restricts consideration of certain criminal records. Employers cannot inquire about or consider erased records, arrests not leading to conviction, or convictions that have been pardoned. Under § 54-142a, many first-time offenders for certain crimes can have their records erased after a waiting period, and these erased records must be treated as if they never occurred for employment purposes.

Background Check Requirements

When employers conduct background checks using consumer reporting agencies, they must comply with both the federal Fair Credit Reporting Act and Connecticut-specific requirements. Under the FCRA, employers must obtain written consent before procuring a background check, provide pre-adverse action notice if they intend to take adverse action based on the report, and provide final adverse action notice if they ultimately deny employment.

Connecticut General Statutes § 31-128g requires employers who use credit reports for employment purposes to certify in writing to the consumer reporting agency that they have provided required notices to the employee or applicant and will not use the information in violation of state or federal law.

Criminal Record Accessibility Timeframes

The length of time criminal records remain accessible in Connecticut varies by offense type and disposition. Arrest records not leading to conviction may be erased after a waiting period: 13 months for most dismissed charges, three years for nolled (not prosecuted) charges. Conviction records for certain misdemeanors may be erased after three to five years, depending on the offense. Felony convictions may be eligible for erasure after seven to ten years, with exceptions for serious violent crimes.

Disputing Inaccurate Records

Connecticut residents who discover inaccurate information in employment background checks have multiple avenues for dispute. Under the FCRA, individuals can dispute inaccuracies directly with the consumer reporting agency, which must investigate within 30 days. Individuals can also dispute records with the Connecticut State Police Bureau of Identification, which maintains criminal history records. Requests for correction should be submitted in writing to: Connecticut State Police, Bureau of Identification, 1111 Country Club Road, Middletown, CT 06457. If errors involve court records, individuals should petition the court that entered the record to correct the error.

Protecting Yourself in Connecticut

Connecticut residents can take concrete steps to protect their privacy and personal information through a combination of legal rights and practical measures.

Step 1: Opt Out of People-Search Sites

Begin by identifying which people-search websites display your information. Search for your name, phone number, and address on major sites including Spokeo, Whitepages, BeenVerified, Intelius, MyLife, PeopleFinders, and TruthFinder. Once located, visit each site's opt-out page:

Document each opt-out request with screenshots and confirmation emails. If sites do not remove your information within their stated timeframes (typically 72 hours to 14 days), you can file complaints with the Connecticut Attorney General's office or invoke your deletion rights under the CTDPA if applicable.

Step 2: Freeze Your Credit

Under Connecticut General Statutes § 36a-701a, you can freeze your credit files at no charge with all three major credit bureaus. Contact each bureau directly:

You'll receive a PIN or password to lift the freeze when needed. Connecticut law requires bureaus to implement freezes within one business day and to lift them within one hour if requested electronically.

Step 3: Request Record Sealing/Expungement

Connecticut uses the term "erasure" rather than expungement. To request erasure of criminal records, determine your eligibility under Connecticut General Statutes § 46b-146 (for certain juvenile records) or § 54-142a (for adult criminal records). Obtain a copy of your criminal history from the Connecticut State Police Bureau of Identification to verify what records exist.

File a petition for erasure with the clerk of the Superior Court in the geographical area where the arrest or conviction occurred. The petition should include your personal information, details of the arrest or conviction, and the statutory basis for erasure. There is no filing fee for erasure petitions. The court will schedule a hearing, and the State's Attorney may object. If granted, the court orders all criminal justice agencies to erase the records.

Step 4: Exercise Your CTDPA Rights

Systematically exercise your rights under the Connecticut Data Privacy Act with companies that collect your data. Submit requests to access what data companies hold about you, correct inaccuracies, and delete data where appropriate. Opt out of targeted advertising and data sales through company-provided mechanisms, typically found in privacy policies or account settings.

Step 5: Monitor Your Privacy Regularly

Establish a quarterly privacy review routine. Check your credit reports (free annually from each bureau), search for your information on people-search sites, review privacy settings on social media and online accounts, and monitor for data breaches affecting companies you do business with. Sign up for breach notification services and consider identity theft protection services if you've been affected by data breaches.

Key Connecticut Contacts

Maintain contact information for key privacy-related agencies:

Connecticut Data Breach Notification

Connecticut's data breach notification law, Connecticut General Statutes § 36a-701b, establishes comprehensive requirements for entities that experience unauthorized access to personal information.

Who Must Notify

Any person who owns or licenses computerized data containing personal information must provide notice following a breach. "Personal information" is defined as an individual's first name or initial and last name in combination with any of the following: Social Security number, driver's license number, state identification card number, account number or credit/debit card number with any security code or password that would permit access to the account, or account numbers or credit/debit card numbers if circumstances exist wherein such information could be used without additional identifying information.

The law applies to persons who conduct business in Connecticut and own or license such data, as well as persons who maintain such data on behalf of others (data processors). If a data processor experiences a breach, it must notify the data owner, who then bears responsibility for notifying affected individuals.

Notification Timeframe

Connecticut law requires notification "without unreasonable delay" following discovery of the breach or when the person reasonably believes a breach has occurred. Unlike some states that specify exact timeframes (such as 30 or 60 days), Connecticut's standard is flexible but demanding. Courts and the Attorney General evaluate reasonableness based on the circumstances, including the nature of the breach, the time required to investigate, and the need to implement security measures.

Notification may be delayed if a law enforcement agency determines that notification will impede a criminal investigation. Law enforcement must inform the entity in writing of this determination, and notification must occur within seven business days after law enforcement determines that notification will no longer compromise the investigation.

Content of Notification

Breach notifications must include specific information: the date or estimated date of the breach, a general description of what occurred, the type of personal information compromised, the company's contact information, contact information for the major consumer reporting agencies, and advice on steps individuals can take to protect themselves from potential harm.

Attorney General Notification

When a breach affects 500 or more Connecticut residents, the entity experiencing the breach must notify the Connecticut Attorney General without unreasonable delay. This notification should be provided concurrently with notice to affected individuals and should include the same information provided to individuals, plus the approximate number of affected Connecticut residents.

Penalties for Violations

Violations of Connecticut's breach notification law can result in significant penalties. Any person who knows or should have known that notification was required and willfully fails to provide such notice may be liable for a civil penalty of not more than $5,000 per violation. The Attorney General may bring actions to enforce the statute and seek injunctive relief. Additionally, violations may constitute unfair trade practices under Connecticut General Statutes § 42-110a et seq., exposing violators to additional penalties and potential class action liability.

Children's Privacy (Connecticut)

Connecticut provides robust protections for children's privacy through both state-specific legislation and enforcement of federal laws.

COPPA Compliance in Connecticut

The federal Children's Online Privacy Protection Act (COPPA) applies nationwide, including in Connecticut. COPPA requires operators of websites and online services directed to children under 13, or operators with actual knowledge they are collecting information from children under 13, to obtain verifiable parental consent before collecting personal information. Connecticut's Attorney General actively enforces COPPA violations affecting Connecticut children, bringing actions against companies that illegally collect children's data.

Connecticut-Specific Child Privacy Laws

Connecticut has enacted state-level protections that extend beyond COPPA. Public Act 21-191, effective July 1, 2022, prohibits online service providers that create profiles on child users from using that information for targeted advertising to children or selling children's personal information. This prohibition applies regardless of whether parental consent was obtained, providing stronger protections than federal law in this specific context.

Connecticut General Statutes § 10-234aa through § 10-234dd regulate student data privacy in educational technology contexts. These statutes prohibit operators of educational technology from selling student information, using student data for targeted advertising, or creating profiles of students except for educational purposes. School districts must ensure contracts with technology providers include privacy protections, and parents have rights to access and correct their children's educational records.

School Records and FERPA

The federal Family Educational Rights and Privacy Act (FERPA) protects student education records in Connecticut schools. FERPA grants parents the right to inspect and review their children's education records maintained by schools, request corrections to inaccurate records, and control disclosure of personally identifiable information from education records.

Connecticut law complements FERPA through Connecticut General Statutes § 10-15b, which establishes confidentiality for student records and limits disclosure. Parents can access their children's records by submitting written requests to school administrators. Schools must respond within a reasonable time, not to exceed 45 days. If parents believe records contain inaccurate information, they can request a hearing before the school board to challenge the content.

Frequently Asked Questions

How do I remove my personal information from public records in Connecticut?

Complete removal from public records is generally not possible, as Connecticut's Freedom of Information Act requires government transparency. However, you can limit exposure by: (1) opting out of people-search websites that republish public records; (2) requesting redaction of sensitive information like Social Security numbers from certain court documents under Connecticut Practice Book rules; (3) petitioning for erasure of criminal records under Connecticut General Statutes § 54-142a if eligible; and (4) requesting that government agencies withhold your address from public records in cases involving domestic violence or similar safety concerns under § 1-217. For property records, some municipalities offer address confidentiality programs for victims of domestic violence.

Can I sue a company that violates my privacy rights under Connecticut law?

The Connecticut Data Privacy Act does not provide a private right of action for individual consumers. Only the Connecticut Attorney General can enforce the CTDPA. However, you can file a complaint with the Attorney General's office at (860) 808-5318 or through their website. For other privacy violations, you may have private lawsuit rights under different statutes: the Connecticut Unfair Trade Practices Act (CUTPA) § 42-110a may provide a basis for suit if the privacy violation constitutes an unfair trade practice; violation of the breach notification statute may support a negligence claim if you suffer harm; and violation of specific statutes like the social media password protection law (§ 31-48d) or electronic monitoring law (§ 31-128f) may support civil actions. Consult an attorney to evaluate whether your specific situation supports a private lawsuit.

How long does it take to get a criminal record erased in Connecticut?

The timeline for erasure depends on several factors. Eligibility waiting periods vary by case type: arrests not leading to conviction may be erased after 13 months for dismissed cases or three years for nolled cases; certain misdemeanor convictions after three to five years; and certain felony convictions after seven to ten years. Once eligible, the petition process typically takes 3-6 months from filing to final court order. After filing your petition with the Superior Court clerk, the court schedules a hearing (usually within 60-90 days), the State's Attorney may file an objection, and if the court grants erasure, agencies have 60 days to complete the erasure process. Complex cases involving multiple charges or objections may take longer. You can check eligibility using the Connecticut Judicial Branch's erasure eligibility tool or consult with an attorney.

What should I do immediately after receiving notice of a data breach affecting my information?

Take these immediate steps: (1) Review the breach notice carefully to understand what information was compromised; (2) If Social Security numbers were exposed, immediately place fraud alerts with all three credit bureaus by calling any one bureau (they notify the others): Equifax (800-525-6285), Experian (888-397-3742), or TransUnion (800-680-7289); (3) Implement a credit freeze with all three bureaus under Connecticut General Statutes § 36a-701a; (4) Monitor your credit reports closely for unauthorized accounts (you're entitled to free reports from each bureau at AnnualCreditReport.com); (5) Change passwords for any affected accounts; (6) Monitor financial accounts for unauthorized transactions; (7) Consider enrolling in credit monitoring services if offered by the breached company; (8) File a complaint with the Connecticut Attorney General if the company failed to provide timely notice; and (9) Document all communications and steps taken in case you need to dispute fraudulent charges or accounts later.

Can my employer monitor my email and internet use at work in Connecticut?

Yes, but with important limitations. Connecticut General Statutes § 31-48d requires employers to provide prior written notice to employees who may be subject to electronic monitoring in the workplace. Employers must give this notice at the time of hiring for new employees and to existing employees before implementing monitoring. The notice must inform employees that their electronic communications and internet use may be monitored. While the law does not prohibit monitoring, it requires transparency. Employers can monitor email, internet use, computer activity, and telephone communications if proper notice has been provided. However, monitoring of areas where employees have a reasonable expectation of privacy (such as bathrooms or changing rooms) remains prohibited. Employees who believe their employer is conducting monitoring without providing required notice can file complaints with the Connecticut Department of Labor or consult an employment attorney. The statute does not apply to processes designed to manage the type or volume of incoming or outgoing electronic mail or telephone voice mail or internet usage, that are not targeted to monitor specific individuals.

How do I access my medical records in Connecticut, and can I prevent others from seeing them?

Under Connecticut General Statutes § 20-7c and HIPAA regulations, you have the right to access your medical records by submitting a written request to your healthcare provider. Providers must respond within 30 days under HIPAA (Connecticut law allows a reasonable time). Providers may charge reasonable copying fees—generally up to $0.65 per page for the first 20 pages, $0.50 per page for pages 21-100, and $0.25 per page thereafter, plus actual postage costs. To prevent unauthorized access: (1) Request a copy of your provider's Notice of Privacy Practices and review how they share information; (2) Request restrictions on disclosures, though providers are not required to agree except when you pay out-of-pocket in full for a service and request they not share information with your health plan; (3) Request confidential communications through alternative means or locations; (4) Review who has accessed your records by requesting an accounting of disclosures; (5) For particularly sensitive records (HIV/AIDS, mental health, substance abuse), know

Last reviewed: Apr 2, 2026 Updated: Apr 2, 2026