By: Paul Fenaroli

The Connecticut Data Privacy Act (CTDPA) introduced new compliance requirements that affect fitness clubs, gyms, and wellness centers operating in the state. The law took effect on July 1, 2023; amendments that took effect on October 1, 2023 added specific protections for consumer health data. The CTDPA establishes consumer data protection rules that fall particularly heavily on businesses that handle sensitive health information.

For health clubs, compliance is essential to avoid penalties and maintain consumer trust. Below, we outline the key changes, the types of health data affected, and the health clubs to which the law applies.

Applicability of the CTDPA to Fitness Clubs

The CTDPA applies to health clubs and wellness businesses that meet at least one of the following thresholds:

  1. The business controlled or processed the personal data of at least 100,000 Connecticut consumers during the preceding calendar year, excluding personal data processed solely to complete a payment transaction.
  2. The business controlled or processed the personal data of at least 25,000 Connecticut consumers and derived more than 25 percent of its gross revenue from the sale of personal data.

Businesses covered under this law include large gym chains and boutique studios if they meet the data processing threshold. The CTDPA further applies to health and wellness centers that collect and store consumer health data, as well as digital fitness platforms and fitness applications operating in Connecticut.

Businesses that fall below both thresholds are outside the law's scope. In practice this leaves out many small, independent gyms and individual personal trainers who keep only limited client records, but the test is the volume of data controlled or processed, not the size of the business. The CTDPA also exempts covered entities and business associates under the Health Insurance Portability and Accountability Act (HIPAA), as well as protected health information governed by HIPAA, so medical fitness facilities operating under HIPAA, such as hospital programs and physical therapy centers, are generally outside its reach.

If a health club collects consumer health data, tracks workouts, or engages in data-driven marketing, it should count the Connecticut consumers whose data it controls or processes (including through fitness apps and wearable integrations), determine whether it meets a threshold, and take the necessary compliance measures.

Types of Data Covered Under the CTDPA

The CTDPA's obligations apply to all personal data a health club collects, and several categories that clubs routinely handle qualify as sensitive data, which carries heightened requirements. Examples include:

  • Biometric data, such as fingerprints, facial recognition scans, and retina scans used for identity verification and gym access.
  • Health and medical history, including pre-existing conditions, injuries, medications, and pregnancy status provided during membership enrollment or personal training assessments.
  • Fitness and performance data, including body composition analysis, workout history, heart rate monitoring, and cardiovascular assessments.
  • Nutritional information, including dietary preferences, meal plans, and supplement use recorded during nutrition counseling sessions.
  • Mental health and behavioral data, such as self-reported stress levels, sleep patterns, and wellness tracking.
  • Payment and insurance details, such as information collected for employer-sponsored wellness programs or health insurance reimbursement.
  • Location and movement data, including gym check-in records, geofencing data, and wearable device integrations.

Sensitive data, which under the CTDPA includes mental or physical health conditions or diagnoses, biometric data used to uniquely identify a person, precise geolocation data and, since the October 2023 amendments, consumer health data, may be processed only with the consumer's consent. Other categories in the list above, such as payment details and general workout history, are personal data that still carry the law's general obligations on transparency, purpose limitation, and security. Health clubs must ensure that they collect and process both kinds of data in compliance with the law's requirements.

Key Compliance Requirements for Fitness Clubs

  1. Obtain Explicit Consumer Consent
    Health clubs must obtain consent before processing sensitive data such as biometric identifiers used for gym access, health conditions disclosed at enrollment or in personal training assessments, and precise geolocation. Under the CTDPA, consent means a clear affirmative act signifying freely given, specific, informed and unambiguous agreement; acceptance of general terms of use, pre-ticked boxes, and consent obtained through manipulative interface design do not qualify.
  2. Update Privacy Policies
    Businesses must publish a reasonably accessible, clear and meaningful privacy notice that states which categories of personal data are collected and why, how the data is stored and used, which categories are shared with third parties and with whom, and how consumers can exercise their rights, including requesting deletion and appealing a refusal.
  3. Allow Consumers to Opt Out
    Consumers have had the right to opt out of targeted advertising, the sale of their personal data, and profiling in furtherance of solely automated decisions with legal or similarly significant effects since the law took effect. Beginning January 1, 2025, fitness clubs must also honor universal opt-out preference signals, such as the Global Privacy Control (GPC) browser signal, as a valid opt-out of targeted advertising and data sales, which means web and app properties need to detect the signal and act on it.
  4. Limit Data Collection
    Businesses must limit collection to personal data that is adequate, relevant and reasonably necessary for the purposes disclosed to the consumer. Location-based tracking deserves particular care: precise geolocation is sensitive data and requires consent, and the 2023 amendments prohibit geofencing within 1,750 feet of a mental health, reproductive or sexual health facility to identify or track consumers for purposes involving consumer health data.
  5. Conduct Data Protection Assessments
    Before engaging in targeted advertising, selling personal data, processing sensitive data such as biometrics, or profiling that presents a heightened risk, health clubs must conduct and document a data protection assessment that weighs the benefits of the processing against the risks to consumers, and must be able to produce it to the Connecticut Attorney General on request.
  6. Enhance Data Security Measures
    Health clubs must establish, implement and maintain reasonable administrative, technical and physical data security practices, appropriate to the volume and nature of the data, that protect the confidentiality, integrity and accessibility of personal data. For the data types listed above, that means in practice encrypting biometric templates and health records at rest and in transit, restricting staff access to what each role needs, logging access to sensitive records, and binding third-party fitness apps, wearable integrations and marketing processors by contract to the same obligations and to equivalent security measures.
  7. Establish Consumer Data Access and Deletion Procedures
    The CTDPA grants consumers the right to confirm whether their personal data is being processed, access it, correct inaccuracies, delete it, and obtain a portable copy. Fitness clubs must respond within 45 days of receiving a request, extendable once by a further 45 days when reasonably necessary with notice to the consumer, and must offer an appeal process for refused requests. Requests should be authenticated using commercially reasonable efforts before data is released or deleted, so that the access right itself does not become a way to leak a member's health records.
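
Item 3 above turns on a concrete mechanism: the browser sends the Global Privacy Control signal as an HTTP request header, `Sec-GPC: 1`, and the club's web property must treat it as an opt-out of targeted advertising and data sales. The following is an added example written for this post, not code from the original article or from any named product. It assumes the header is sent exactly as the GPC specification defines it, uses a hypothetical consent record layout (`ConsentRecord`) for illustration, and fails closed for purposes it does not recognise. The purpose names and the sample request headers are constructed for the example.

```python
"""Honouring a universal opt-out preference signal (Global Privacy Control).

Added example for this post, not code from the original article or from any
named product. It assumes the browser sends the signal as the GPC
specification defines it, `Sec-GPC: 1`, and uses a hypothetical consent
record layout (ConsentRecord) for illustration.
"""
from dataclasses import dataclass, replace
from typing import Mapping

GPC_HEADER = "sec-gpc"  # HTTP header names are case-insensitive; compared lower-cased

# Purposes the signal opts the consumer out of: targeted advertising and the
# sale of personal data. These names are the example's own, not statutory terms.
SIGNAL_COVERED_PURPOSES = frozenset({"targeted_advertising", "sale_of_personal_data"})

# Purposes needed to deliver the membership itself; the signal does not cover
# them, so they are permitted here (the club's other consent checks still apply).
SERVICE_PURPOSES = frozenset({"membership_billing", "facility_access"})


@dataclass(frozen=True)
class ConsentRecord:
    """Hypothetical stored consent choices for one member."""
    member_id: str
    targeted_advertising: bool = False
    sale_of_personal_data: bool = False


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True only for the exact opt-out value `Sec-GPC: 1`.

    Any other value ("0", "true", "yes", empty) is not a valid signal and must
    not be treated as an opt-out; an absent header is not a signal either.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def apply_opt_out_signal(record: ConsentRecord, headers: Mapping[str, str]) -> ConsentRecord:
    """Return the consent that governs this request.

    A valid signal overrides the stored record for the covered purposes; the
    stored record itself is left unchanged by this function.
    """
    if not gpc_signal_present(headers):
        return record
    return replace(record, targeted_advertising=False, sale_of_personal_data=False)


def processing_allowed(purpose: str, record: ConsentRecord, headers: Mapping[str, str]) -> bool:
    """Decide whether `purpose` may proceed for this member on this request."""
    if purpose in SERVICE_PURPOSES:
        return True
    if purpose in SIGNAL_COVERED_PURPOSES:
        return getattr(apply_opt_out_signal(record, headers), purpose)
    # Unknown purpose: fail closed rather than silently permit it.
    return False


def gpc_well_known_document(last_update: str) -> dict:
    """Body for GET /.well-known/gpc.json, which the GPC specification uses so a
    site can declare that it honours the signal. `last_update` is an ISO 8601 date."""
    return {"gpc": True, "lastUpdate": last_update}


if __name__ == "__main__":
    # Constructed sample request headers, not captured traffic.
    member = ConsentRecord("m-1001", targeted_advertising=True, sale_of_personal_data=True)
    samples = {
        "signal sent": {"Host": "gym.example", "sec-gpc": "1", "User-Agent": "Mozilla/5.0"},
        "no signal": {"Host": "gym.example", "User-Agent": "Mozilla/5.0"},
        "malformed value": {"Host": "gym.example", "Sec-GPC": "yes"},
    }
    for label, hdrs in samples.items():
        allowed = processing_allowed("targeted_advertising", member, hdrs)
        print(f"{label:16} targeted ads allowed: {allowed}")
```

The per-request override is the minimum. When the request comes from an authenticated member, it is sensible to persist the opt-out to the stored record as well, and to keep an audit log of which requests carried the signal and what the decision was, since that log is the evidence that the signal was honored if the Attorney General asks.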

Conclusion

With Connecticut's privacy law and its health data amendments in full effect, health clubs must review their data collection practices, update privacy notices, and ensure compliance to avoid legal penalties. Health clubs that process consumer health data must be particularly diligent in adhering to the law's requirements, as enforcement actions from the Connecticut Attorney General's Office have already begun, and the 60-day right to cure that the law initially afforded expired on December 31, 2024, so violations can now be pursued without a warning period.

Proactive compliance not only helps avoid regulatory fines but also strengthens consumer trust and business reputation. Health clubs should consult legal counsel or data privacy experts to assess their compliance obligations under the CTDPA.

Tags: Connecticut Data Privacy Act, Fitness Clubs, Health and Fitness