Update: On April 28, 2022, the Connecticut House passed a comprehensive privacy bill that cleared the Connecticut Senate last week, paving the way for Connecticut to become the fifth state with a comprehensive privacy law. The bill still needs to be signed into law by Governor Lamont.
The Connecticut proposal shares many similarities with the laws already set to go into effect in 2023 but seems to have the most in common with Virginia’s Consumer Data Protection Act. Like the Virginia law, the Connecticut proposal does not allow for any rulemaking for the attorney general’s office (which has exclusive enforcement authority). It does, however, allow for the creation of a working group that would make recommendations to the legislature as to potential amendments to the law (which also happened with Virginia). One notable difference between the Connecticut proposal and the Virginia law is that the relevant exemptions for data regulated under certain federal laws seem to be narrower in Connecticut (e.g., there are not any broad-based exemptions for covered entities or business associates regulated under HIPAA; the relevant HIPAA exemption instead applies to protected health information regulated under HIPAA).
While businesses would have to account for some of the technical differences in the Connecticut proposal if it were to go into effect, most of the compliance efforts that businesses have taken to comply with California, Virginia, Colorado, and Utah would also apply to Connecticut. It does not create many new data processing obligations for businesses. Companies should also keep an eye out for federal privacy proposals, as a fifth law may increase the appetite for comprehensive privacy legislation in Congress.
Below are key provisions of the Connecticut Act:
- Applies to persons that conduct business in Connecticut or that produce products or services that are targeted to Connecticut residents and that, during the preceding calendar year: (1) controlled or processed the personal data of at least 100,000 consumers (excluding personal data controlled or processed solely to complete a payment transaction); or (2) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of gross revenue from the sale of personal data.
- Exempts various entities and information types, including certain government entities; covered entities and business associates under HIPAA; information governed by HIPAA; financial institutions or data subject to certain GLBA provisions; nonprofit organizations; institutions of higher education; and personal data regulated by FERPA.
- Creates individual rights for consumers, including 1) the right to confirm whether a controller is processing their personal data, and the right to access their personal data; 2) the right to correct inaccuracies in their personal data; 3) the right to delete the personal data provided by or obtained about the consumer; 4) the right to obtain a copy of their personal data in a format that is portable, readily usable, and allows the consumer to transmit the data to another controller without hindrance; and 5) the right to opt out of the processing of their personal data for the purposes of a) targeted advertising, b) the sale of personal data, or c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
- Mandates that controllers provide consumers with a privacy notice with the following information: 1) the categories of personal data processed; 2) the purposes for which the categories of personal data are processed; 3) how consumers may exercise a right; 4) the categories of personal data that the controller shares with third parties; 5) the categories of third parties with whom the controller shares personal data; and 6) an active electronic mail address or other online mechanism that the consumer may use to contact the controller.
- Incorporates privacy by design principles, including requiring controllers to (1) limit the collection of data to what is adequate, relevant and reasonably necessary in relation to the purpose for which data is processed (as disclosed to customers), (2) not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which the data is being processed (unless the controller obtains consent), and (3) establish, implement, and maintain data security practices, among other requirements.
- Creates requirements for the processing of “sensitive data,” including requiring that controllers obtain the consumer’s consent.
- Requires that controllers comply with opt-out requests received from a consumer's authorized agent, which can include a global device setting or browser setting that signals the consumer's opt-out preference.
- Does not create a private right of action. Violations are only enforceable by the Connecticut AG’s office.
- Creates a sixty-day cure period, running from the AG's written notice of an alleged violation, for the period from July 1, 2023 through December 31, 2024. Starting January 1, 2025, the bill gives the AG discretion whether to grant an opportunity to cure an alleged violation.
- Violations of the law would be treated as unfair trade practices under Connecticut law.
- Does not create any rulemaking authority for the Connecticut Attorney General; instead creates a working group to make recommendations to the Connecticut legislature on potential amendments to the law.
- Major provisions of the bill go into effect on July 1, 2023.