After failed attempts in years past, on April 28, 2022, Connecticut became the fifth state to pass a consumer data privacy bill. It is headed to the Governor’s desk for signature, and he is expected to sign. Entitled “An Act Concerning Personal Data Privacy and Online Monitoring,” it enjoyed bipartisan support passing unanimously in the Senate and by a vote of 144-5 in the House.
Why? Because this bill’s primary sponsor, Senator James Maroney, took the time and put in the effort to ensure that all stakeholders were involved in the drafting and refining process. In my opinion, this is neither a consumer-friendly bill, nor a business-friendly bill. It is a consumer protection bill that balances the rights and obligations of consumers and businesses.
Is it perfect? No, but it’s a good place to start. Also, it illustrates the evolutionary process of state consumer privacy laws and represents the kind of consumer protection legislation I think we should expect to see on a federal level.
The Act does not yet have an acronym and I think that “CTPDPOMA” is simply too much. So, I will call it the CTDPA. Here’s a very high-level overview of the CTDPA, which is 27 pages long.
Effective Date and Scope
The CTDPA takes effect on July 1, 2023. There is one provision that requires the acceptance of global opt-out signals no later than January 1, 2025. By way of comparison, the consumer privacy laws in Colorado, Virginia and Utah also take effect in 2023, as does the California Privacy Rights Act, which replaces the California Consumer Privacy Act.
Who must comply? The CTDPA applies to individuals or legal entities doing business in Connecticut or producing products or services targeted to Connecticut residents if they meet either of the thresholds below. In the previous calendar year, they controlled or processed the personal data of at least:
- 100,000 CT residents, excluding data used solely for completing a payment transaction OR
- 25,000 CT residents and derived more than 25% of gross revenue from the sale of personal data.
“Personal data,” under the CTDPA means “any information that is linked or reasonably linkable to an identified or identifiable individual.” It does not include de-identified data or publicly available information.
Exemptions
The CTDPA has extensive exemptions at both an entity level and a data level. The following entities do not need to comply with the CTDPA: the State or its agencies, non-profits, institutions of higher education, national securities associations registered under 15 U.S.C. 78o-3 of the Securities Exchange Act, financial institutions subject to the Gramm-Leach Bliley Act, or covered entities or business associates under the Health Insurance Portability and Accountability Act (HIPAA). There are also 16 data-level exemptions including categories of data such as financial, health and educational information protected under other laws, research information, and employment information as well as others.
[Update June 2023 – The legislature added three additional entity level exemptions: (1) an individual or entity that enters a contract with the State or its agencies to process consumer health data on behalf of the State or its agencies; (2) tribal nation government organizations; and (3) air carriers as defined under federal law.]Consumer Rights
The CTDPA provides five consumer rights that are largely in line with most consumer privacy laws. Those rights are:
- Right to Know and Access. This allows a consumer to confirm whether or not a business is processing the consumer’s personal data and to access that data;
- Right to Correct. A consumer has the right to correct inaccuracies in the consumer’s personal data;
- Right to Delete. A consumer has a right to have personal data deleted;
- Right to Portability. This allows a consumer to obtain a copy of their personal data processed by the business and transmit it elsewhere; and
- Right to Opt-Out. A consumer has the right to opt-out of the processing of the personal data for purposes of (A) targeted advertising, (B) selling the data, or (C) profiling that can adversely affect the consumer.
Business Obligations
Businesses subject to the CTDPA must take the following steps to ensure protection of consumers’ personal data:
- Provide consumers with “a reasonably accessible, clear and meaningful privacy notice” outlining the data that is collected, used, and shared and how consumers can exercise rights.
- Limit the collection of personal data to what is necessary and use it only for the purposes disclosed in the Privacy Notice unless the consumer consents.
- Implement reasonable data security safeguards to protect the confidentiality, integrity and accessibility of personal data.
- Do not process sensitive data without the required consent.
- Provide an effective mechanism for consumers to exercise rights.
- Do not sell or use for targeted advertising the personal data of minors ages 13 to 15 without consent. This requirement extends the existing rules under the federal law that protects children under the age of 13.
- Do not discriminate against consumers for exercising rights.
- Engage in contracts with entities that will process personal data on behalf of the business.
- Perform a data protection assessment for processing activities that present a heightened risk of harm to the consumer.
Enforcement
The Connecticut Attorney General’s office will enforce the CTDPA. For the first 18 months, if a violation of the CTDPA can be cured, the AG’s office must provide the business 60 days to remedy the violation. As of January 1, 2025, the AG’s office may grant an opportunity to cure in its discretion. Unlike other states, there is no minimum or maximum penalty, but any violation will constitute a violation of the Connecticut Unfair Trade Practices Act.
Finally, there is no private right of action under the CTDPA.
Stay tuned. There is much more to come on this subject!