This week, on Tuesday May 10, 2022, Connecticut Gov. Ned Lamont approved Connecticut Senate Bill 6, an Act Concerning Personal Data Privacy and Online Monitoring (the "Connecticut Privacy Act"). Governor Lamont’s approval makes Connecticut the 5th state to pass a comprehensive data privacy law joining California, Utah, Virginia, and Colorado. The Connecticut Privacy Act is set to become effective on July 1, 2023. The passage of the Connecticut Privacy Act continues the trend in the U.S. for states to individually address consumer rights and business obligations relating to consumer data, in the absence of uniform legislation from Congress. Businesses will have to continue to navigate this increasingly complex data privacy framework in developing a compliant data privacy program.
Who does the Connecticut Privacy Act apply to?
Subject to certain exemptions, the Connecticut Privacy Act imposes certain obligations on persons who either:
- conduct business in Connecticut; or
- produce products or services that are targeted to the residents of Connecticut;
and who during the preceding calendar year:
- controlled or processed the personal data of at least 100,000 thousand Connecticut residents (not including personal data controlled or processed for the sole purpose of completing a payment transaction); or
- controlled or processed the personal data of at least 25,000 Connecticut residents and derived over 25% of their gross revenue from the sale of personal data.
In addition to an exemption personal data collected to process payment transactions, the Act also exempts personal data that are subject to various federal sectoral privacy laws and categorical exemptions for certain entities including state agencies, nonprofits, financial institutions subject to the GLBA, and covered entities and business associates subject to HIPAA.
What does the Connecticut Privacy Act apply to?
The Connecticut Privacy Act applies to "personal data", which is defined as "any information that is linked or reasonably linkable to an identified or identifiable individual," not including de-identified data or publicly available information.
Notably, the definition of publicly available information in the Connecticut Privacy Act is broad, extending not only to information lawfully made available by federal, state or municipal government records, but also that which is made available in widely distributed media. In both cases, however, this exemption requires the Controller to have a reasonable basis to believe the consumer has lawfully made this information available to the general public.
Who does the Connecticut Privacy Act apply to?
The Connecticut Privacy Act imposes obligations on both controllers1 and processors2 of personal data. Controllers are required to:&
- limit the collection of personal data to what is adequate, relevant, and reasonably necessary to achieve the purposes for which it was collected and disclosed to the consumer;
- refrain from processing personal data for reasons that are not reasonably necessary to achieve, nor consistent with the purposes disclosed to consumers. Controllers may process personal data for other purposes where they obtain the consumer's consent3;
- establish, implement, and maintain reasonable data security practices consistent with the type and volume of personal data the controller processes;
- obtain consent prior to processing any sensitive data4
- provide consumers with an effective mechanism by which a consumer may revoke their consent and cease processing the applicable personal data within 15 days of such a revocation;
- where a controller has actual knowledge and willfully disregards a consumer is at least 13 years old but younger than 16 years old, obtain the consumer's consent prior to processing such consumer's personal data for the purpose of targeted advertising or selling personal data;
- provide consumers with a reasonably accessible, clear and meaningful privacy notice, which includes certain required disclosures; including a conspicuous disclosure concerning whether the controller sells consumer data or processes personal data for targeted advertising and a mechanism for a consumer to opt-out; and
- provide a clear and conspicuous link on the controller's website that allows consumers to opt out of target advertising or the sale of personal data, and no later than January 1, 2025, allowing a consumer to opt out via technology that sends a preference signal to the controller.
In addition, the relationship between a processor and controller must be governed by a contract, which sets out the instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. Additionally, the contract must also include a number of specifically enumerated provisions, including those that impose confidentiality, deletion, compliance monitoring, and subprocessor management obligations.
Who does the Connecticut Privacy Act protect?
The Connecticut Privacy Act provides consumers ("Connecticut residents") with the right to (1) confirm the processing of their personal data and access such data, (2) correct any inaccuracies in their personal data, (3) delete personal data, (4) obtain a copy of the personal data that are processed, and (5) opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, and profiling5.
With regard to consumers, Controllers must:
- provide a secure and reliable means by which a consumer may exercise their rights, along with a description of such rights in the controller's privacy notice;
- respond to consumer requests within 45-days of the request and without charge to the consumer; and
- establish a process by which consumers may appeal a controller's refusal to respond to a request.
Key aspects of the Connecticut Privacy Act
- The Connecticut Act permits consumers to opt-out of the processing of personal data for targeted advertising, the sale of personal data, and profiling. Like other privacy laws, controllers may utilize a link on their website to provide such option to consumers. However, and notably, beginning January 1, 2025, the Connecticut Act requires controllers to implement a mechanism recognizing opt-out preference signals for targeted advertising and sales.
- The Connecticut Act requires controllers to conduct and document data protection assessments for each of the controllers processing activities that presents a heightened risk of harm to a consumer. Notably, the Connecticut Attorney General may request that a data controller produce any data protection assessment it has conducted in order to evaluate it for compliance.
- Controllers in possession of de-identified data must (1) ensure the data cannot be associated with an individual, (2) publicly commit to not re-identifying the data, and (3) contractually obligate third parties in possession of de-identified data to comply with the Connecticut Privacy Act.
- The Connecticut Privacy Act limits enforcement authority to the Connecticut Attorney General, and does not provide a private right of action.
- The Connecticut Act provides a 60-day cure period for alleged violations. However, the right to cure will sunset on December 31, 2024, with the Connecticut Attorney General retaining the discretion to grant certain controllers and processors a right to cure.
Connecticut Privacy Act Compliance Checklist
Businesses with operations or sales in Connecticut should consider the following framework in assessing compliance obligations under the new Connecticut Privacy Act, which is similar to frameworks set forth in other upcoming U.S. data privacy laws:
- Confirm That Your Business is Subject to the Connecticut Privacy Act. Entities must determine whether they meet the threshold requirements of the Connecticut Privacy Act.
- Revise Privacy Policies.Revise privacy policies to properly reflect personal data processing activities, communicate the new rights available to consumers, and identify the mechanisms implemented for consumers to exercise those rights.
- Implement "Reasonable Security." Assess cybersecurity policies, practices, and controls to ensure they are consistent with industry-recognized standards.
- Conduct Data Protection Assessments. Controllers will need to conduct data protection assessments to evaluate the risk involved in certain high risk processing.
- Create Consumer Opt-Out Link. To the extent a controller sells personal data, uses it for targeted advertising, or for profiling purposes, create a separate web page to enable Connecticut residents to exercise their opt-out rights.
- Preference Signals. No later than January 1, 2025, implement a mechanism or technology that allows consumers to exercise opt-out rights via preference signals.
- Implement Consent Mechanism for Collecting Sensitive Information. Controllers who collect sensitive data from consumers must first obtain consent. Controllers should implement mechanisms that obtain consumer consent before the collection of sensitive data.
- Create Mechanism for Revoking Consumer Consent. Controllers subject to the Connecticut Act must create an effective mechanism for a consumer to revoke the consumer's consent that is at least as easy as the mechanism by which the consumer provided the consumer's consent.
- Implement Training Program. Ensure employees responsible for handling consumer inquiries understand and are trained to handle those requests in a timely, consistent, and compliant manner.
The Connecticut Privacy Act adds further complexity to the U.S. data privacy framework as it contains certain unique requirements, particularly surrounding obtaining consumer consent, that are unlike the data privacy laws passed in other states. Ultimately, businesses will be faced with the challenge of providing diverging privacy rights to consumers who reside in different states, or granting rights to consumers that they are not otherwise entitled to. As more states lend their approach to this emerging state driven data privacy framework, challenges in crafting a compliance program will only increase.
1 "Controller" is defined as "an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data."
2 "Processor" is defined as "an individual who, or legal entity that, processes personal data on behalf of a controller."
4"Sensitive data" is defined as "personal data that includes (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child, or (D) precise geolocation data."
5 "Profiling" is defined as "any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual's economic situation, health, personal preferences, interests, reliability, behavior, location or movements."
Katherine Madriz (Law Clerk, White & Case, Washington, DC) co-authored this publication.
White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.
This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.
© 2022 White & Case LLP