Connecticut is the fifth U.S. state, and the second this year after Utah passed the Utah Consumer Privacy Act (“UCPA”), to enact a comprehensive data privacy legislation. S.B. 6, known as the Connecticut Data Privacy Act (“CTDPA” or the “Act”), near unanimously passed the Connecticut House of Representatives on April 28, 2022, after passing the Connecticut Senate the week before, and was signed in to law on May 10, 2022. The CTDPA does not create a private right of action for consumers and does not apply to personal information collected in the employment context, making it clearer that the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”) is an outlier for doing so.
This article contains a chart comparing specific provisions of the CTDPA to the UCPA the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), and the CCPA (as amended by the CPRA), as well as a breakdown of key provisions.
Scope and Applicability
The CTDPA applies to entities that conduct business in Connecticut or produce a product or service targeted to Connecticut residents and, during the preceding calendar year, either (i) control or process the personal data of at least 100,000 residents, or (ii) derive over 25% of their gross revenue from the “sale” of personal data and control or process personal data of at least 25,000 residents.
The CTDPA applies to personal data of “an individual who is a resident of the state.” Similar to Virginia, Colorado, and Utah, the CTDPA’s scope does not cover information of individuals processed in an employment or commercial context.
Further, there are expected exemptions from the Act’s applicability, including exemptions for governmental entities, higher education institutions, nonprofits, HIPAA-covered entities and business associates, and financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act.
Controllers and Processors
The CTDPA continues the trend of using the language of the European Union’s General Data Protection Regulation and distinguishing between processors and controllers in its allocation of responsibilities. Processors are responsible for processing data on behalf of controllers, and controllers dictate how processed data should be used. In line with the purpose limitation and purpose specification fair information practice principles, controllers must limit “collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.”
The CTDPA also requires controllers and processors to enter into a contract covering topics such as the type of data subject to processing, the nature and purpose of the processing and the duration of processing. The processor must also “assist the controller in meeting the controller’s obligations” under the Act, including obligations related to the security of processing personal data and notification of a breach of security. Further, the processor must ensure that all persons handling personal data are subject to a duty of confidentiality with respect to the data.
Controllers must provide consumers with an “accessible, clear and meaningful” privacy notice stating the categories of personal data processed by the controller, the purposes of such processing, and, among other things, how consumers can exercise their rights under the CTDPA.
The CTDPA creates an array of individual rights similar to what we see in the UCPA, CPA, VCDPA, and the CCPA/CPRA (collectively, “State Privacy Laws”). These include the right to access, correct, obtain a copy of, and delete one’s personal data. Consumers can also opt-out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data, and profiling purposes. Similar to other State Privacy Laws, the CTDPA has an opt-in regime for this type of processing of information of children between 13 and 16 years of age.
Like Virginia and Colorado, the CTDPA creates an opt-in regime for “sensitive” personal data. The definition of “sensitive data” in the CTDPA is broadened with respect to “biometric data.” Biometric data means “data generated by automatic measurements of an individual’s biological characteristics that are used to identify a specific individual.” The VCDPA and UCPA exclude physical or digital photographs and video and audio recordings from the definition of biometric data; however, the CTDPA excludes such materials only if they are not generated to identify a specific individual.
Similar to the CCPA regulations, the CTDPA prohibits the use of “dark patterns” to obtain consent and defines dark patterns to include “any practice the Federal Trade Commission refers to as a ‘dark pattern’.”
Requests and Right to Appeal
Under the CTDPA, a consumer can submit a request to a controller specifying the right they intend to exercise. The controller has 45 days to respond and can, with notice, extend the period for another 45 days. The controller must either (i) comply with the consumer’s request or (ii) decline to take action on the request, provide a justification for declining to take action, and include instruction for how the consumer can appeal that decision.
The CTDPA provides a statutory right to appeal denials of requests similar to provisions found in VCDPA and CPA. The controller is required to establish a process for a consumer to appeal its refusal to take action on a request. The appeal process must be conspicuously available and similar to the process for submitting consumer requests. If the controller denies the appeal, the controller must provide the consumer with a method to contact the Attorney General to submit a complaint.
Express Obligations for De-identified Data
The CTDPA incorporates obligations that relate to the processing of “de-identified data” into the definition of that term. For data to qualify as “de-identified” and, thus, not subject to certain provisions of the CTDPA, the controller must (i) take reasonable measures to “ensure that the data cannot be associated with an individual,” (ii) “publicly commit” to maintain and use the data only in de-identified form and not attempt to re-identify the data, and (iii) contractually obligates any recipients of the data to comply with the Act. Like in the UCPA, it is unclear what constitutes a “public commitment” and how a controller can “ensure” that no other person can associate the data with an individual.
Sales of Personal Data
The CTDPA defines the “sale of personal data” as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” The CTDPA provides a broader definition of sale, similar to the definitions used under the CCPA and CPA, by including “valuable consideration” in addition to monetary consideration. The definition of sale of personal data provides for numerous exceptions, including disclosure of personal data at the direction of the consumer, intracompany disclosures and disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction.
No Private Right of Action
Under the CTDPA, there is no private right of action, nor is there a separate enforcement agency. Rather, the CTDPA is enforceable under the Connecticut Unfair Trade Practices Act (“CUTPA”) and is enforced solely by the Attorney General. The commissioner of consumer protection has the power to order an investigation and examination to be made. If the court finds that a person is in willful violation of the Act, the Attorney General, upon petition to the court, may recover, on behalf of the state, a civil penalty of not more than $5,000 for each violation. Any person who violates the terms of a temporary restraining order or an injunction, issued by the commissioner in accordance with the CUTPA, is required to pay to the state a civil penalty of not more than $25,000 per violation.
What This Means for You
The CTDPA will take effect on July 1, 2023. Organizations should determine applicability as soon as feasible. However, organizations that are already taking steps to comply with other State Privacy Laws can fold obligations under the CTDPA into their existing implementation plans. The passage of the CTDPA is a continuance of a trend that states are adopting the “Virginia” framework for data privacy legislation (i.e., no private right of action and an express exclusion of personal data collected in the employment and commercial context) as opposed to the “California” framework. The CTDPA may also be an indication that other states do not plan to go as far as Utah when it comes to exclusions that favor the controller.