On May 10, Connecticut became the fifth state to pass a comprehensive consumer privacy law, joining California, Colorado, Utah and Virginia. The Connecticut Data Privacy Act (CTDPA) takes effect July 1, 2023, alongside Colorado's similar law.
The CTDPA applies to persons who conduct business in Connecticut or persons who produce products or services that are targeted to Connecticut residents (i.e., sell products to Connecticut residents via their websites, mobile apps, etc.) and that during the preceding calendar year either (1) controlled or processed the personal data of at least 100,000 consumers or (2) controlled or processed the personal data of at least 25,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data. Unlike in California, an entity's gross annual revenue alone is not a factor that would subject the entity to application of the CTDPA. Notably, the CTDPA explicitly excludes personal data controlled or processed solely for the purpose of completing a payment or transaction, such that businesses that process debit or credit card information for the limited purpose of completing a sale fall outside the scope of the CTDPA's requirements. In addition, the CTDPA defines "consumer" as a Connecticut resident and, like most of the other states, excludes "individual[s] acting in a commercial or employment context."
The CTDPA also exempts several types of entities from having to comply with its requirements, including but not limited to state agencies, nonprofit organizations, higher education institutions, financial institutions subject to Title V of the Gramm-Leach-Bliley Act, and HIPAA-covered entities and business associates. Moreover, the CTDPA includes a provision exempting 16 categories of data from its application, such as protected health information as defined in the Health Insurance Portability and Accountability Act, information collected or used for research purposes, and patient safety work product conducted in accordance with applicable law, among others.
Similar to the other state consumer privacy laws, the CTDPA provides consumers with several rights, including the right to (1) confirm whether an entity acting as a data controller is processing the consumer's personal data (and access such data); (2) correct inaccuracies in the consumer's personal data; (3) delete personal data provided by, or obtained about, the consumer; (4) obtain a copy of the consumer's personal data processed by the data controller, allowing the consumer to transmit the personal data to another entity without difficulty; and (5) opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data (except in certain circumstances), and profiling in furtherance of solely automated decisions that produce similarly significant effects. The CTDPA further requires that by January 1, 2025, consumers be permitted to exercise their opt-out rights through an opt-out preference signal.
Unlike in California, the CTDPA does not include a private right of action. Enforcement of its requirements is limited to the state attorney general. While Connecticut businesses may breathe a sigh of relief upon hearing that consumers cannot sue them for violations of the CTDPA, preparation for implementation of the CTDPA must be taken seriously in order to avoid being subject to enforcement actions and penalties.
As more states pass their own comprehensive privacy laws, we continue to monitor for any indication of action at the federal level. For decades, we have watched as Congress has tried and failed to pass a comprehensive federal privacy law. On June 3, Senator Roger Wicker, R-Miss., ranking member of the Senate Committee on Commerce, Science, and Transportation, and Representatives Frank Pallone Jr., D-N.J., and Cathy McMorris Rodgers, R-Wash., chairman and ranking member of the House Committee on Energy and Commerce, respectively, released the first draft of comprehensive federal privacy legislation to gain bipartisan, bicameral support for the American Data Privacy and Protection Act (ADPPA). For the most part, the released discussion draft of the ADPPA would preempt existing state privacy laws, including the CTDPA. The state law preemption provision of the draft bill would not completely eliminate the alphabet soup of existing state privacy laws, however, as it includes a list of specified state laws to be preserved, including but not limited to data breach notification laws; generally applicable consumer protection laws; facial recognition, electronic surveillance, wiretapping and telephone monitoring laws; the Illinois Biometric Information Privacy Act; and part of the California Privacy Rights Act. Though Congress achieved a significant milestone in the privacy sector by releasing the draft ADPPA, it remains to be seen whether a comprehensive federal privacy act is on the horizon.