On May 10, Gov. Ned Lamont signed into law Substitute Senate Bill 6 (Public Act 22-15), Connecticut’s version of comprehensive consumer data privacy legislation. This makes Connecticut the fifth state to enact such legislation, following California, Virginia, Colorado, and Utah. The Act will go into effect July 1, 2023.
The Act applies to persons that conduct business in Connecticut or persons that produce products or services that are targeted to Connecticut residents and that during the preceding calendar year:
- Controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data.
The Act does not apply to:
- Nonprofit organizations;
- Financial institutions or data subject to the Gramm-Leach-Bliley Act;
- Institutions of higher education;
- Covered entities and business associates as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule;
- Boards, agencies, and political subdivisions of the state;
- National securities associations.
Additionally, the Act exempts the following information and data, among others:
- Protected health information under HIPAA, and certain other health-related data;
- Personal information used pursuant to the Fair Credit Reporting Act;
- Data processed or maintained for certain employment purposes.
The Act provides consumers with the right to:
- Confirm and access personal information being processed;
- Correct inaccuracies;
- Delete personal data provided by the consumer or obtained from other sources;
- Obtain a portable copy of the consumer’s personal data;
- Opt out of the processing of personal data if the purpose of the processing is: a) targeted advertising; b) sale of personal data; or c) profiling.
A contract between a controller and a processor must ensure:
- Each person processing personal data is subject to a duty of confidentiality;
- Deletion or return of all personal data at the end of the processor’s provision of services;
- Availability to the controller of information evidencing the processor’s compliance with the Act;
- Processor’s contracts with subcontractors are in writing and mirror the obligations of the processor with respect to personal data;
- Cooperation from the processor with the controller’s reasonable assessment requirements.
Under the Act, some processing is considered to present a “heightened risk of harm” to consumers:
- Processing for the purpose of targeted advertising;
- Processing for the purpose of sale;
- Processing for the purpose of profiling, in some instances;
- Processing sensitive data, such as personal data related to race, religion or health conditions, genetic or biometric data, personal data collected from a known child, and precise geolocation data.
When that is the case, a controller is required to conduct and document a data protection assessment to “identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.”
The Attorney General may require the disclosure of an assessment if relevant to an investigation, but the assessment is confidential and not subject to public disclosure.
The Attorney General has the exclusive authority to enforce the Act but must first provide a 60-day opportunity to cure if, in the Attorney General’s opinion, cure is possible. The cure provision sunsets Dec. 31, 2024.
In the absence of a cure, a violation is enforced as an unfair trade practice pursuant to Conn. Gen. Stat. § 42-110b, allowing for a temporary restraining order or permanent injunction which, if violated, can result in a civil penalty of not more than $25,000 per violation. Additionally, a violative act or practice that was willful may result in a civil penalty of not more than $5,000 per violation.
The Act follows the trend of finding balance between the interests of consumers and businesses. The Act should not present issues for businesses already tooling up for compliance with the other consumer data privacy acts.