On May 10, 2022, Connecticut became the fifth state to enact a comprehensive privacy law, joining the ranks of California, Colorado, Utah, and Virginia. The Connecticut law, titled “an Act Concerning Personal Data Privacy and Online Monitoring” (the “Act”), is similar to the state privacy laws that precede it, but also has unique characteristics. The operative provisions of the Act will take effect on July 1, 2023, the same day that the Colorado Privacy Act (“ColoPA”) will take effect, six months after the Virginia Consumer Data Protection Act (“VA CDPA”) and the California Privacy Rights Act (“CPRA”) take effect, and six months before the Utah Consumer Privacy Act (“UCPA) will take effect. As the list of privacy laws continues to grow, businesses will need to formulate a plan for compliance that accounts for the nuances of each applicable law.
The Act will apply to persons that conduct business in Connecticut or that produce products or services that are targeted to residents of Connecticut and that during the preceding calendar year either:
- controlled or processed personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- controlled or processed personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.
The Act’s carve out for personal data controlled or processed solely for the purpose of completing a payment transaction is unique and may lessen the burdens on businesses, especially small businesses.
Unlike the California Consumer Privacy Act (“CCPA”), which includes a $25 million annual revenue threshold as one trigger for applicability, there is no monetary threshold under the Act. Rather, it focuses only on the activity of businesses with respect to personal data. The Act’s applicability thresholds most closely align with those under the VA CDPA and the UCPA, although both of those require a business to derive over 50% of its gross revenue from the sale of personal data.
Of note, the Act exempts certain types of entities, such as governmental entities, financial institutions governed by the Gramm-Leach-Bliley Act (“GLBA”), covered entities or business associates subject to HIPAA and HITECH, non-profit organizations, institutions of higher education, and national securities associations registered under federal law. It also exempts certain types of information, such as protected health information under HIPAA, personal data regulated by the Family Educational Rights and Privacy Act (“FERPA”), and data processed or maintained in the course of employment.
Similar to the UCPA, VA CDPA, and ColoPA, the Act defines “consumer” to mean an individual who is a Connecticut resident, but excludes an individual acting in a commercial or employment context. As a result, employee personal information and business contact personal information fall outside the scope of the Act.
The Act also recognizes a special category of personal data known as “sensitive data,” which it defines as (i) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying a natural person; (iii) personal data collected from a known child; or (iv) precise geolocation data. The Act’s definition of sensitive data mirrors the VA CDPA’s definition for sensitive data, but is broader than the UCPA’s and ColoPA’s definitions of sensitive data. Businesses should take note of the slight differences in order to make their compliance efforts comprehensive or tailor them as necessary.
The Act also includes a broad definition of “sale,” meaning the exchange of personal data for monetary or other valuable consideration by the controller to a third party. This definition is similar to the CCPA’s, CPRA’s, and ColoPA’s definitions of sale, while the UCPA and the VA CDPA more narrowly define sale by limiting it to an exchange only for monetary consideration. Additionally, the Act provides broad exceptions to the definition of “sale” that essentially mirror the exceptions in ColoPA, such as disclosure of personal data to a processor who processes the personal data on behalf of a controller, to a third party for the purpose of providing a product or service requested by a consumer, and to an affiliate of the controller.
Privacy Notice: The Act requires that controllers (i.e., whoever determines the purposes and means for processing of personal data) provide consumers with a reasonably accessible and clear privacy notice that includes, among other things, the categories of personal data processed; the purposes for processing that data; how consumers can exercise their rights, including the right to appeal a controller’s decision; the categories of personal data shared with third parties; and the categories of third parties with whom the controller shares that data. Additionally, if the controller sells personal data or processes personal data for targeted advertising, it must clearly and conspicuously disclose such processing and how a consumer can opt out of such sale or processing for targeted advertising.
Data Impact Assessments and Consent: Like the VA CDPA and ColoPA, selling personal data, processing personal data for targeted advertising, or processing of sensitive data pursuant to the Act require conducting and documenting a data protection assessment that weighs the benefits of processing for the controller against the potential risks for the consumer. Further, the Act prohibits processing of sensitive data without a consumer’s consent. Consent is an affirmative act signifying specific, informed, and unambiguous agreement; it is not sufficient to rely on acceptance of general or broad terms or the mere hovering over of content.
Data Processing Agreements: Like other privacy laws, the Act requires processing by a processor (i.e., someone who processes personal data on behalf of the controller) to be governed by a contract between the controller and processor setting forth, among other things, the processing instructions for the processor, the nature and purpose of the processing, the type of data subject to processing, the duration of processing, confidentiality obligations, an audit right, deletion and return of personal data, and subcontracting requirements. Ensuring adequate data processing agreements are in place with processors is often a major piece of compliance for businesses.
Consumer Rights and Requests
The Act grants consumers the right to make requests to (1) access their personal data; (2) correct inaccuracies in their personal data; (3) delete their personal data; (4) obtain a copy of their personal data in a portable format; and (5) opt out of processing for purposes of targeted advertising, the sale of personal data, or profiling. Businesses must provide one or more secure and reliable request methods and describe them in it its privacy notice. By January 1, 2025, the Act will require businesses to acknowledge opt-out preference signals for targeted advertising and sales.
A controller has 45 days to respond to a consumer request, which may be extended once by an additional 45 days when reasonably necessary. To the extent reasonably practicable, processors must assist a controller in responding to consumer requests. Like under the VA CDPA and ColoPA, a controller must also provide consumers with an appeals process if it denies a consumer’s request. A controller has 60 days to respond to an appeal.
Importantly, the Act does not create a private right of action for individuals. Rather, the Connecticut Attorney General has exclusive enforcement ability.
From July 1, 2023 until January 1, 2025, the Connecticut Attorney General must provide a 60-day cure period after providing a notice of violation. The controller or processor then has 60 days to cure the alleged violation before the Attorney General can file suit. Then, beginning on January 1, 2025, the Connecticut Attorney General has discretion to offer a cure period. When determining whether to provide a controller or processor the opportunity to cure an alleged violation, the Attorney General may consider the number of violations, the controller/processor’s size and complexity, the nature and extent of the processing activities, the substantial likelihood of public injury, and the safety of persons or property.
Unlike other state privacy laws, the Act does not create rulemaking authority for Connecticut’s Attorney General or set forth expectations for regulations. However, the Act creates a task force, which will study certain topics, such as algorithmic decision-making and children’s privacy, and make recommendations to amend the Act.
The Act’s passage highlights the benefits of a universal approach to privacy compliance, especially for large businesses. The efforts to bifurcate privacy compliance on a state-by-state basis are starting to outweigh the benefits of taking such a narrow approach.
Further, there are no signs of the privacy movement losing momentum unless there is a federal law enacted to supersede state laws. While an increasing number of state laws may create pressure for enacting federal legislation, given the time it takes to do so, it would be safe for businesses to assume that the current state privacy laws are here to stay for at least the next few years. As such, businesses should not delay their compliance efforts.