On May 10, 2022, Connecticut became the fifth U.S. state with comprehensive consumer privacy legislation after Gov. Ned Lamont, D-Conn., signed Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring, into law. Most provisions of the law will go into effect alongside the Colorado Privacy Act July 1, 2023, giving organizations just under 14 months to come into compliance.
The law includes many of the same rights, obligations and exceptions as the consumer privacy laws already on the books in California, Colorado, Utah and Virginia. It draws heavily from Colorado's law and the Virginia Consumer Data Protection Act — with many of the law’s provisions either mirroring or falling somewhere between the Colorado and Virginia laws — but contains a few notable distinctions that should be factored into an entity’s compliance efforts.
Scope
The scope of the Connecticut law adopts the same basic framework as Virginia and Colorado, but includes some important nuances. The law applies to entities that:
- Conduct business in Connecticut or produce products or services targeted to Connecticut residents and that during the preceding calendar year, either:
- Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions.
- Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.
The scope of the law is slightly broader than Virginia and slightly narrower than Colorado, with its threshold for revenue derived from data sales falling between the Virginia law (50% of gross revenues) and the Colorado law (any revenue or discount). It is also important to note that the law explicitly excludes personal data processed solely for payment transactions. Thus, entities that process debit or credit cards only to the extent necessary to complete a sale will not be subject to the law’s requirements.
Notably absent from the Connecticut law is an annual revenue threshold imposing obligations. In practice, this means that, unlike the California Consumer Privacy Act, an entity will not become subject to the law merely due to its annual revenues; and unlike the Utah Consumer Privacy Act, entities need not exceed a certain annual revenue requirement to fall within the law’s scope.
When determining the scope of the law, it is important to consider a few key definitions. It defines “consumer” as a Connecticut resident and, like Virginia, Colorado and Utah, explicitly excludes individuals “acting in a commercial or employment context.” Thus, the personal data of such individuals can be omitted when entities evaluate the law’s applicability.
Additionally, the law defines the “sale of personal data” as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” Unlike Virginia and Utah — where a sale occurs when personal data is exchanged for monetary consideration only — the law adopts the broader CCPA- and Colorado-like definition that considers an exchange for “other valuable consideration” to also constitute a sale. The definition of “sale of personal data” also explicitly excludes certain disclosures, which follow those found in the Colorado law almost verbatim (e.g., disclosures to a processor or an affiliate of the controller, disclosures that a consumer directs the controller to disclose, etc.).
Like Virginia and Colorado, the Connecticut law’s definition of “personal data” explicitly excludes any deidentified data or publicly available information. “Publicly available information” means “information that (A) is lawfully made available through … government records or widely distributed media, and (B) a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.”
Exemptions
The law also exempts certain types of entities and data from its requirements. The following six types of entities, irrespective of whether the data collected and processed would otherwise be subject to the law, are exempt from the law:
- State and local governments.
- Nonprofits.
- Higher education institutions.
- National securities associations registered under the Securities Exchange Act of 1934.
- Financial institutions and data subject to the Gramm-Leach-Bliley Act.
- Covered entities and business associates as defined by the Health Insurance Portability and Accountability Act.
The law contains 16 categories of exempted data, including specific information regulated by HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act. Specific employee and job applicant data are also exempt.
Consumer rights
Under the law, Connecticut consumers are provided five main rights. Notwithstanding a few deviations, these same rights are in the Virginia and Colorado laws.
Right to access. Consumers have the right to “confirm whether or not a controller is processing the consumer’s personal data and access such personal data.” However, unlike the Virginia law, it provides an exception to this right where “such confirmation or access would require the controller to reveal a trade secret.”
Right to correct. Consumers have the right to “correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.”
Right to delete. Consumers also have the right to “delete personal data provided by, or obtained about, the consumer.”
Right to data portability. When exercising their access rights, consumers have the right to “obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller shall not be required to reveal any trade secret.”
The type of data a consumer has a right to obtain a portable copy of is particularly notable. Under the Virginia law, this right is limited to consumer-provided data. However, the law’s approach here is more similar to Colorado by allowing consumers to obtain a copy of the data a controller has processed about them regardless of how the controller acquired it.
Right to opt out. Like Virginia and Colorado, consumers have the right to “opt out of the processing of the personal data for the purposes of:
- targeted advertising,
- the sale of personal data …, or
- profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.”
After the law takes effect, controllers are required to provide “clear and conspicuous” links on their websites that give consumers the choice to opt out of the above types of processing. Beginning Jan. 1, 2025, however, controllers must recognize universal “opt-out preference signal[s]” indicating a consumer’s intent to opt out of targeted advertising and sales, which will trump any conflicting controller-specific privacy setting. This is similar to Colorado's law mandating recognition of universal opt-out signals beginning July 1, 2024. But unlike Colorado, the law does not require controllers to authenticate opt-out requests, which in theory will make it easier for consumers to opt out. In this sense, the law resembles the California Privacy Rights Act, where, although recognition of universal opt-out signals is optional, opt out requests need not be authenticated since the harms associated with an unauthenticated access request, for example, do not apply to a request that opts a consumer out of targeted advertising, sales, or profiling.
Obligations
Limits on collection. As is the case under the CCPA and laws in Virginia and Colorado, controllers are required to “limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.”
Limits on use. Unless an exception applies, such as obtaining consent, controllers are prohibited from processing personal data for “purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed.”
Data security. Controllers must also “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.”
Consent requirements. Absent consent, the law, like Virginia and Colorado, prohibits controllers from processing sensitive data. “Sensitive data” includes personal data collected from an individual the controller knows is under 13 years old, in which case the data must be processed in accordance with the Children’s Online Privacy Protection Act.
In addition to processing sensitive data, consent is also required to process a consumer’s personal data for targeted advertising or to sell their data if a controller has actual knowledge of, and willfully disregards, that the consumer is between 13 and 16 years old. This provision extends beyond the consent requirements found in Virginia and Colorado's laws and aligns more with the CPRA, which prohibits selling or sharing data of consumers under 16 without consent.
A consumer’s consent must be “freely given, specific, informed and unambiguous,” and the law specifically dictates that it cannot be obtained through the use of dark patterns. Additionally, controllers are required to “provide an effective mechanism” for consumers to revoke consent that is at least as easy as the mechanism used to provide it. Once revoked, the controller must stop processing the data as soon as practicable, but within 15 days after receiving the revocation.
Nondiscrimination. If a consumer decides to exercise any of their rights provided by the law, controllers are prohibited from discriminating against them by “denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer.”
Transparency. Like its predecessors, Connecticut’s law requires controllers to provide consumers with a “reasonably accessible, clear and meaningful privacy notice.” Privacy notices must include:
- The categories of personal data processed by the controller.
- The purpose for processing personal data.
- How consumers may exercise their rights and appeal.
- The categories of personal data the controller shares with third parties, if any.
- The categories of third parties, if any, with which the controller shares personal data.
- An active email address or other online mechanism for consumers to contact the controller.
Additionally, if personal data is sold to third parties or processed for targeted advertising, controllers are required to “clearly and conspicuously disclose such processing” and how consumers may exercise their opt-out rights.
Responding to consumer requests. The obligations for responding to consumer requests closely resemble those under Virginia and Colorado. Controllers are obligated to respond to a consumer’s request “without undue delay,” but within 45 days after receiving the request, which may be extended an additional 45 days when reasonably necessary. Controllers must also establish a “conspicuously available” appeal process for consumers to appeal a controller’s refusal to act on a request within a reasonable time. Like the Virginia law, controllers must inform consumers in writing within 60 days of any action or inaction taken in response to the appeal. If the appeal is denied, the controller must provide the consumer with an online mechanism or other method to contact and submit a complaint to the attorney general.
Data processing contracts. Like most of its predecessors, the law requires there be a contract between a controller and processor to govern the data processing performed by the processor on behalf of the controller. Such contracts must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties,” along with other enumerated terms — all of which are substantially similar to the requirements under Virginia and Colorado.
Data protection assessments. For each processing activity “that presents a heightened risk of harm” to consumers, controllers must conduct and document a data protection assessment. The types of activities that must be assessed include:
- Processing data for the purposes of targeted advertising.
- Selling personal data.
- Processing personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of substantial injury to consumers.
- Processing sensitive data.
Enforcement
Like Virginia, Colorado and Utah, the law lacks a private right of action, and, following Virginia’s approach, enforcement falls solely to the attorney general. Prior to initiating an action, the attorney general must notify the controller of its violation. Like Colorado's law, the law then gives a controller 60 days to cure the violation, which is double the 30-day cure periods granted under the California, Utah and Virginia laws. The law’s right to cure takes after Colorado's law in more than one way in that it will also cease to be required beginning Jan. 1, 2025, after which the attorney general will have discretion in whether to provide an opportunity to cure.
A violation of the law is considered an unfair trade practice under the Connecticut Unfair Trade Practices Act. As such, entities may face civil penalties up to $5,000 per willful violation. The attorney general may also seek to impose equitable remedies pursuant to the CUTPA, including restitution, disgorgement and injunctive relief.
Conclusion
Although we have yet to see how the Connecticut law will play out in practice, the text of the law provides a solid starting point. Entities preparing for Colorado's law will be able to leverage some of their compliance efforts, especially when it comes to consumer rights. The law’s heightened protections for children’s data and other important nuances, however, will certainly require additional consideration.
Photo by Balazs Busznyak on Unsplash