With a majority of state legislatures closing their 2021 sessions in recent weeks, it was fair to believe there was little chance for another spark to become a flame on the state privacy law front. The Connecticut General Assembly nearly turned the tables on that assumption, falling a floor vote short of becoming the third state to pass comprehensive privacy legislation this year and fourth state to do so overall. Connecticut's timing and approach also revealed a bit more about potential coordination between lawmakers in different states on the privacy bills that cropped up in this year's sessions.

On June 18 during Connecticut's special legislative session, the assembly passed Senate Bill 1202, a bill for implementing the state budget, after the Connecticut House passed an amendment to oust provisions from a comprehensive privacy bill, SB 893, which Connecticut lawmakers were considering during the regular legislative session that ended June 9. The Connecticut Senate previously passed the version of SB 1202 that included the privacy bill on a 23-7 vote before the House stripped its provisions.

The obvious question was how a privacy bill figured into Connecticut's budget planning. New York unsuccessfully attempted a similar move on privacy legislation through the state budget when Gov. Andrew Cuomo, D-N.Y., added a draft bill to his 2021 budget proposal. Some Connecticut lawmakers deemed the budget implementer bill too broad and overly inclusive, but state Sen. James Maroney, D-Conn., SB 893's sponsor, explained the inclusion of the privacy provisions were legitimate.

"When we realized we had to add positions to the attorney general's office in order to implement the provisions from the privacy bill, it really became a budget issue," Maroney told The Privacy Advisor. "The money was added to the budget for those new positions. That decision wasn't mine, but really it was (senate) leadership that decided to stick it into the implementer."

Senate Majority Leader Bob Duff, D-Conn., did in fact advocate and push for the privacy bill, noting its removal was a serious loss for consumers.

"We have a crisis of consumer privacy in this country. Our various electronic devices are listening to us, watching us, and Big Tech is profiting off of every keystroke we make. At this point consumers have no expectation of privacy, and it is literally the Wild West out there," Duff said in a public statement. "When you have multiple lobbyists being paid millions of dollars to defeat bills like this, you know we are facing an uphill battle. When lobbyists win, consumers lose. But we are going to fight this fight, and I know that eventually right will win."

Efforts to remove the privacy provisions did not fall solely on industry, but Maroney indicated there was a coalition of approximately 50 that worked against SB 893 "for the last several sessions." Maroney held meetings with the lobbyist coalition prior to the 2021 legislative session in order to meet them halfway on various topics, with Maroney admitting he made his share of concessions. Those same negotiations will be more simplified and blunt when Maroney brings the bill back in 2022.

"Quite frankly, I'm coming back with a stronger bill," Maroney said. "I did my best to balance stakeholders' concerns, but in the end, industry proved intransigent and would not move off of the Virginia model. I had made some compromises in order to try to bring them along, but if it's not possible to do it then I think our consumers deserve the strongest protections possible."

The bill offered by Maroney during this session was, like many bills up for consideration in other states, a gathering of provisions from laws in California, Virginia, Colorado and the proposed framework for the Washington Privacy Act. The bill's business thresholds for those collecting and storing data on more than 100,000 individuals or those earning revenue from the data of more than 25,000 consumers, as well as language on the right to cure, mirrored those provisions found Colorado's bill. As noted by Maroney, the bill aligned with Virginia on many of its exemptions and the provision for an ongoing working group to address potential tweaks and necessary updates to the law that may arise.

At a high-level view, the commonalities come off as a compliance win for companies looking to streamline their adherence to multiple regulations, but Wiggin and Dana Partner Michelle Wilcox DeBarge, CIPP/E, CIPP/US, wouldn't go that far.

"I do think each of these laws have some differences among them. There might be this notion that complying with other laws and then adding another state on doesn't take much or create compliance burden, but I think it does," DeBarge said. "You may potentially be revisiting notices and processing agreements, and that's a lot for large organizations with a lot of relationships with customers or vendors."

On the concept of picking and choosing provisions from other legislation, Maroney admitted there is more than just bill analysis that leads to provisions being added or left out. Lawmakers from different states are collaborating and having discussions on their bills. Maroney said he's been in contact with state Sen. Robert Rodriguez, D-Co., the sponsor of the Colorado Privacy Act, in recent weeks.

"We've been emailing after his bill passed the Senate," Maroney said. "I reached out because I hadn't seen their bill. When I read it, there were only small differences between Colorado and what we ended up with, which was something that tried to strike a balance between consumer rights and not overburdening companies."

The conversation may have spurred a move away from Maroney's original proposal that aligned almost exclusively with Virginia's law, to which a coalition of privacy advocates did not take kindly. On June 7, the coalition led by Consumer Federation of America and U.S. Public Interest Research Group sent a letter to the assembly urging the adoption of Sen. Duff's proposed amendment to SB 893. They claim the bill would've provided meaningful privacy protections in comparison to the Virginia law that, according to the two organizations, has "the dubious distinction of being the worst privacy law in the nation."

In the letter obtained by The Privacy Advisor, advocates were also critical of how SB 893's original text created "so many loopholes" that made it so data rights provided to consumers "would not apply to many types of businesses and personal data," while also opening up the potential for discriminatory practices. Sen. Duff's amendment ultimately wasn't taken up, but Maroney indicated the privacy provisions found in the implementer bill included feedback from advocates.

Even with those changes, DeBarge still found some gray areas, particularly around the consumer opt-outs.

"It appeared that you had to get affirmative consent before you process sensitive information. But on the other hand, the bill also provides you need to give people a link to opt out of the processing of their information for direct advertising or sale of their data," DeBarge said. "Exercising rights on the processing of that information sounds like more of an opt-out scenario than any kind of affirmative consent. It just proves to be a bit of a conflict that they may have worked out over time, but it's still unclear."

Maroney and Duff made clear their intentions to revive SB 893 in 2022, and with those intentions come areas of improvement that have already been identified. Maroney said they'll look at making the global opt-out mandatory instead of permissive and potentially eliminate the exemption on data used for internal research.  

"My failure this time was that I was focused on the policy piece rather than building a coalition of support," Maroney said. "I think we'll work more toward that coalition with other legislators and also make some presentations to the public over the next year demonstrating how these provisions ultimately help them."

Photo by Nick Wright on Unsplash