News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | Connecticut set to join the state privacy law ranks Related reading: US State Privacy Legislation Tracker

rss_feed

""

""

There's something to be said about resilience and compromise as it relates to legislating on privacy at the state level. Neither attribute is easy to grasp or maintain, which shows with just a handful of comprehensive state privacy laws that have been passed to this point.

The Connecticut General Assembly proved both qualities can be sustainable through the life of the legislative process, resulting in the passage of what will likely be the U.S.'s fifth state privacy law. Senate Bill 6, the Connecticut Data Privacy Act, earned final passage Thursday with a 144-5 vote by the House of Representatives, which was preceded by a 35-0 Senate approval April 20.

The new Connecticut legislation will become law with a signature from Gov. Ned Lamont, D-Conn., or once 15 days have passed following adjournment of the current legislative session.

The bill, which narrowly failed last year during Connecticut's special legislative session, has links to all existing privacy laws but mostly tracks somewhere between frameworks in Colorado and Virginia. It will become effective July 1, 2023, and covers businesses holding data on more than 100,000 consumers or those deriving 25% of annual revenue from the sale of data belonging to more than 25,000 consumers.

Also included are provisions for recognition of global opt-out signals; required opt-out consent for data sales, targeted advertising and profiling; strong protections for children's and biometric data; and a sunsetting right to cure. The Connecticut attorney general's office, which has a nationally-renowned data privacy unit, will have exclusive enforcement rights. The new Connecticut legislation also creates a standing work group that will address a range of emerging topics or issues that the law could be amended to cover.

"Unfortunately, we can't change any of this. The genie is out of the bottle and it will be nearly impossible to put it back in," state Sen. James Maroney, D-Conn., said on the Senate floor last week while discussing the range of present-day data privacy harms. Maroney was the lead sponsor on the bill the last two years. "What we're doing today is saying Connecticut residents have the right to know what data is being collected about them, how it's being used, and to tell companies not to sell their data."

Fighting a new norm

Getting Connecticut's privacy bill to the finish line is no small feat given the propensity for state proposals this year that mirror Virginia's model or the recently-passed Utah model. Maroney said last year stakeholders urged alignment with Virginia, something the final Connecticut framework only does in a limited fashion.

"There is no question that it is a stronger bill as compared to the laws in Virginia and Utah," Husch Blackwell Partner Dave Stauss, CIPP/E, CIPP/US, CIPT, FIP, PLS, said. "Maroney’s multi-year effort in passing SB 6 should not be overlooked. What we have seen over the past few years is that it is significantly harder to pass a good privacy law than it is to pass a bad one."

Stauss was one of many stakeholders who contributed to the working group Maroney formed last fall to get the bill ready for the 2022 session. DMC Law Managing Member Dena Castricone, CIPP/US, CIPM, PLS, and Archive360 Head of Customer Success Marian Breeze took part in the working group, as well. Consumer Reports, which has made clear that state lawmakers need to find a path beyond Virginia and Utah to better support consumer rights and protections, was also involved.

"We applaud Connecticut lawmakers for advancing meaningful privacy legislation that will help protect the personal information of their constituents," Consumer Reports Director of Technology Policy Justin Brookman said in a statement. "Sen. Maroney has worked tirelessly to craft privacy legislation that puts the interest of consumers first. We look forward to continuing to work with policymakers to uphold and expand these key protections."

What's unique?

Speaking with the The Privacy Advisor last June following the missed opportunity in special session, Maroney said he was coming back this year with "a stronger bill" than the one that fell short. That strength may start with the sunset on the right to cure, which takes place Dec. 31, 2024. Consumer Reports said it was pleased to see the perceived "get-out-of-jail-free card" removed, while Stauss said he thinks the sunset provision will undoubtedly push companies into compliance knowing they won't have the opportunity to rectify mistakes.

"California, Colorado and Connecticut will be able to engage in multi-state enforcement actions against entities that violate comparable provisions of the three laws. This will not be the case with Virginia and Utah where violations can still be cured," Stauss said. "Through joint enforcement, 'The three Cs' of state privacy law will be in a unique position to dictate the future of U.S. privacy law, assuming the continuing absence of a federal law."

Stauss also noted that Connecticut's privacy legislation has "arguably the most consumer-friendly opt-out provisions" among state laws given its lack of an authentication requirement. Archive360's Breeze, speaking on her own behalf, was encouraged by how the pending law ups the ante with its take on consumer rights. 

"It would have been relatively easy to start with the California Consumer Privacy Act and build on it, but instead they took elements of the stronger consumer rights and business obligations from California, Colorado, and maybe even Virginia," Breeze said. "The Connecticut bill contains the consumer rights to access, correct, and opt-out that we're familiar with, and then goes further. I believe the bill's right to delete applies to personal data provided by or obtained about the consumer. That’s a big difference. It will be interesting to see how this is applied."

While not a concept exclusive to Connecticut, DMC Law's Castricone appreciates the balance that was achieved between consumer and business needs while the pending law "avoids creating an entirely separate and distinct set of rules." She did find the carve-out for payment transaction data to be an interesting twist.

"This was added to allay concerns of small convenience stores, restaurants and similar businesses that process many credit or debit card transactions each year but do not use the data for any purpose other than completing a sale," Castricone said. "From my perspective, to the extent that those businesses are not (payment card industry) compliant, it would have been ideal to at least apply the reasonable safeguards section of the act to the processing of such payment data."

A long haul

The multi-year work in Connecticut began with state Sen. Bob Duff, D-Conn., and his initial privacy initiative in 2017 before Maroney took the reins in recent years. Last year's miss on final passage led Maroney to reconsider his approach to finding common ground on the issue of privacy. He began preaching coalition over policy, which led to the creation of the dedicated multi-stakeholder working group that eventually helped hammer out compromises and consensus views.

"I am honored to have been able to work with advocates, analysts from the data privacy industry, and my fellow senators and representatives to help craft a bill that protects our residents online," Maroney said in statement after the Senate passage. "This piece of legislation provides some of the strongest privacy protections for children in the country, while not overly burdening small businesses. In our connected world, almost all of our movements can be tracked. This will give us the right to know what is being tracked about us and the ability to opt out of the sale of our personal data."  

During his remarks leading into the Senate's approval, Senate Majority Leader Duff was complimentary of the bipartisan work and support the Connecticut privacy legislation generated, noting the consensus around addressing the "crisis of privacy" that's sweeping the nation. He added that "people at this point have no expectation of any sort of privacy anymore," a problem created over time by federal inaction.

"We have waited and waited for the federal government to do something, and there's lots of (lawmakers) who would like to, but they haven't carried the ball over the finish line," Duff said. "It's now up to the states to finally take control of this issue. This is one of the biggest issues we have yet to tackle for individuals in decades. The fact it hasn't been done yet is a crime."

Photo by Balazs Busznyak on Unsplash

US State Privacy Legislation Tracker

The IAPP Westin Research Center compiled this updating tracker of proposed and enacted comprehensive privacy bills from across the country to aid our members’ efforts to stay abreast of the changing state-privacy landscape.

View Here


Approved
CDPO, CDPO/BR, CDPO/FR, CIPM, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPT, LGPD
Credits: 1

Submit for CPEs

Author
Headshot Joseph Duball IAPP Staff Contributor
Tags
Marketing/Retail
U.S.
Enforcement
Privacy Law
Privacy Operations Management
Comments

If you want to comment on this post, you need to login.

Related Stories
US State Privacy Legislation Tracker

The IAPP Westin Research Center compiled this updating tracker of proposed and enacted comprehensive privacy bills from across the country to aid our members’ efforts to stay abreast of the changing state-privacy landscape.

View Here

Related Stories
Tags
Marketing/Retail
U.S.
Enforcement
Privacy Law
Privacy Operations Management
Recent Comments