There's something to be said about resilience and compromise as it relates to legislating on privacy at the state level. Neither attribute is easy to grasp or maintain, which shows with just a handful of comprehensive state privacy laws that have been passed to this point.
The Connecticut General Assembly proved both qualities can be sustainable through the life of the legislative process, resulting in the passage of what will likely be the U.S.'s fifth state privacy law. Senate Bill 6, the Connecticut Data Privacy Act, earned final passage Thursday with a 144-5 vote by the House of Representatives, which was preceded by a 35-0 Senate approval April 20.
The new Connecticut legislation will become law with a signature from Gov. Ned Lamont, D-Conn., or once 15 days have passed following adjournment of the current legislative session.
The bill, which narrowly failed last year during Connecticut's special legislative session, has links to all existing privacy laws but mostly tracks somewhere between frameworks in Colorado and Virginia. It will become effective July 1, 2023, and covers businesses holding data on more than 100,000 consumers or those deriving 25% of annual revenue from the sale of data belonging to more than 25,000 consumers.
Also included are provisions for recognition of global opt-out signals; required opt-out consent for data sales, targeted advertising and profiling; strong protections for children's and biometric data; and a sunsetting right to cure. The Connecticut attorney general's office, which has a nationally-renowned data privacy unit, will have exclusive enforcement rights. The new Connecticut legislation also creates a standing work group that will address a range of emerging topics or issues that the law could be amended to cover.
"Unfortunately, we can't change any of this. The genie is out of the bottle and it will be nearly impossible to put it back in," state Sen. James Maroney, D-Conn., said on the Senate floor last week while discussing the range of present-day data privacy harms. Maroney was the lead sponsor on the bill the last two years. "What we're doing today is saying Connecticut residents have the right to know what data is being collected about them, how it's being used, and to tell companies not to sell their data."
Fighting a new norm
Getting Connecticut's privacy bill to the finish line is no small feat given the propensity for state proposals this year that mirror Virginia's model or the recently-passed Utah model. Maroney said last year stakeholders urged alignment with Virginia, something the final Connecticut framework only does in a limited fashion.
"There is no question that it is a stronger bill as compared to the laws in Virginia and Utah," Husch Blackwell Partner Dave Stauss, CIPP/E, CIPP/US, CIPT, FIP, PLS, said. "Maroney’s multi-year effort in passing SB 6 should not be overlooked. What we have seen over the past few years is that it is significantly harder to pass a good privacy law than it is to pass a bad one."
Stauss was one of many stakeholders who contributed to the working group Maroney formed last fall to get the bill ready for the 2022 session. DMC Law Managing Member Dena Castricone, CIPP/US, CIPM, PLS, and Archive360 Head of Customer Success Marian Breeze took part in the working group, as well. Consumer Reports, which has made clear that state lawmakers need to find a path beyond Virginia and Utah to better support consumer rights and protections, was also involved.
"We applaud Connecticut lawmakers for advancing meaningful privacy legislation that will help protect the personal information of their constituents," Consumer Reports Director of Technology Policy Justin Brookman said in a statement. "Sen. Maroney has worked tirelessly to craft privacy legislation that puts the interest of consumers first. We look forward to continuing to work with policymakers to uphold and expand these key protections."
Speaking with the The Privacy Advisor last June following the missed opportunity in special session, Maroney said he was coming back this year with "a stronger bill" than the one that fell short. That strength may start with the sunset on the right to cure, which takes place Dec. 31, 2024. Consumer Reports said it was pleased to see the perceived "get-out-of-jail-free card" removed, while Stauss said he thinks the sunset provision will undoubtedly push companies into compliance knowing they won't have the opportunity to rectify mistakes.
"California, Colorado and Connecticut will be able to engage in multi-state enforcement actions against entities that violate comparable provisions of the three laws. This will not be the case with Virginia and Utah where violations can still be cured," Stauss said. "Through joint enforcement, 'The three Cs' of state privacy law will be in a unique position to dictate the future of U.S. privacy law, assuming the continuing absence of a federal law."
Stauss also noted that Connecticut's privacy legislation has "arguably the most consumer-friendly opt-out provisions" among state laws given its lack of an authentication requirement. Archive360's Breeze, speaking on her own behalf, was encouraged by how the pending law ups the ante with its take on consumer rights.
"It would have been relatively easy to start with the California Consumer Privacy Act and build on it, but instead they took elements of the stronger consumer rights and business obligations from California, Colorado, and maybe even Virginia," Breeze said. "The Connecticut bill contains the consumer rights to access, correct, and opt-out that we're familiar with, and then goes further. I believe the bill's right to delete applies to personal data provided by or obtained about the consumer. That’s a big difference. It will be interesting to see how this is applied."
While not a concept exclusive to Connecticut, DMC Law's Castricone appreciates the balance that was achieved between consumer and business needs while the pending law "avoids creating an entirely separate and distinct set of rules." She did find the carve-out for payment transaction data to be an interesting twist.
"This was added to allay concerns of small convenience stores, restaurants and similar businesses that process many credit or debit card transactions each year but do not use the data for any purpose other than completing a sale," Castricone said. "From my perspective, to the extent that those businesses are not (payment card industry) compliant, it would have been ideal to at least apply the reasonable safeguards section of the act to the processing of such payment data."
A long haul
The multi-year work in Connecticut began with state Sen. Bob Duff, D-Conn., and his initial privacy initiative in 2017 before Maroney took the reins in recent years. Last year's miss on final passage led Maroney to reconsider his approach to finding common ground on the issue of privacy. He began preaching coalition over policy, which led to the creation of the dedicated multi-stakeholder working group that eventually helped hammer out compromises and consensus views.
"I am honored to have been able to work with advocates, analysts from the data privacy industry, and my fellow senators and representatives to help craft a bill that protects our residents online," Maroney said in statement after the Senate passage. "This piece of legislation provides some of the strongest privacy protections for children in the country, while not overly burdening small businesses. In our connected world, almost all of our movements can be tracked. This will give us the right to know what is being tracked about us and the ability to opt out of the sale of our personal data."
During his remarks leading into the Senate's approval, Senate Majority Leader Duff was complimentary of the bipartisan work and support the Connecticut privacy legislation generated, noting the consensus around addressing the "crisis of privacy" that's sweeping the nation. He added that "people at this point have no expectation of any sort of privacy anymore," a problem created over time by federal inaction.
"We have waited and waited for the federal government to do something, and there's lots of (lawmakers) who would like to, but they haven't carried the ball over the finish line," Duff said. "It's now up to the states to finally take control of this issue. This is one of the biggest issues we have yet to tackle for individuals in decades. The fact it hasn't been done yet is a crime."
Photo by Balazs Busznyak on Unsplash
The IAPP Westin Research Center compiled this updating tracker of proposed and enacted comprehensive privacy bills from across the country to aid our members’ efforts to stay abreast of the changing state-privacy landscape.
If you want to comment on this post, you need to login.