And Then There Were Five: Connecticut Passes Comprehensive Privacy Law | Wiley Kidney LLP

Privacy in brief®

On May 10, 2022, Connecticut became the fifth state in the nation to pass its own omnibus privacy legislation, joining California, Virginia, Colorado and Utah. While Senate Bill 6, the Personal Data Protection and Online Surveillance Act (CTDPA), shares some similarities with other state privacy laws, there are nuances in the CTDPA that add to the growing patchwork of state laws that domestic businesses will have to contend with.

Companies must act quickly to update their compliance programs. The CTDPA is expected to enter into force on July 1, 2023, at the same time as the Colorado Privacy Law goes into effect, and ahead of Utah’s Consumer Privacy Act, which comes into effect on December 31, 2023. The Connecticut and Colorado laws go into effect six months after the Virginia Consumer Data Protection Act (VCDPA) and California Privacy Rights Act (CPRA), both of which have effective dates of January 1, 2023.

Below, we provide a high-level summary of the new law, including the entities to which the CTDPA will apply and five key aspects businesses should be aware of when planning their compliance strategies.

Does the CTDPA apply to your organization?

The CTDPA generally applies to entities that do business in Connecticut, or produce products or services for Connecticut residents, and that: (1) control or process the personal data of at least 100,000 Connecticut resident consumers during the preceding calendar year; or (2) control or process the personal data of at least 25,000 Connecticut resident consumers and derive more than 25% of their gross revenue from the sale of personal data.

The CTDPA exempts certain entities, including certain nonprofit organizations. It also has exemptions related to federal privacy frameworks, including the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), and the Family Educational Rights and Privacy Act (FERPA).

5 key aspects of the CTDPA

1. Consumer Rights. The CTDPA establishes five rights for Connecticut consumers, listed below. Like the laws of Virginia, Colorado and Utah, these rights do not extend to persons acting in a commercial or employment context.

  • Right to opt out: Consumers have the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of personal data or profiling for the purpose of solely automated decisions producing legal or similar effects.
  • Right to know/access: Consumers have the right to confirm whether or not a controller is processing the consumer’s personal data and to access that personal data.
  • Right of rectification: Consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes for which it is processed.
  • Right to deletion: Consumers have the right to delete personal data provided by or obtained about the consumer.
  • Right to data portability: When exercising their right of access, consumers have the right to obtain their personal data in a portable and readily usable format that allows the consumer to easily transmit the data to another entity.

2. Obligations of Data Controllers. Under the CTDPA, personal data controllers are subject to a number of duties, including obligations to:

  • Provide consumers with privacy notices;
  • Provide an opt-out link and mechanism;
  • Maintain reasonable security practices regarding personal data;
  • Notify consumers and seek their consent before processing sensitive data;
  • Provide consumers with an appeal process when a consumer request is denied;
  • Refrain from discriminating against consumers who exercise their rights; and
  • Perform privacy risk assessments for certain activities.

In addition, a controller must enter into a contract with a processor that sets out certain criteria for the personal data that will be processed, and how that data will be processed and stored, among other things.

3. Opt-Out Preference Signal. Similar to Colorado law, the new CTDPA will require a controller to offer an opt-out preference signal allowing a consumer to opt out of any processing of their personal data for the purpose of targeted advertising or any sale of such personal data. However, this provision of the law has a deferred implementation deadline of January 1, 2025.

4. End of the Right to Cure. Before bringing an action for a violation, the Attorney General must issue a notice of violation to the controller if the Attorney General determines that a cure is possible. If the controller does not cure the violation within 60 days, the AG may take action. The right to cure sunsets on December 31, 2024.

5. Study Working Group. The CTDPA also creates a task force to study, among other potential topics, algorithmic decision-making, children's data, and possible legislation that would expand the privacy rights of state consumers. The working group is due to meet no later than September 1, 2022 and is expected to submit a report on its findings and recommendations no later than January 1, 2023.
