Connecticut Privacy Law Explainer

On April 28, the Connecticut House of Representatives voted 144-5 in support of Senate Bill 6, the Connecticut Data Privacy Act (CDPA), which had already unanimously cleared the Connecticut Senate on April 20.

If this Act is signed into law, then Connecticut will become the latest U.S. state to enact a comprehensive privacy law, including the California Consumer Privacy Act (CCPA), Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), and Utah’s Consumer Privacy Act (UCPA).

Applicability

The CDPA applies only to Connecticut businesses that produce goods or services “targeted to” Connecticut residents that control or process the personal data of:

• At least 100,000 consumers, excluding personal data controlled or processed solely for completing a payment transaction, or;

• Businesses with at least 25,000 consumers that derive more than 25 percent of their gross revenue from selling personal data.

There are certain exclusions to the coverage of the CDPA. The CDPA applies to neither an “individual acting in a commercial or employment context,” nor entities or governmental bodies “whose communications or transactions with the controller occur solely within the context of that person’s role with the entity.”

In addition, the CDPA does not apply to information subject to the Health Insurance Portability and Accountability Act (HIPAA), or other medical or health laws, the Fair Credit Reporting Act (FCRA), and the Family Educational Rights and Privacy Act (FERPA).

Consumer Rights

The CDPA grants consumers the right to:

• Request confirmation from a data controller that their personal data is being collected and request access to said collected data, unless complying with this request would require the controller to “reveal a trade secret”;

• Correct any inaccuracies in personal data collected about the consumer;

• Delete personal data that’s been incorrectly collected or retained;

• Obtain a copy of their collected personal data “in a portable and readily usable format.”

• Opt-out of the processing of their personal data for the purposes of:

  • Targeted advertising;

  • Sale to a third-party in exchange for “monetary or other valuable consideration”—which is similarly defined by the CCPA and CPA, but more broadly defined than the VCDPA or UCPA; or

  • Profiling the consumer solely for the purpose of advancing “automated decisions that produce legal or similarly significant effects concerning the consumer.”

The consumer, or their authorized agent, may exercise these rights in accordance with the procedures described in the covered business’s privacy notice, which must be provided to a consumer at the start of service.

In turn, data controllers are required to respond to consumer requests “without undue delay,” and within 45 days of receipt of a request. If the controller determines it is “reasonably necessary,” then they may extend this response period by another 45 days. If a controller declines to act on the request, then they must provide the consumer with notice of this decision not to act and provide the consumer with instructions on how to appeal the decision.

Additionally, if the information is requested once during a 12-month period, the information provided in response must be free of cost to the consumer.

Business Obligations

Under the CDPA, covered businesses must comply with the following obligations:

• Limit collection of personal data to information that is “adequate, relevant and reasonably necessary” for the processing purpose that was disclosed to the consumer, unless consent is obtained;

• “Establish, implement and maintain reasonable administrative, technical and physical data security practices” that will adequately protect the personal data collected;

• Process personal data in accordance with applicable laws prohibiting unlawful consumer discrimination;

• Establish and provide consumers with an effective mechanism for revoking their consent and, upon revocation of said consent, cease processing their personal data “as soon as practicable, but not later than 15 days after the receipt of such request”;

• Provide consumers with a “reasonably accessible, clear, and meaningful” privacy notice that includes the following:

  • The categories of personal data to be processed;

  • The purpose of processing;

  • The way consumers may exercise their privacy rights, including their right to appeal;

  • The categories of personal data that the controller will share with any third parties, as well as the categories of these third parties; and

  • An active email address or way for consumers to contact controllers.

• Conduct and document data protection assessments for presentation to the Attorney General in instances where processing presents a “heightened risk of harm to a consumer,” including:

  • Personal data being used for targeted advertising;

  • The sale of personal data;

  • Personal data being used for the purpose of profiling that presents a “reasonably foreseeable risk” of:

    • Unfair, deceptive, or unlawful and disparate impact on consumers;

    • Financial, physical, or reputational injury to consumers;

    • An intrusion on the solitude, seclusion, private affairs, or concerns of consumers “where such intrusion would be offensive to a reasonable person”;

    • A substantial injury to a consumer; or

    • The processing of sensitive data.

  • Refuse to use “any user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice” or any “dark patterns”—as defined by the Federal Trade Commission (FTC)—to obtain consumer consent.

  • Refrain from processing sensitive data without first obtaining its owner’s consent.

    • Sensitive data includes information about a mental or physical health condition or diagnosis, sex life, sexual orientation, racial or ethnic origin, religious beliefs, citizenship or immigration status, biometric data, precise geolocation data, and data belonging to a known child” over age 13.

    • Where a controller “willfully disregards” the age of a child, they will be deemed in violation of the Act. If the consumer is a “known child” younger than 13 years old, controllers must process their data in accordance with the Children’s Online Privacy Protection Act (COPPA).

Enforcement

The Act has been submitted to Connecticut Governor, Ned Lamont, who has 15 days to sign the CDPA into law. If signed into law, the CDPA will become effective on July 1, 2023. The CDPA will be exclusively enforced by the Attorney General (AG), as the Act does not provide for a private right of action.

The CDPA requires the AG to extend to covered businesses the right to cure violations of the Act within 60 days of notice. However, similar to the CCPA and the CPA this right to cure will expire on December 31, 2024.

On January 1, 2025, the AG will have the right to choose whether to provide businesses with this right to cure. In making this determination, the CDPA notes that the AG may consider:

• The number of violations;

• The size and complexity of the covered business;

• The nature and extent of the covered business’ activities;

• The “substantial likelihood of injury” to the consumer;

• The safety of affected persons or property; and

• The likelihood that the alleged violation was caused by “human or technical error.”

* * * * * * *

To read our coverage on the Connecticut Data Privacy Act (CDPA) including information on its applicability, enforcement and the obligations it places on businesses, click here.

To read our coverage on the European Data Protection Board’s published draft guidelines intended to provide UX designers and consumers on how to identify deceptive marketing and UX designs (known as “Dark Patterns”) that violate GDPR, click here.

For ADCG’s Breach Report and more News Updates discussing: The Global Cross-Border Privacy Rules Forum’s meeting last week to work on an agreement for worldwide data protection rules; Minnesota Senate Education committee approved new limits on how tech companies can use data belonging to students gathered through school-issued devices; The Bank for International Settlements (BIS) has released a report calling for new governance systems; and Lawmakers zero further in on Meta/Facebook, click here.

To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.