Following a near-unanimous vote in the Connecticut House, Connecticut is set to become the fifth state to pass comprehensive privacy legislation. With the addition of the Connecticut Data Privacy Act (CTDPA), Connecticut joins California, Virginia, Colorado, and Utah in regulating businesses that possess, store, and/or sell consumers’ personal data. The CTDPA comes on the heels of the Utah Consumer Privacy Act (UCPA), recently passed in March 2022. You can read the full text of the CTDPA here.
Like the Colorado Privacy Act (CPA) and Virginia’s Consumer Data Protection Act (VCDPA), the CTDPA will place similar personal data security and disclosure requirements on businesses that meet prescribed thresholds.
The CTDPA will regulate all businesses that conduct business in the state or produce products or services targeted to consumers in the state and that met either of the following two thresholds in the preceding calendar year:
- Processed personal data of at least 100,000 consumers (excluding personal data processed solely for completing a payment transaction), or
- Processed personal data of at least 25,000 consumers and derived at least 25% gross revenue from the sale of personal data.
The CTDPA’s applicability requirements are in line with the CPA and VCDPA, rather than the UCPA, which is a more business-friendly jurisdiction.
What obligations are placed on businesses?
Akin to the other state laws, businesses have several similar obligations to ensure compliance with the CTDPA:
- Sensitive Data: Unlike the UCPA, if a business is going to collect or use “sensitive data,” the consumer must provide consent beforehand. The CTDPA defines “sensitive data” to include racial or ethnic origin, religious beliefs, health condition or diagnosis, sexual orientation, genetic or biometric data for the purposes of identifying an individual, children’s data, and precise geolocation data.
- Protective Measures: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices.
- Children’s Data: Must receive consent before selling the personal data of or conducting targeted advertising relating to consumers between ages 13 and 16 years old, if the business has actual knowledge of the consumer’s age.
- Data Protection Assessments: Conduct and document a data protection assessment for each of the business’s processing activities that present a heightened risk of harm to consumers. A “heightened risk of harm” includes (1) processing for targeted advertising, (2) the sale of personal data, (3) processing for profiling, and (4) processing sensitive data. These assessments may also be requested by the Connecticut attorney general; however, they are not subject to a FOIA request.
- Opt-Out Preference Signal: Similar to the California Privacy Rights Act (CPRA) and the CPA, the CTDPA obligates businesses to institute an opt-out preference signal for consumers. The opt-out signal would apply to all businesses that conduct targeted advertising or sell personal data. This requirement will take effect January 1, 2025, six months after the CPA’s opt-out preference signal requirement goes into effect.
Other Notable CTDPA Provisions
- Consumer Rights: Consumers will have the right to (1) access their personal data held by businesses; (2) delete that personal data; (3) correct any inaccuracies in that personal data; (4) transmit their personal data to another business (but only where the collection was conducted by automated means); and (5) opt out of targeted advertising, the sale of their personal data, and/or profiling.
- Exemptions: Exemptions include (1) nonprofit organizations; (2) financial institutions and information regulated under GLBA; (3) covered entities, business associates, and information regulated under HIPAA; and (4) employee and business-to-business (B2B) information.
- Task Force: Like the VCDPA, the CTDPA does not grant any rulemaking authority. By September 1, 2022, the CTDPA instructs the General Assembly’s joint standing committee to convene a privacy task force to study various privacy issues – in particular algorithmic decision-making and the possibility of expanding certain protections and rights under the CTDPA, as well as issues stemming from data colocation. By January 1, 2023, the task force will submit a report showcasing its findings and recommendations to the committee.
Enforcement power and the opportunity to cure
State residents will not have a private right of action under the CTDPA. Sole enforcement authority will be vested in the Connecticut Attorney General’s Office. The attorney general will also have the power to review and evaluate businesses’ data protection assessments for compliance in relation to an investigation. Violations of the CTDPA will constitute an unfair trade practice under Connecticut law.
The CTDPA contains a right-to-cure provision comparable to those in the California Consumer Privacy Act (CCPA) and the CPA. Between July 1, 2023, and December 31, 2024, businesses will have a 60-day right to cure deficiencies upon written notice from the attorney general. After that time, opportunities to cure an alleged violation are based on the attorney general’s discretion. CCPA’s right to cure period sunsets on January 1, 2023, and Colorado’s sunsets on January 1, 2025.
Upon promulgation, the CTDPA will take effect on July 1, 2023, the same date as the CPA. There are still numerous proposed privacy laws pending throughout the United States. Given the recent enactment of UCPA and now the CTDPA, the 2022 wave of state privacy laws could just be getting started. More than ever, it will be critical for businesses to have a working understanding of which state privacy laws apply to them, how they can comply, and how they can avoid regulatory inquiry. As more states pass privacy laws, it puts further pressure on the federal government to pass a nationwide law.
For more information and other updates and alerts regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point.