Connecticut becomes fifth state to enact comprehensive data privacy legislation
This article is part of a series providing insight and updates on the latest state data privacy legislation.
…And then there were five.
Connecticut is the latest state to adopt data privacy measures aimed at giving consumers more control over their personally identifiable information, following in the footsteps of California, Colorado, Utah, and Virginia.
Effective July 1, 2023, businesses that operate in Connecticut or collect data from Connecticut residents will be required to adhere to certain data privacy principles when collecting personal information, to give consumers specific rights over the collection and use of their information, and to establish mechanisms and procedures for consumers to exercise those rights.
California led the charge on comprehensive data privacy legislation, passing the California Consumer Privacy Act (CCPA) in 2018. The California attorney general began enforcing the CCPA on July 1, 2020, and the law has undergone several changes, with the most recent set of amendments set to go into effect January 1, 2023. Since the CCPA effective date, other states have proposed similar legislation.
Applicability of Connecticut's data privacy law
Like the CCPA and other state laws addressing comprehensive data privacy and security measures, the Connecticut law includes certain thresholds for businesses that are required to comply.
Impacted businesses are those that process data on at least 100,000 consumers or those that process data on at least 25,000 consumers and derive more than 25% of gross revenues from the sale of personal data. There is a specific exclusion for “residents whose personal data is controlled or processed solely for the purpose of completing a payment transaction.”
An impacted business is, in parlance familiar to those impacted by the European General Data Protection Regulation, a “controller” or “processor.”
Connecticut privacy notice requirements
Under the law, controllers are required to provide Connecticut residents with a privacy notice that specifies:
- Categories of personal data processed
- Purposes for processing personal data
- How consumers may exercise their consumer rights
- Categories of personal data that are shared with third parties
- Categories of third parties with which the controller shares personal data
- Email address or online mechanism that the consumer may use to contact the controller.
Controllers will be required to establish, and describe in their privacy notice, one or more secure and reliable means for consumers to submit a request to exercise their consumer rights. Specifically, this will need to include a link on the controller’s website to opt out of targeted advertising or the sale of personal data.
Consumer rights to control personal data in Connecticut
The Connecticut law gives consumers specific rights to control their personal data.
- Rights to access, correct and delete personal data: Like the CCPA, consumers under the Connecticut law have the right to know, to correct, and to delete personal data on file with the controller.
- Right to opt-out: Importantly, consumers also have the right under the law to opt out of the processing of personal data for purposes of targeted advertising; the sale of personal data (with some exceptions); and profiling in furtherance of solely automated decisions that significantly impact the consumer.
- Right to data portability: Finally, the Connecticut law includes the right to data portability. Specifically, Connecticut consumers will have the right to “obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller shall not be required to reveal any trade secret.”
If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.
Like the Virginia and Colorado laws, Connecticut requires a specific opt-in for the processing of sensitive data – which includes racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, genetic or biometric data, data from a child, and precise geolocation data. Data controllers are required to provide an “effective mechanism for a consumer to revoke the consumer’s consent… that is at least as easy as the mechanism by which the consumer provided the consumer’s consent.”
State data privacy laws to prepare for in 2023
Next year will be a busy one for data privacy compliance.
- January 2023: The California Privacy Rights Act (CPRA), which amended the CCPA, is set to go into effect January 1, 2023. We are awaiting updated regulations from the California Privacy Protection Agency. The Virginia Consumer Data Privacy Act (VCDPA) is also effective January 1, 2023.
- July 2023: Next July ushers in requirements not just in Connecticut but also Colorado. The Colorado Privacy Act (CPA) requires the Colorado attorney general to set forth technical standards before the law’s effective date on July 1, 2023.
- December 2023: The Utah Consumer Privacy Act (UCPA) is effective December 31, 2023.
Businesses should consider whether and to what extent these laws apply, and what steps they need to take to ensure compliance by each law’s effective date.