Connecticut has passed a broad consumer data privacy law, joining the likes of California, Virginia, Colorado, and Utah. The bill now awaits Governor Lamont’s signature. Four years in the making, Public Act No. 22-15, “An Act Concerning Personal Data Privacy and Online Monitoring,” establishes consumer privacy rights that will impact businesses that handle Connecticut residents’ personal data. We recommend organizations get familiar with the law now and prepare compliance strategies well before the July 1, 2023 effective date.
What are the immediate concerns for business?
Companies that have already developed compliance programs for data privacy laws in Europe (GDPR) and California (CCPA/CPRA), as well as Virginia (VCDPA), Colorado (CPA), and Utah (UCPA), will find that they are well-positioned to tweak their programs for Connecticut’s law. (Connecticut’s version seems to fall between those of VA and CO.) However, those coming within the reach of a consumer privacy law for the very first time will encounter a steep learning curve. Three of the challenges that will be most foreign to Connecticut companies will be the execution of proper opt-out and opt-in mechanisms, the consideration of whether and how to conduct risk assessments (called “data protection assessments”), and the establishment of procedures for fielding consumer requests exercising their new privacy rights.
What consumer rights are established?
Connecticut residents will have the following rights with respect to their personal data (i.e., any information that is linked or linkable to them), subject to certain limited exceptions:
- Copy (i.e., portability)
- Opt-out of targeted advertising, sales or exchange of their personal data, and profiling or automated decision making that might impact important rights or interests (e.g., lending, housing, insurance, education, etc.)
What are the key obligations for businesses?
Covered businesses (“controllers”) will have to:
- Provide equitable mechanisms for facilitating consumer opt-out rights, consumer consent/opt-in for processing sensitive data, parental consent/opt-in for personal data of minors (under 16), and easy revocation of consents
- Provide public-facing notices of data processing, sales, targeted ad, and sharing practices
- Respond to consumer rights requests in a timely manner (within 45 days)
- Prevent discrimination against consumers who exercise their privacy rights
- Document risk assessments for certain types of higher-risk data processing
- Limit use of personal data to the purpose(s) for which it was originally collected
- Implement information security policies to protect personal data
Vendors and service providers (“processors”) who handle personal data on behalf of a covered business may do so only subject to certain contractual provisions that ensure compliance with the law and data breach notification requirements.
What entities are covered?
Entities who must comply with the law include for-profit businesses who either conduct business in Connecticut or produce products and services targeted to Connecticut residents and who during the preceding calendar year either controlled or processed the personal data of 100,000 or more Connecticut residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction) or controlled or processed the personal data of not less than 25,000 Connecticut residents and derived more than 25% of their gross revenue from the sale of personal data.
Are there any exemptions?
The law does not apply to non-profits, government agencies, higher ed, financial institutions regulated under the Gramm-Leach-Bliley Act, and covered entities and business associates regulated under the Health Insurance Portability and Accountability Act (HIPAA). The law focuses on the business-to-consumer (B2C) relationship. It expressly excludes from the definition of “consumer” employees, contractors, and other business representatives.
How will the law be enforced?
The Connecticut Attorney General’s Office has sole and exclusive enforcement authority. The law expressly does not provide for a private cause of action. The Attorney General may prosecute violations of the consumer data privacy law as violations of the Connecticut Unfair Trade Practices Act (CUTPA). For the first 18 months of the law’s effectiveness (July 1, 2023 to December 31, 2024), companies will enjoy a 60-day cure period before the Attorney General can prosecute (but only where the Attorney General determines that the violation is in fact curable). Starting January 1, 2025, the cure period disappears and the Attorney General may prosecute at their discretion.
What should you be doing now?
We recommend that organizations prioritize these early steps (certainly prior to July 1, 2023):
- Are you covered? Determine whether your business profile hits the coverage thresholds.
- Inventory or map your personal data, including the systems and devices that collect, process, and store it and the reasons or purposes for which you collect it.
- Data protection assessment. Does any of your processing require you to perform and document a risk assessment?
- Review public-facing privacy notices for compliance with the law.
- Review employee-facing policies for compliance with the law.
- Review third-party contracts. Do your service provider contracts need to be updated with data processing addenda to address compliance with the law?
- Plan consumer rights mechanisms, for capturing opt-outs, opt-ins, consents, and revocations, and for responding to consumer data requests.
- Review insurance coverage. Do you have cybersecurity insurance that covers first-party expenses for defense of the regulatory investigations and actions that the Attorney General may bring?
If you would like additional information about this new consumer data privacy law, or if we may help you assess and manage your unique privacy and cybersecurity risks, please contact:
Sherwin M. Yoder
This information is for educational purposes only to provide general information and a general understanding of the law. It does not constitute legal advice and does not establish any attorney-client relationship.