Connecticut Passes Privacy Legislation.

John Lambo - May 23 2022
Published in: Public Policy
Connecticut law focuses on consumer interests

On May 10, 2022, Connecticut Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring, which the Connecticut General Assembly had passed in April.

Connecticut is the fifth state in the nation and the first in New England to pass privacy legislation. Connecticut now joins California, Virginia, Colorado, and Utah as the states to create their own privacy law in lieu of federal action on the issue.

The Connecticut law, also known as the Connecticut Data Privacy Act (“CTDPA”), goes into effect on July 1, 2023, giving companies just over a year to determine whether it applies and, if so, to take steps to comply.

A significant difference between the CTDPA and other states’ legislation is that the CTDPA focuses more on consumer interests than on business interests.

The CTDPA applies to persons that conduct business in Connecticut or produce products or services that are targeted to residents of the state and that control or process the personal data of a particular number of residents, namely either: 100,000 or more Connecticut residents, or 25,000 or more Connecticut residents, where the business derives more than 25% of its gross revenue from the sale of personal data.

Under the CTDPA, consumers will have the right to:

  • Confirm whether or not a controller is processing the consumer’s personal data and access such personal data
  • Correct inaccuracies in the consumer’s personal data
  • Delete personal data provided by or obtained about the consumer
  • Obtain a copy of the consumer’s personal data processed by a controller in a portable and, to the extent technically feasible, readily usable format
  • Opt-out of the processing of their personal data for purposes of (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Among other obligations, controllers will be required to:

  • Limit the collection of personal data to “what is adequate, relevant and reasonably necessary” to the purposes for processing, as disclosed to the consumer
  • Process personal data only for purposes that are reasonably necessary to and compatible with the purposes for processing, as disclosed to the consumer (unless the controller obtains the consumer’s consent)
  • Establish, implement and maintain reasonable administrative, technical and physical data security practices
  • Not process sensitive data concerning a consumer without obtaining the consumer’s consent
  • Not process personal data in violation of federal and state anti-discrimination laws
  • Not process personal data of a consumer for purposes of targeted advertising or sell the consumer’s personal data without the consumer’s consent, where a controller has actual knowledge and willfully disregards that a consumer is 13-15 years old; parental consent is also required for any website to collect personal data from children under the age of 13
  • Provide an effective mechanism for a consumer to revoke consent and cease processing the data within 15 days of receiving a revocation request

The CTDPA exempts certain entities, including, for example, state and local government entities, nonprofits, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act (“GLB”), and qualifying covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”).

Connecticut’s is the first state law to explicitly carve out payment transaction data from its applicability threshold; this provision was added to alleviate concerns of restaurants, small convenience stores, and similar businesses that process the personal information of many customers for the sole purpose of completing a transaction.

Like Virginia, Colorado, and Utah, and unlike California, Connecticut does not include a private right of action in its law. The CTDPA limits enforcement to the state’s attorney general. Until December 31, 2024, enforcement actions will be subject to a 60-day cure period; after that, the attorney general may, but is not required to, provide an opportunity to correct an alleged violation. A violation of the CTDPA will constitute an unfair trade practice, which carries civil penalties of up to $5,000 per violation for willful offenses.

With its passage, the CTDPA becomes yet another comprehensive state privacy law that businesses must consider when meeting their privacy obligations, putting further pressure on Congress to pass comprehensive federal privacy legislation to save companies from the headache of complying with the patchwork of privacy measures.