On May 10, 2022, Connecticut became the fifth state to enact a comprehensive consumer data privacy law. Connecticut's Senate Bill 6, the Personal Data Privacy and Online Monitoring Act (CTDPA), closely resembles the consumer privacy laws recently passed in Virginia, Colorado, and Utah, and it takes effect on July 1, 2023. In this installment of our Gearing Up for privacy compliance series, we focus on the CTDPA's scope and threshold requirements, the consumer rights it creates, the actions businesses should take to comply, and how the law is enforced.

What Companies Are Impacted by CTDPA?

CTDPA applies to controllers and processors of personal data. Connecticut defines a controller as an individual or legal entity that "determines the purpose and means of processing personal data."1 It defines a processor as "an individual who, or legal entity that, processes personal data on behalf of a controller."2 Processors must follow the controller's instructions and must assist the controller in meeting its obligations under the CTDPA. The CTDPA also requires a contract between each controller and its processor and lists the terms that contract must contain, including the processor's specific duties.3

Like its predecessors, the CTDPA sets threshold requirements that determine whether the law applies to a particular entity. CTDPA will apply to any person who conducts business in Connecticut, or who produces products or services targeted to Connecticut residents, and who during the preceding calendar year either:

  • Controlled or processed the personal data of 100,000 or more consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • Controlled or processed the personal data of more than 25,000 consumers and derived more than 25 percent of gross revenue from the sale of personal data.

CTDPA provides entity-level exemptions for the state and its political subdivisions, nonprofit organizations, institutions of higher education, national securities associations registered under the Securities Exchange Act of 1934, financial institutions and data subject to the Gramm-Leach-Bliley Act, and HIPAA covered entities and business associates as defined in 45 CFR 160.103.

CTDPA Consumer Rights

CTDPA grants consumers specific data privacy rights. Controllers must provide a secure and reliable means for consumers to exercise those rights and must describe the process for doing so in their privacy notice. Controllers must respond to a consumer's request without undue delay, and in any event within 45 days of receiving it; the controller may extend that period once, by an additional 45 days, when reasonably necessary, provided it informs the consumer of the extension and the reason for it within the original 45-day window. CTDPA grants the following consumer rights:

  • The right to confirm whether or not a controller is processing the consumer's personal data, unless confirmation would require the controller to reveal a trade secret;
  • The right to access the personal data that a controller is processing, unless access would require the controller to reveal a trade secret;
  • The right to correct inaccuracies in the consumer's personal data;
  • The right to delete personal data provided by, or obtained about, the consumer;
  • The right to obtain a copy of the consumer's personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller, provided the controller need not reveal a trade secret; and
  • The right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Controllers must provide consumers with a privacy notice that describes the categories of personal data the controller processes, the purposes for processing that data, the categories of personal data the controller shares with third parties and the categories of third parties it shares them with, how a consumer may exercise their rights (including how to appeal a controller's decision on a request), and an active email address or other online mechanism the consumer may use to contact the controller. Additionally, a controller that sells personal data to third parties or processes personal data for targeted advertising must clearly and conspicuously disclose that processing to the consumer, together with the method by which the consumer may opt out of it.

What Actions Do Impacted Businesses Need to Take?

Non-exempt entities that meet the CTDPA threshold requirements will need to be in compliance by July 1, 2023. Specifically, controllers will be required to:

  • Minimize Data Collection: Limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer.
  • Minimize Data Processing: Refrain from processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes disclosed to the consumer, unless the controller obtains the consumer's consent.
  • Provide a Privacy Notice: Provide consumers with a reasonably accessible, clear, and meaningful privacy notice.
  • Let Consumers Revoke Consent: Provide an effective mechanism for a consumer to revoke previously given consent, and cease processing the consumer's personal data as soon as practicable, but no later than 15 days after receiving the revocation request.
  • Obtain Consent for Sensitive Data: Obtain the consumer's consent before processing sensitive data. Where the sensitive data is that of a known child, the controller must process it in accordance with the Children's Online Privacy Protection Act (COPPA).
  • Secure Personal Data: Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the personal data at issue.
  • Not Discriminate Against Consumers: Refrain from processing personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers, and do not discriminate against a consumer for exercising a right under the CTDPA.
  • Not Target Advertising to Minors or Sell Their Personal Data Without Consent: Refrain from processing a consumer's personal data for targeted advertising, or selling that personal data, without the consumer's consent where the controller has actual knowledge, and willfully disregards, that the consumer is at least 13 but younger than 16 years of age.

Who Can Enforce CTDPA?

CTDPA does not provide a private right of action; the Connecticut attorney general has sole enforcement authority. During a grace period running from July 1, 2023, through December 31, 2024, the attorney general must, before bringing an action, notify a controller of an alleged violation if the attorney general determines that a cure is possible. The attorney general may bring an action if the controller fails to cure the violation within 60 days of receiving that notice.

Footnotes

1. Bill § 2(8)

2. Bill § 2(21)

3. Bill §7(b)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.