On May 10, 2022, Connecticut became the fifth state to pass a comprehensive privacy law, adding to the patchwork of such laws. The law will go into effect on July 1, 2023, and applies to all persons (a) that conduct business in Connecticut or produce products or services targeted to Connecticut residents and (b) in the last year either controlled or processed the personal data of at least 100,000 consumers (unless solely for the purpose of completing a payment transaction) or controlled or processed the personal data of at least 25,000 consumers and derived 25% of their gross revenue from the sale of personal data.
Additionally, the law includes certain data-minimization requirements. For instance, the law limits the collection of personal data to what is "adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed" and forbids the processing of such data for "purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such data is processed" without the consent of the consumer.
Similar to other comprehensive privacy laws, Connecticut's law requires covered businesses to establish a "reasonably accessible, clear, and meaningful" privacy notice that discloses the controller's contact information and informs consumers of (a) the categories of personal data it processes, (b) the purposes for processing, (c) the categories of personal data shared with third parties, (d) the categories of third parties with whom the controller shares personal data, and (e) how consumers may exercise their privacy rights. Furthermore, if a controller sells personal data to third parties or processes data for targeted advertising, it must "conspicuously" disclose this to consumers to permit the exercise of a consumer's opt-out rights.
The law also imposes certain data-security requirements on controllers, requires controllers to conduct data protection assessments for processing activities that present a "heightened risk of harm" to consumers, and establishes requirements for contracts between controllers and processors. Notably, the law provides no private right of action and relies on the state attorney general for enforcement. Like similar laws in other states, the Connecticut law provides covered businesses a cure period in which they may correct certain violations before the attorney general can bring an enforcement action. The guarantee of this cure period, however, lasts only until January 1, 2025, at which point the law grants the attorney general discretion to deny cure periods for alleged violations.
TIP: Companies can take steps now to prepare for this new law before the July 1, 2023 deadline. Such steps include 1) conducting privacy risk assessments, 2) updating consumer-rights response procedures, and 3) reviewing data-collection and processing practices to ensure compliance with data-minimization requirements.