On May 10, 2022, Connecticut became the fifth state to pass a comprehensive privacy law, adding to the patchwork of such laws. The law will go into effect on July 1, 2023, and applies to all persons (a) that conduct business in Connecticut or produce products or services targeted to Connecticut residents and (b) in the last year either controlled or processed the personal data of at least 100,000 consumers (unless solely for the purpose of completing a payment transaction) or controlled or processed the personal data of at least 25,000 consumers and derived 25% of their gross revenue from the sale of personal data.

Consumers engaging with covered businesses will now enjoy an array of new privacy rights, including the right to (a) confirm that the business processes their personal data; (b) correct inaccuracies; (c) delete personal data provided by, or obtained about, the consumer; (d) obtain a copy of personal data in a "portable, and to the extent technically feasible, readily usable format"; and (e) opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data (subject to certain exceptions), or "profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer." The law also requires that covered businesses obtain consent from consumers before processing sensitive data, and it explicitly excludes from its definition of consent certain methods of doing so, including obtaining consent through acceptance of general or broad terms of use or by use of dark patterns.

Additionally, the law includes certain data-minimization requirements. For instance, the law limits the collection of personal data to what is "adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed" and forbids the processing of such data for "purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such data is processed" without the consent of the consumer.

Similar to other comprehensive privacy laws, Connecticut's law requires covered businesses to establish a "reasonably accessible, clear, and meaningful" privacy notice that discloses the controller's contact information and informs consumers of (a) the categories of personal data it processes, (b) the purposes for processing, (c) the categories of personal data shared with third parties, (d) the categories of third parties with whom the controller shares personal data, and (e) how consumers may exercise their privacy rights. Furthermore, if a controller sells personal data to third parties or processes data for targeted advertising, it must "conspicuously" disclose this to consumers to permit the exercise of a consumer's opt-out rights.

Furthermore, the law imposes certain data-security requirements on controllers, requires controllers to conduct data protection assessments for processing activities that present a "heightened risk of harm" to consumers, and establishes requirements for contracts between controllers and processors. Notably, the law provides no private right of action and relies on the state attorney general for enforcement. Like similar laws in other states, the Connecticut law provides covered businesses a cure period in which they may correct certain violations before the attorney general can bring an enforcement action. The guarantee of this cure period, however, only lasts until January 1, 2025, at which point the law grants the attorney general discretion to deny cure periods for alleged violations.

TIP: Companies can take steps now to prepare for this new law before the July 1, 2023 deadline. Such steps include 1) conducting privacy risk assessments, 2) updating consumer-rights response procedures, and 3) reviewing data-collection and processing practices to ensure compliance with data-minimization requirements. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.