ARTICLE
12 May 2022

Connecticut Passes Comprehensive Data Privacy Law

WT
Winston Taylor

Contributor

Whether you're leading the way, disrupting an industry, entering a new phase of growth, or launching a defining product—we're in the room with you. In the action. Sleeves rolled up.

With a rich history spanning both sides of the Atlantic, we are present in the major commercial centers that matter to our clients: the U.S., the U.K., Europe, Latin America, and the Middle East. Combining scale with the speed clients demand, our defining capabilities include major litigation, critical transactions, strategic IP, and private wealth.

Our team of over 1,400 lawyers works hand-in-hand across markets, sectors, practice areas, and client teams. All-in problem solvers, we bring the creativity to think differently, and the pragmatism to get things done when it counts the most.

Embedded in your business and sharing your ambition, we take the work personally. Shaping what we do and how we do it around your goals and needs, always one step ahead of the moment.

On May 10, 2022, Connecticut became the fifth state to pass a comprehensive privacy law, adding to the patchwork of such laws.
United States Connecticut Privacy

On May 10, 2022, Connecticut became the fifth state to pass a comprehensive privacy law, adding to the patchwork of such laws. The law will go into effect on July 1, 2023, and applies to all persons (a) that conduct business in Connecticut or produce products or services targeted to Connecticut residents and (b) in the last year either controlled or processed the personal data of at least 100,000 consumers (unless solely for the purpose of completing a payment transaction) or controlled or processed the personal data of at least 25,000 consumers and derived 25% of their gross revenue from the sale of personal data.

Consumers engaging with covered businesses will now enjoy an array of new privacy rights, including the right to (a) confirm that the business processes their personal data; (b) correct inaccuracies; (c) delete personal data provided by, or obtained about, the consumer; (d) obtain a copy of personal data in a "portable, and to the extent technically feasible, readily usable format"; and (e) opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data (subject to certain exceptions), or "profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer." The law also requires that covered businesses obtain consent from consumers before processing sensitive data, and it explicitly excludes from its definition of consent certain methods of doing so, including obtaining consent through acceptance of general or broad terms of use or by use of dark patterns.

Additionally, the law includes certain data-minimization requirements. For instance, the law limits the collection of personal data to what is "adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed" and forbids the processing of such data for "purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such data is processed" without the consent of the consumer.

Similar to other comprehensive privacy laws, Connecticut's law requires covered businesses to establish a "reasonably accessible, clear, and meaningful" privacy notice that discloses the controller's contact information and informs consumers of (a) the categories of personal data it processes, (b) the purposes for processing, (c) the categories of personal data shared with third parties, (d) the categories of third parties with whom the controller shares personal data, and (e) how consumers may exercise their privacy rights. Furthermore, if a controller sells personal data to third parties or processes data for targeted advertising, it must "conspicuously" disclose this to consumers to permit the exercise of a consumer's opt-out rights.

Furthermore, the law imposes certain data-security requirements on controllers, requires controllers to conduct data protection assessments for processing activities that present a "heightened risk of harm" to consumers, and establishes requirements for contracts between controllers and processors. Notably, the law provides no private right of action and relies on the state attorney general for enforcement. Like similar laws in other states, the Connecticut law provides covered businesses a cure period in which they may correct certain violations before the attorney general can bring an enforcement action. The guarantee of this cure period, however, only lasts until January 1, 2025, at which point the law grants the attorney general discretion to deny cure periods for alleged violations.

TIP: Companies can take steps now to prepare for this new law before the July 1, 2023 deadline. Such steps include 1) conducting privacy risk assessments, 2) updating consumer-rights response procedures, and 3) reviewing data-collection and processing practices to ensure compliance with data-minimization requirements. 

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More