1, 2, 3, 4, 5 … you know how the song goes! Connecticut recently became the fifth state to adopt a comprehensive data privacy law. The new act titled “An Act Concerning Personal Data Privacy and Online Monitoring,”(the “Act”) takes effect July 1, 2023. As we expected, more and more states are continuing to join the ever-growing Privacy Party. Before getting on the privacy dance floor, here is what you need to know about Connecticut’s new privacy law.
Applicability. The Act applies to individuals or entities (i) “doing business in Connecticut” or (ii) “producing products or services targeted to Connecticut residents” if they meet either of the thresholds below. In the previous calendar year, they controlled or processed the personal data of at least:
The term “personal data” has a similar and/or identical definition to existing privacy laws and means “any information that is linked or reasonably linkable to an identified or identifiable individual.” De-identified data or publicly available information is not considered “personal data” under the Act.
The Act does not apply to the following data and/or entities:
The Act also excludes 16 categories of data. Notable data exemptions include:
Notably, unlike California, the Act does NOT apply to employee data. The term “consumer” explicitly excludes “individuals acting in an employment context.”
Consumer Rights. Like the other U.S. data protection laws, the Act codifies consumers’ rights to their personal data, which include:
a. targeted advertising;
Along with honoring the enumerated rights listed above, businesses may not discriminate (i.e., treat differently) Connecticut consumers for exercising their rights. Businesses must also get consent to collect and process “sensitive data” which includes: “(A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child, or (D) precise geolocation data.”
No Private Right of Action. The Act has no private right of action for Connecticut consumers. The Act limits its enforcement to the Connecticut Attorney General.
Cure Period. Under the Act, the Attorney General provides a cure period for violations that occur between the Act’s effective date and December 31, 2024. During this 18-month period, entities have 60 days from receipt of the notice of violation to cure. Failure to cure may lead to the Attorney General bringing an action.
Penalties. Unlike its other U.S. counterparts, the Act does not impose a minimum or maximum penalty for violations. That said, a violation of the Act will constitute a violation of the Connecticut Unfair Trade Practices Act (“CUTPA”), which imposes civil penalties of up to $5,000 for a willful violation and $25,000 for violation of a restraining order issued by the CT Commissioner of Consumer Protection.
In addition to honoring the personal data rights of Connecticut consumers, businesses that collect or process personal data must also comply with the following:
Data Processing Agreement (DPA) Requirement. Section 7 of the Act requires a contract between a “controller” (an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data) and a “processor” (an individual who, or legal entity that, processes personal data on behalf of a controller) to “govern the processor’s data processing procedures with respect to processing performed on behalf of the controller.”
Data Protection Assessments. Businesses will be required to conduct and document data protection assessments for their handling of data that presents “a heightened risk of harm” to consumers. Processing that presents a “heightened risk of harm” to a consumer includes:
Privacy Notice. The consumer rights listed above must be described in a business’ privacy notice.
What Does Compliance Look Like Going Forward?
2023 will be a big year for data privacy in the U.S. The consumer privacy laws in Colorado (“CPA”), Virginia (“VCDPA”) and Utah (“UPA”), along with the California Privacy Rights Act (“CPRA”), which amends the California Consumer Privacy Act, all go into effect sometime in 2023. While there is still time before these laws take effect, we encourage companies to act now. Getting your compliance programs in place is a process, and waiting until these laws are already in play can be risky. Preparing for the laws now will also help manage compliance with other states that will inevitably adopt comprehensive data privacy regulations. Indiana and Ohio are two states with privacy laws currently pending before their respective legislative bodies. Taft anticipates we will be writing about these new laws and many more very soon. Before more states come on board, businesses must:
- Take inventory and determine which of these 2023 state privacy laws apply (e.g., California’s CPRA, Colorado’s CPA, Virginia’s VCDPA, Utah’s UPA and the Act);
- Determine what their obligations are under each applicable law;
- Identify gaps in their current privacy practices; and
- Consult with outside counsel to get up to speed on compliance and data privacy best practices.
Taft will continue to monitor any changes to the Act and keep you updated on such developments right here on Taft’s Privacy and Data Security Insights blog; you can also follow developments using the Taft Privacy and Data Security Mobile Application. For more information on the Act and other data privacy questions, please contact Taft’s Privacy and Data Security Team.