1, 2, 3, 4, 5 … you know how the song goes! Connecticut recently became the fifth state to adopt a comprehensive data privacy law. The new act, titled “An Act Concerning Personal Data Privacy and Online Monitoring” (the “Act”), takes effect July 1, 2023. As we expected, more and more states are continuing to join the ever-growing Privacy Party. Before getting on the privacy dance floor, here is what you need to know about Connecticut’s new privacy law.

Applicability

The Act applies to individuals or entities (i) “doing business in Connecticut” or (ii) “producing products or services targeted to Connecticut residents” if they meet either of the thresholds below. In the previous calendar year, they controlled or processed the personal data of at least:

  • 100,000 CT residents, excluding data used solely for completing a payment transaction; or
  • 25,000 CT residents and derived more than 25% of gross revenue from the sale of personal data.

The term “personal data” has a definition similar or identical to those in existing privacy laws and means “any information that is linked or reasonably linkable to an identified or identifiable individual.” De-identified data and publicly available information are not considered “personal data” under the Act.

Act Exemptions

The Act does not apply to the following data and/or entities:

Entities:

  • state agencies;
  • non-profits;
  • institutions of higher education;
  • national securities associations registered under 15 U.S.C. 78o-3 of the Securities Exchange Act;
  • financial institutions subject to the Gramm-Leach-Bliley Act (“GLBA”); or
  • covered entities or business associates under the Health Insurance Portability and Accountability Act (“HIPAA”).

Data:

The Act also excludes 16 categories of data. Notable data exemptions include:

  • protected health information under HIPAA;
  • personal data regulated by the Family Educational Rights and Privacy Act (FERPA);
  • financial information protected under other laws;
  • research information; and
  • employment information.

*Notably, unlike California, the Act does NOT apply to employee data. The term “consumer” explicitly excludes “individuals acting in an employment context.”

Consumer Rights

Like the other U.S. data protection laws, the Act codifies consumers’ rights to their personal data, which include:

  1. Right to Know and Access. Consumers can confirm whether a business is processing their personal data and access such personal data.
  2. Right to Correct. Consumers can correct inaccuracies in their personal data.
  3. Right to Delete. Consumers have the right to have their personal data deleted.
  4. Right to Portability. Consumers can obtain a copy of their personal data processed by the business and transmit it elsewhere.
  5. Right to Opt-Out. Consumers have the right to opt out of the processing of their personal data for purposes of:
     a. targeted advertising;
     b. selling the data; or
     c. profiling that can adversely affect the consumer.

Along with honoring the enumerated rights listed above, businesses may not discriminate against (i.e., treat differently) Connecticut consumers for exercising their rights. Businesses must also get consent to collect and process “sensitive data,” which includes: “(A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child, or (D) precise geolocation data.”

Enforcement

No Private Right of Action. The Act has no private right of action for Connecticut consumers. The Act limits its enforcement to the Connecticut Attorney General.

Cure Period. Under the Act, the Attorney General provides a cure period for violations that occur from the date the Act takes effect until December 31, 2024. During this 18-month period, entities have 60 days from receipt of a notice of violation to cure. Failure to cure may lead to the Attorney General bringing an action.

Penalties. Unlike its other U.S. counterparts, the Act does not impose a minimum or maximum penalty for violations. That said, violations of the Act will constitute a violation of the Connecticut Unfair Trade Practices Act (“CUTPA”), which imposes civil penalties of up to $5,000 for a willful violation and $25,000 for violation of a restraining order issued by the CT Commissioner of Consumer Protection.

Business Obligations

In addition to honoring the personal data rights of Connecticut consumers, businesses that collect or process personal data must also comply with the following:

Data Processing Agreement (DPA) Requirement. Section 7 of the Act requires a contract between a “controller” (an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data) and a “processor” (an individual who, or legal entity that, processes personal data on behalf of a controller) to “govern the processor’s data processing procedures with respect to processing performed on behalf of the controller.”

Data Protection Assessments. Businesses will be required to conduct and document data protection assessments for their handling of data that presents “a heightened risk of harm” to consumers. Processing that presents a “heightened risk of harm” to a consumer includes:

  • the processing of personal data for targeted advertising;
  • the sale of personal data;
  • the processing of personal data for profiling; and
  • the processing of sensitive data.

Privacy Notice. The consumer rights listed above must be described in a business’s privacy notice.

What Does Compliance Look Like Going Forward?

2023 will be a big year for data privacy in the U.S. The consumer privacy laws in Colorado (“CPA”), Virginia (“VCDPA”) and Utah (“UPA”), along with the California Privacy Rights Act (“CPRA”), which amends the California Consumer Privacy Act, all go into effect sometime in 2023. While there is still time before these laws take effect, we encourage companies to act now. Getting your compliance programs in place is a process, and waiting until these laws are already in play can be risky. Preparing for the laws now will also help manage compliance with other states that will inevitably adopt comprehensive data privacy regulations. Indiana and Ohio are two states with privacy laws currently pending before their respective legislative bodies. Taft anticipates we will be writing about these new laws and many more very soon. Before more states come on board, businesses must:

  • Take inventory and determine which of these 2023 state privacy laws apply (e.g., California’s CPRA, Colorado’s CPA, Virginia’s VCDPA, Utah’s UPA and the Act);
  • Determine what their obligations are under each applicable law;
  • Identify gaps in their current privacy practices; and
  • Consult with outside counsel to get up to speed on compliance and data privacy best practices.

Taft will continue to monitor any changes to the Act and keep you updated on such developments right here on Taft’s Privacy and Data Security Insights blog; you can also follow developments using the Taft Privacy and Data Security Mobile Application. For more information on the Act and other data privacy questions, please contact Taft’s Privacy and Data Security Team.