Data Privacy Alert: Connecticut Becomes Fifth State to Enact a Comprehensive Consumer Data Privacy Law
By Tim Rollins
On May 10, 2022, Connecticut joined California, Colorado, Utah, and Virginia as states that have passed comprehensive consumer data privacy laws. The provisions of the Act Concerning Personal Data Privacy and Online Monitoring will go into effect on July 1, 2023, the same date on which the Colorado Privacy Act takes effect.
The Connecticut consumer privacy law contains many of the same rights, obligations, and exceptions seen in the previously enacted state-level privacy laws, most closely following the trends set by Colorado and Virginia. Of course, the law does contain several differences from other state privacy laws, which organizations must account for in their compliance efforts.
The law imposes limits on the collection and use of data: organizations may only collect what is “adequate, relevant, and reasonably necessary… to the purposes for which such data is processed” and may not use data “for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes.” Organizations are obligated to establish and implement administrative, technical, and physical data security practices. A consumer’s consent must be “freely given, specific, informed and unambiguous.”
Who It Applies To
The law applies to organizations that conduct business in Connecticut and either (1) control or possess personal data belonging to 100,000 Connecticut citizens, excluding data tied solely to the purpose of completing payment transactions, or (2) control or possess personal data belonging to 25,000 consumers and derive 25% of their revenue from the sale of personal data. Because the law sets no annual revenue threshold for organizations, it takes a different approach from most other state privacy laws.
Six types of organizations are exempt from the law:
- State and local governments
- Higher education institutions
- National securities associations registered under the Securities Exchange Act of 1934
- Financial institutions subject to the Gramm-Leach-Bliley Act
- Covered entities as defined by HIPAA
What It Covers
The Connecticut law provides citizens with five main rights that are largely the same as those enumerated in Virginia’s and Colorado’s privacy laws.
- Right to access
- Right to correct
- Right to delete
- Right to portability
- Right to opt out
Unlike some other state laws, the Connecticut law does not provide consumers with a private right of action. As in Virginia, enforcement is solely at the discretion of the state’s Attorney General. Prior to any enforcement action, the AG must notify an organization of its violation, which the organization then has 60 days to cure. However, this provision sunsets on January 1, 2025. After that point, the AG’s office has discretion as to whether to allow an opportunity to cure before an enforcement action. Organizations may be penalized up to $5,000 per violation.
Expert Analysis from Matt Dumiak, Director of Privacy Services, Compliance Point
Operational challenges abound with the Connecticut data privacy law. From data protection impact assessments to an appeals process when rights requests are declined, businesses must understand their obligations under this law and how it impacts their existing privacy program. Further, and something we are starting to see in other laws, businesses are required to gain consent prior to collecting sensitive data and must allow the consumer to opt out of the processing of sensitive data in a manner that is at least as easy as it was to provide consent. The vendor environment will also need to be accounted for with specific contractual obligations. These exercises can take time, and it is recommended that businesses get in front of these obligations before the July 1, 2023, effective date.
Data Privacy Tip
For more information about current US privacy regulations, visit Exterro's Interactive Map of State Privacy Laws.