New Connecticut State Privacy Law Voted In, Set To Become 5th Data Privacy Regulation of Its Kind in US

In the continued absence of federal regulation of data privacy, a patchwork of state privacy laws continues to emerge as Connecticut has voted in the Connecticut Data Privacy Act (CTDPA).

The new state privacy law bears the strongest similarity to the Virginia act, but contains some elements from each of the other regulations. It will go into effect concurrent with Colorado’s new privacy law and prior to Utah’s new bill.

Connecticut joins Utah, Virginia, Colorado and California in passing state privacy law for personal data

A nearly unanimous vote in the Connecticut House made the CTDPA official, with its terms set to go into effect on July 1, 2023. As with the other state privacy laws, only businesses that meet certain thresholds of personal information handling will be regulated under the new law: those that process the data of at least 100,000 consumers annually (excluding data processed solely to complete a payment transaction), or those that derive at least 25% of their revenue from the sale of personal information and process the data of at least 25,000 consumers annually.

These thresholds will be measured by the company’s business activity in the previous calendar year. There are some exempt organization categories, however: financial institutions and others already regulated under the existing Gramm-Leach-Bliley Act, HIPAA-applicable entities, and nonprofits. Records that involve employees or business-to-business information are also exempt.

One of the key terms of Connecticut’s new state privacy law is the establishment of a “sensitive personal data” category for which companies must collect user consent. This category includes geolocation information, biometric data, health information, race and ethnicity, religious beliefs and sexual orientation.

The data of children also receives special protection under the new state privacy law. If a consumer is between the ages of 13 and 16, the business must receive consent to collect any of their personal data or to involve them in targeted advertising. The data of children is also automatically included in the “sensitive” category for regulatory purposes.

All consumers will also be granted the benefit of a mandatory opt-out signal. However, this particular element of the new state privacy law will not go into effect until January 1, 2025, presumably owing to expected complications in implementation for state businesses.

Consumers will additionally be granted rights to data access. They will be able to request correction and deletion of information that covered businesses hold, and to opt out of profiling, targeted advertising and the sale of their personal data to other parties.

Connecticut businesses will also be subject to required data protection assessments, something that will go into effect in 2023. These assessments will be required for any processing activities that present a “heightened risk of harm for consumers” and may also be specially requested by the state attorney general. A “heightened risk” means that data is being sold to a third party, processed for targeted advertising, used for profiling or includes anything in the “sensitive” category.

One right that Connecticut consumers will not have under the new state privacy law is a private right of action; enforcement decisions will fall to the attorney general. Businesses are also granted a right to cure violations, at least for a time. They will have this right from January 2023 to December 31, 2024, with 60 days to address the issue once served notice by the attorney general.

Connecticut state privacy law compares favorably to others, but lacks private action & protections for business information

The Connecticut state privacy law is roughly on par with the Virginia and Colorado bills in terms of strength, and much stronger than the “business friendly” Utah bill that goes into effect as 2023 ends. It lacks some of the key elements of the California bill, however, which both grants private right of action and extends the terms to protect processing of employee and B2B data.

Though it is overall most similar to Virginia’s bill (a good bit of it is essentially copy-and-paste), it does diverge from that state substantially in one area. The Connecticut state privacy law adds some small consumer protections in its data access request handling requirements: the requirement that the “opt out” page be separate and distinct from the rest of the site, a requirement that user browser controls be honored, and the ability to accept requests from authorized agents.

Individual penalties can range up to $5,000, which is a lower maximum than any of the other states. However, Connecticut also attaches the ability to recover actual and punitive damages, costs and attorney fees; only Utah provides for actual damages, and only Virginia allows for investigation and attorney expenses.

While the growing patchwork of state privacy laws is a better outcome for consumers than nothing at all, there are legitimate concerns about companies being able to keep up with such a broad variety of regulations. Linda Thielova, OneTrust’s Head of Privacy Center of Excellence and Data Protection Officer (DPO), sees this as being something that must be addressed by a privacy culture that is baked in from the ground up: “Should companies be worried about managing compliance with now five different laws and counting? If they are only growing, improving, and adapting their programs based on new regulations, they may end up falling behind and going into react mode. Regardless of whether privacy legislation continues to pass at this rapid rate, the question of how to operationalize privacy management will not be answered with a ‘one-size fits all’ solution. Rather, organizations should consider implementing a ‘center of trust’ that reaches across departments and prioritizes privacy by design. By taking a proactive best-practice-driven approach to their privacy programs, they can go beyond checking the box on regulatory compliance to make their business more trusted with customers, partners, employees, and stakeholders.”