Connecticut has joined four other states in passing a comprehensive data privacy law that requires companies to provide consumers with information about the personal data they collect and authorizes the state attorney general to issue cure letters and file lawsuits against businesses that fail to comply.
Connecticut follows California, Virginia, Colorado, and Utah in passing such legislation. California is the only state whose comprehensive data privacy law is already in effect, and it will upgrade that existing law starting Jan. 1. All four new state laws are scheduled to take effect in 2023: Virginia on Jan. 1, Colorado and Connecticut on July 1, and Utah on Dec. 31.
The Connecticut law does not allow consumers to sue companies that fail to protect their personal data, giving that “exclusive authority” to the state attorney general. Only California’s law provides a private right of action to consumers.
The Connecticut bill, the Personal Data Privacy and Online Monitoring Act (S.B. 6), was signed into law Tuesday by Gov. Ned Lamont (D). It gives consumers the right to access, correct, delete, and obtain a copy of their personal data captured by advertisers.
Consumers will be allowed to opt out of the processing of personal data for certain purposes, and businesses must provide a “clear and conspicuous link” on their website for consumers to make opt-out requests. Businesses must set up a process to comply with consumer requests and must supply information about a consumer’s personal information to that consumer, upon request and for free, within 45 days.
Connecticut’s law most closely resembles the law passed by Colorado, with some California elements included, said Vivek Mohan, a partner in law firm Mayer Brown’s Cybersecurity & Data Privacy practice.
“States are learning from each other and using pieces of other laws that they like,” he said. Connecticut is notable among state privacy laws in that there is no rulemaking provision for the state attorney general’s office. Rulemaking has been beset with delays in California, and the rulemaking process is underway in Colorado, Mohan said.
Companies that do business in Connecticut will be prohibited from processing sensitive personal data without the consumer’s consent, from processing personal data in a way that discriminates against a consumer, and from processing it for purposes “that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed,” the law says.
The law will require businesses to obtain parental consent to sell the personal data of a consumer between the ages of 13 and 16 or to serve targeted ads to those underage consumers.
The bill applies to businesses that do business in Connecticut and control the personal data of at least 100,000 consumers, or 25,000 consumers if the firm derives more than 25 percent of its gross revenue from the sale of personal data. Businesses that meet those thresholds will be required to conduct data protection assessments that lay out how they intend to comply with the law, and those assessments can be reviewed by the state’s attorney general. Exempted entities include state government agencies, healthcare organizations regulated by the Health Insurance Portability and Accountability Act (HIPAA), financial institutions regulated by the Gramm-Leach-Bliley Act, nonprofits, and institutions of higher education.
The state’s attorney general will issue cure letters alerting companies to potential violations and giving them 60 days to address the issue before potentially filing a lawsuit against the company.
There are currently 11 states with active data privacy bills before their state legislatures, according to a tracker maintained by the International Association of Privacy Professionals.
Connecticut’s law “will not be the last of them, maybe not even the last one passed this year,” Mohan said.
As a result, businesses should look at the common themes woven through each of the laws, like good data governance and the need for stricter management of personal data handled by vendors, said Linda Thielová, DPO and head of privacy at compliance software vendor OneTrust. Companies should also be establishing a process for handling customer requests for information about their personal data and should consider honoring requests from any customer, regardless of the state in which they reside, she said.
“Most businesses operating across all 50 states are employing the same level of privacy compliance across all the states,” she said. “It’s a great public relations opportunity to advertise that your business is going out of its way to provide the highest privacy service.”
Each law does have its own quirks, Thielová said, meaning whatever process is implemented should allow for granularity in the way personal data of customers from some states is handled. This can be achieved through automation, for example, by recognizing that different data elements are considered biometric data under the Connecticut data privacy law than under Virginia’s, she said.