When the California Consumer Privacy Act of 2018 (CCPA) became law, it was only a matter of time before other states adopted their own statutes intending to enhance privacy rights and consumer protection for their residents. After overwhelming support in the state legislature, Connecticut is about to become the fifth state with a comprehensive privacy law, as SB 6 awaits signature by Governor Ned Lamont.
If signed, the “Act Concerning Personal Data Privacy and Online Monitoring” (Act) will take effect January 1, 2023, the same day as the Colorado Consumer Privacy Act.
As noted, the Act largely tracks the Virginia Consumer Data Protection Act (VCDPA) and has the following key elements:
- Jurisdictional Scope. The Act would apply to persons that conduct business in Connecticut or that produce products or services that are targeted to residents of Connecticut and that during the preceding calendar year: (i) controlled or processed personal data of at least 75,000 consumers (under the VCDPA this threshold is at least 100,000 Virginians) or (ii) controlled or processed personal data of at least 25,000 consumers and derived over 25 percent of gross revenue from the sale of personal data (50 percent under the VCDPA).
- Exemptions. The Act provides exemptions at two levels, the entity level and the data level. Entities exempted from the Act include (i) agencies, commissions, districts, etc. of the state or political subdivisions, (ii) nonprofits, (iii) higher education, (iv) national securities associations, (v) financial institutions or data subject to Gramm-Leach-Bliley Act (GLBA), and (vi) hospitals as defined under Connecticut law. Note that the Act does not include a broad-based, entity-level exemption for covered entities and business associates as defined under HIPAA.
The Act also exempts a long list of categories of information including protected health information under HIPAA and certain identifiable private information in connection with human subject research. The Act also exempts certain personal information under the Fair Credit Reporting Act, Driver’s Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, and other laws. In general, exempt data also includes data processed or maintained (i) in the course of an individual applying to, employed by or acting as an agent or independent contractor to the extent that the data is collected and used within the context of that role, (ii) as emergency contact information, or (iii) that is necessary to retain to administer benefits for another individual relating to the individual in (i) above.
- Personal Data. Similar to the CCPA and GDPR, the Act defines personal data broadly to include any information that is linked or reasonably linkable to an identified or identifiable individual, but excludes de-identified data or publicly available information. However, maintaining deidentified information is not without obligation under the Act. Controllers that maintain such information must take reasonable measures to ensure that the data cannot be reidentified. They must also publicly commit to maintaining and using de-identified data without attempting to reidentify it. Finally, the controller must contractually obligate any recipients of the de-identified data to comply with the Act.
- Sensitive Data. Similar to the VCDPA, the Act includes a category for “sensitive data.” This is defined as (i) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (ii) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (iii) personal data collected from a known child, or (iv) precise geolocation data. Notably, sensitive data cannot be processed without consumer consent. In the case of sensitive data of a known child, the data must be processed according to the federal Children’s Online Privacy Protection Act (COPPA). Also, controllers must conduct and document a data protection assessment specifically for the processing of sensitive data.
- Consumer. The Act defines “consumer” as “an individual who is a resident of” Connecticut. Consumers under the Act do not include individuals acting (i) in a commercial or employment context or (ii) as employee, owner, director, officer or contractor of certain entities including a government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with that entity.
- Consumer Rights. Consumers under the Act would be afforded the following personal data rights:
- To confirm whether or not a controller is processing their personal data and to access such personal data;
- To correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of their personal data;
- To delete personal data provided by or obtained about them;
- To obtain a copy of their personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the data to another controller without hindrance, where the processing is carried out by automated means and without revealing trade secrets; and
- To opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) sale, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
- Reasonable Data Security Requirement. The Act affirmatively requires controllers to establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
- Data Protection Assessments. The Act imposes a new requirement for controllers: conduct data protection assessments (as mentioned above regarding sensitive data). Controllers must conduct and document data protection assessments for specific processing activities involving personal data that present a heightened risk of harm to consumers. These activities include targeted advertising, sale of personal data, profiling, processing of sensitive data. Profiling activities will require a data protection assessment when it would present a reasonably foreseeable risk of (A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (B) financial, physical or reputational injury to consumers, (C) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or (D) other substantial injury to consumers. When conducting such assessments controllers must identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer. Controllers also can consider how those risks are mitigated by safeguards that can be employed by the controller. Factors controllers must consider include the use of de-identified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed.
- Enforcement. The Connecticut Attorney General’s office would have exclusive enforcement over the Act. During the first eighteen months the Act is effective, until December 31, 2024, controllers would be provided notice of a violation and will have a 60-day cure period. After that, the opportunity to cure may be granted depending on the Attorney General’s assessment of factors such as the number of violations, the size of the controller or processor, the nature of the processing activities, among others. Violations of the Act constitute an unfair trade practice under Connecticut’s Unfair and Deceptive Acts and Practices (UDAP) law. Under the UDAP, violations are subject to civil penalties of up to $5,000, plus actual and punitive damages and attorneys’ fees. The Act expressly excludes a private right of action.
Other states across the country are contemplating ways to enhance their data privacy and security protections. Organizations, regardless of their location, should be assessing and reviewing their data collection activities, building robust data protection programs, and investing in written information security programs.