Connecticut Strengthens Data Breach Notification Requirements and the Uniform Law Commission Approves and Recommends Comprehensive and Uniform State Privacy Legislation

In recent weeks, Connecticut passed An Act Concerning Data Privacy Breaches (“The Act”), and the Uniform Law Commission approved and recommended the Uniform Personal Data Protection Act (“UPDPA”).  With the growing patchwork of state data privacy laws continuing to pose challenges for compliance—and the potential for federal data privacy legislation at the forefront of policy debates—the UPDPA may provide state legislators with a path toward a standardized statutory scheme.

Connecticut: An Act Concerning Data Privacy Breaches

On July 16, 2021, Governor Lamont signed An Act Concerning Data Privacy Breaches, which will take effect on October 1, 2021. As stated in the Attorney Generals Press Release, the Act includes provisions on notification of data breaches to impacted individuals and regulators and changes the former notification deadline for “individuals and the Office of the Attorney General…from 90 days to 60 days, which is in line with recent amendments passed in other states.”

In addition, the Act expands the definition of personally identifying information, compromise of which would constitute a data breach, to include patient data and medical data—a general category of health-related information that is not limited to protected health information under HIPAA.  The Act’s definition of personally identifying information also includes first name or first initial and last name in combination with, for example, Social Security number, passport number, and biometric information.

Uniform Personal Data Protection Act

On July 14, 2021, the Uniform Law Commission, a volunteer, non-profit body focused on uniformity of state laws, approved the Uniform Personal Data Protection Act.  The UPDPA has not yet been adopted by any state, but states may choose to adopt all or a portion of its provisions over time.  In contrast to the California Consumer Privacy Act (CCPA), but in line with the more recent Virginia Consumer Data Protection Act and Colorado Privacy Act, the UPDPA does not include a private right of action, leaving enforcement power to regulators.  It remains to be seen whether the elimination of the private right of action in the proposed uniform law signals a broader trend to move away from the controversial enforcement mechanism to improve the likelihood that comprehensive privacy legislation makes it to law.

The UPDPA applies to controllers and processors “that conduct[] business…or produce[] products or provide[] services purposefully directed to residents,” and meet one of four suggested thresholds: maintaining personal data about more than 50,000 data subjects; earning more than 50 percent of its gross annual revenue during a calendar year from maintaining personal data; being a processor acting on behalf of a controller the processor knows satisfies the previous two conditions; or maintaining personal data, unless it processes the personal data solely using compatible data practices, as defined by the UPDPA.

The broad scope of “compatible data practices” under the UPDPA may require a wide array of companies to consider compliance requirements, including companies typically exempt from similar statutes due to size or revenue thresholds. The UPDPA defines a compatible data practice as one that is “consistent with the ordinary expectations of data subjects or is likely to benefit data subjects substantially.”  Certain factors are considered in determining whether a processing is a compatible data practice, including: the data subject’s relationship with the controller, the type of transaction in which the data was collected, the type and nature of the data, the risk of a negative consequence on the data subject of use or disclosure of the data, effectiveness of data safeguards, and the extent to which the practice advances economic, health, or other interests of the data subject. Some compatible data practices delineated by the UPDPA are those that initiate a transaction with the data subject’s consent, meet an operational need, comply with legal obligations, create deidentified data sets, or are required to investigate fraud or malicious activity.

The scope of the UPDPA is similar to the California Consumer Protection Act (“CCPA”), although unlike the CCPA, the UPDPA does not have a threshold based on annual gross revenue that triggers compliance requirements.  Like CCPA—and the General Data Protection Regulation (“GDPR”)—the UPDPA proposes several rights for data subjects, although not all of the rights are similar.  Specifically, the UPDPA provides data subjects rights to: notice and transparency; access to and correction of personal data; prohibition of discrimination; and restrictions on incompatible or prohibited data use under the law.

The UPDPA does not include a definition of a “security breach” or data breach notification requirements to individuals or regulators. Therefore, even if there is substantial adoption of the UPDPA, states will still retain variations in their breach notification laws definitions and notice requirements. In the UPDPA, personal data is defined as any data that includes a direct identifier or is pseudonymized data that can be reasonably linked to a data subject’s identity. The UPDPA also outlines a separate category of “sensitive data” that includes racial origin, credit or debit card numbers, social security number, income, and medical information.  Like the other comprehensive state privacy laws that have passed thus far, there are notable exceptions for entities compliant with certain other privacy laws.  Specifically, entities would be exempt from the UPDPA if they process personal data in compliance with any of six key sectoral privacy regimes: the Health Insurance Portability and Accountability Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Drivers Privacy Protection Act, the Children’s Online Privacy Protection Act and the Family Education Rights and Privacy Act.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.