Connecticut has passed a new state data privacy law slated to go into effect on July 1, 2023. The law largely tracks other new state data privacy laws recently passed in Virginia and Colorado, but also includes several provisions that could impact compliance plans, including a new obligation to provide a mechanism for consumers to revoke their consent to the processing of their data.
Consistent with all of the state data privacy laws we have seen to date, the Connecticut law does not provide for a private right of action to broadly enforce the privacy rights provisions of the law. Additionally, unlike CCPA, there is no private right of action in connection with data breaches. The Connecticut Attorney General has sole enforcement authority, and violations of the law constitute an “unfair trade practice” under Connecticut law, with willful violations subject to statutory penalties of up to $5,000 and an initial 60-day right to cure.
Notable new features in the law we have not seen in other US state data privacy laws to date include:
- Mechanism to revoke consumer consent required – Controllers must provide a mechanism for consumers to revoke consent that is “at least as easy” as the mechanism by which they provided consent and which is effective 15 days after receipt of the request.
- Carves out personal data processed solely for payments from definition of persons subject to the law – Persons subject to the law are defined with reference to the volume of data processed about Connecticut residents, as we have seen in other laws. However, this law is the first to exclude from that measurement personal data “controlled or processed” solely for the purpose of completing a payment transaction. In practice, this carve-out may be largely meaningless to businesses because they rarely will collect personal data only for payment purposes, especially where payments are made by the same person who submits an order for goods or services that needs to be fulfilled.
- Potentially stronger trade secret protections – The law expressly allows controllers to deny requests for access or copies of personal data if doing so reveals a trade secret.
- Creation of Task Force Charged with Making Recommendations About Children’s Privacy, Algorithmic Bias and Other Privacy Issues – By September 1, 2022, the chairperson of the joint standing committee of the General Assembly is required to convene a task force comprised of members of the legislature, representatives from business, academia, consumer advocacy groups, large and small companies, the Connecticut AG’s office and attorneys with experience in privacy law. The task force is charged with studying specific privacy issues and making recommendations concerning a variety of issues including the elimination of health disparities, reducing bias in algorithmic decision-making, studying possible legislation to require the deletion of children’s online accounts, studying age verification of children who create social media accounts, and how the Connecticut law should apply to data storage and colocation providers. The task force will need to submit a report of their findings in short order, by January 1, 2023.
Reflecting the rising focus on issues around teen privacy, the new law closely follows CPRA’s requirement to obtain opt-in consent from teens between 13 and 16 years of age before processing their data for targeted advertising or selling their data. The controller must obtain consent “from the consumer” for processing activities where it has “actual knowledge” or “willfully disregards” that the consumer is “at least thirteen years of age but younger than sixteen years of age.”
We outline below the key provisions of the law and draw some comparisons to the other data privacy laws to survey the lay of the state data privacy landscape.
Who is Subject to the Law – No Minimum Revenue Required
The Connecticut law eschews any revenue minimums (e.g., CCPA’s $25M floor) and instead applies based on the volume of personal data processed and, in one formulation, sold. Specifically, it applies to “persons” that conduct business in the state or that “produce products or services” that are targeted to Connecticut residents and that met at least one of the following thresholds during the preceding calendar year:
- Controlled or processed the personal data of not less than 100,000 Connecticut residents, excluding data controlled or processed solely for the purpose of completing a payment transaction; or
- Controlled or processed the personal data of not less than 25,000 Connecticut residents and derived more than 25% of their gross revenue from the sale of personal data.
The exclusion of data processed for payment processing is unique to the Connecticut law.
Data in Scope – The Majority Approach
The Connecticut law applies to “personal data” and defines it as “information that is linked or reasonably linked to an identified or identifiable individual.”
Following the lead of all of the other state data privacy laws (with the exception of CCPA), the law exempts individuals “acting in a commercial or employment context.” Also exempt are HIPAA covered entities and business associates, nonprofits, governmental entities and institutions of higher education. Data subject to HIPAA, the Gramm Leach Bliley Act and the Fair Credit Reporting Act, and a handful of additional sector-specific laws, as well as data collected in connection with health research studies are also carved out of the law.
Data Subject Rights – New Obligation to Create Revocation Mechanism
Connecticut residents will have the same data subject rights as residents of Colorado, Virginia and, with minor variations, consumers in California and Utah. They include the rights to: (a) access personal data, (b) correct personal data, (c) delete data, and (d) obtain a portable copy of the consumer’s personal data. Like laws in Virginia and Colorado, the Connecticut law also provides consumers with a right to appeal a controller’s “refusal to take action” on a data subject request.
Tracking recent amendments to the Virginia data privacy law, the Connecticut law gives controllers that have not obtained personal data directly from consumers the option to respond to deletion requests by not processing the data or by simply deleting it.
New to the US data privacy landscape is the requirement that controllers provide a specific mechanism for a consumer to revoke their consent where opt-in consent was provided for the processing of sensitive data, the sale of teen personal data or the use of teen data for targeted advertising. The revocation mechanism must make it “at least as easy” for a consumer to revoke consent as the mechanism whereby the consumer provided their consent in the first place. Controllers will have 15 days from receipt of the revocation to stop processing the data at issue.
Opt-Out Rights – Sale, Targeted Advertising and Profiling
The law mirrors Virginia and Colorado laws by providing consumers with the right to opt out of the sale of personal information, processing of personal data for targeted advertising and profiling in furtherance of “solely automated decisions” that “produce legal or other similarly significant effects concerning the consumer” (e.g., financial or lending services, housing, education enrollment or opportunity, employment, insurance, access to “essential goods and services”).
“Sale” is defined as the exchange of personal data for any type of consideration, with exceptions for service providers and variations on the intentional interaction exception under CCPA. Unlike CCPA (and CPRA to come), it does not constitute a “sale” where personal data is shared with parent companies, subsidiaries and affiliates that do not share common branding.
Like CPRA, the Connecticut law envisions that controllers may, in response to requests to opt out of the sale of personal data or the processing of personal data for targeted advertising, inform the consumer of a charge for the use of any product or service. At that point, the Connecticut law requires a controller to present the terms of a “financial incentive” to a consumer.
Global Privacy Control / Opt-Out Mechanisms
The Connecticut law, like several of the other state data privacy laws, anticipates that a platform, technology or other mechanism will soon be able to communicate various opt-out preferences. Controllers will be required to observe such signals by January 1, 2025. The law also dictates the requirements of such opt-out mechanisms, including that they “not make use of a default setting,” but instead must require a consumer to make an “affirmative, freely given and unambiguous choice to opt out of any processing.” We will be watching to see how the law evolves on this point, as the lack of a default setting appears to contradict the “set-it-and-forget-it”-styled global privacy control that CCPA regulations and CPRA appear to endorse.
No Rulemaking, But Task Force Charged With Recommendations for Further Changes
The law does not provide for rulemaking, but directs legislators to form a task force to address a variety of hot topics in privacy, including bias in algorithmic decision-making and age verification for children who create social media accounts. The law also instructs the task force to recommend “possible legislation” to require the deletion of children’s accounts upon parental request and to expand the law to include additional persons or groups. One wonders if the legislature may have simply run out of time to address these issues and hopes to pass amendments to the law addressing these issues in the future.
Enforcement – No Private Right of Action and 60-Day Right to Cure Through End of 2024
As we have seen in other states, the Attorney General has sole authority to enforce the law, and the law includes an express statement that nothing in it “shall be construed as providing the basis for, or be subject to, a private right of action for violations” of this law or any other law.
Violations of the law will constitute an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA), but (as noted above) provisions of CUTPA providing for private rights of action and class actions will not apply. CUTPA provides that courts may issue restraining orders, award actual and punitive damages, and impose civil penalties for willful violations of up to $5,000 and up to $25,000 for a violation of a restraining order.
The Connecticut law includes a mandatory 60-day right to cure that sunsets on December 31, 2024. However, beginning on January 1, 2025, the Attorney General has the authority to grant opportunities to cure, and the law lists various factors to consider when doing so (e.g., number of violations, size of controller and nature of activities, whether alleged violation was likely caused by human or technical error).
* * *
We will be watching for additional developments in the Connecticut and other state data privacy laws as they continue to unfold.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.