May 24, 2022

Connecticut Data Privacy Act: What Businesses Need to Know

Event Date:
Hosted By:
Register Now
Mark Rowan

After the Connecticut General Assembly enacted the bill in April, Connecticut Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring on May 10th, 2022. Connecticut is the sixth state to pass consumer privacy legislation.

The Connecticut Data Privacy Act (also known as CTDPA or Connecticut Senate Bill 6) will apply to persons and businesses who conduct business in Connecticut or manufacture products or services that are targeted to Connecticut citizens when it goes into effect on July 1st, 2023. It will specifically target companies that in the previous year controlled or processed the personal data of at least 100,000 customers, or controlled or processed the personal data of at least 25,000 customers and received more than 25% of their total income from the selling of personal data.

If you want to ensure that your business is compliant with this new data privacy law, take a look at our in-depth guide to the scope, consumer rights, compliance obligations, and exemptions of the Connecticut Data Privacy Act below.

The Scope of Connecticut Senate Bill 6

The Connecticut law follows the same fundamental concept as Virginia and Colorado, but with a few key differences. The statute applies to organizations who do business in Connecticut or generate products or services for Connecticut people and have done the following in the previous fiscal year:

  • Controlled or processed personal data of at least 100,000 customers, except personal data controlled or processed simply for the purpose of completing payment transactions.
  • Controlled or processed the personal data of at least 25,000 customers, and the selling of personal data accounted for more than a quarter of their total income.

The law's reach is somewhat larger than Virginia's and slightly smaller than Colorado's, with a revenue barrier for data sales income that falls somewhere between Virginia's (50 percent of gross revenues) and Colorado's (50 percent of gross revenues) (any revenue or discount). It's also worth noting that the legislation expressly excludes personal data collected purely for payment purposes. As a result, businesses that just accept debit or credit cards to complete a sale will be exempt from the law's restrictions.

The Connecticut statute does not include an annual revenue level that triggers responsibilities. In practice, this means that, unlike the California Consumer Privacy Act, an entity will not be subject to the law solely based on its annual revenues, and that entities will not be required to exceed a certain yearly revenue threshold in order to be covered by the law. A few crucial definitions should be considered while evaluating the act’s scope. It defines "consumer" as a Connecticut resident and clearly excludes those operating in a business or employment environment, as Virginia, Colorado, and Utah have done. As a result, when entities analyze the law's application, the personal data of such persons might be withheld.

Furthermore, the law defines "selling of personal data" as the exchange of personal data by the controller to a third party for monetary or other significant benefits. Unlike Virginia and Utah, which define a sale as an exchange of personal data for monetary compensation exclusively, the statute uses the CCPA and Colorado definitions, which include an exchange for other useful considerations as well. The term "selling of personal data" also expressly excludes some disclosures, which virtually exactly mirror those in the Colorado statute, such as disclosures to a processor or an affiliate of the controller, disclosures that a consumer asks the controller to disclose, and so on.

The Connecticut statute, like Virginia and Colorado, clearly excludes any de-identified data or publicly available information from the definition of "personal data." "Publicly available information" refers to information that a controller has a reasonable basis for thinking a consumer has lawfully made available to the general public through government records or widely dispersed media.

Is Connecticut Senate Bill 6 Similar to Other Data Privacy Laws?

The answer to that would be “yes.” The California Consumer Privacy Act, Colorado Privacy Act, Virginia Consumer Data Protection Act, and Utah Consumer Privacy Act are all comparable. It contains the broad term "sale" used by the CPA and the CPRA, which covers the exchange of personal data for monetary or other valued compensation. Beginning January 1st, 2025, the CTDPA will require controllers to recognize opt-out preference signals transmitted via a universal opt-out method, following the lead of the CPA. The CTDPA, like the CPRA, does not require opt-out requests to be authenticated. The CTDPA, like the CPA and CPRA, forbids the use of dark patterns to seek permission.

The CTDPA requires controllers to get parental consent before collecting personal data from a known child, as required by the CPA and VCDPA. In addition, the CTDPA joins the CPRA, VCDPA, and CPA in requiring controllers to complete data protection assessments before engaging in data processing activities that pose a high risk of harm to consumers. Although the CTDPA gives controllers a chance to correct infractions at first, that right will expire on December 31st, 2024. The CTDPA, like other current state privacy laws in the United States, does not allow for a private right of action. The Attorney General of Connecticut will be in charge of enforcing the statute.

What Are Businesses Required to Do Under Connecticut Senate Bill 6?
Limit Collection of Data

Controllers must restrict the acquisition of personal data to what is appropriate, relevant, and reasonably necessary in regard to the purposes for which such data is processed, as notified to the consumer, as required by the CCPA and legislation of Virginia and Colorado.

Limit Use of Data

Controllers are forbidden from processing personal data for purposes that are neither reasonably required nor consistent with the specified purposes for which such personal data is processed, unless an exemption exists, such as obtaining permission.

Responding to Consumer Requests

The requirements for responding to consumer inquiries are quite similar in Virginia and Colorado. Controllers must reply to a consumer's request without any delay, but no later than 45 days after receiving it, with the possibility of an additional 45-day extension if necessary. Consumers must be able to challenge a controller's refusal to act on a request within a reasonable timeframe using a clearly visible appeal mechanism. Controllers must notify customers in writing within 60 days of any action or inaction taken in response to the appeal, just as Virginia law requires. If the consumer's appeal is refused, the controller must provide an online facility or other option for the consumer to contact and file a complaint with the attorney general.

Contracts for Data Processing

The legislation, like most of its predecessors, requires a contract between a controller and a processor to regulate the data processing undertaken on behalf of the controller by the processor. Such contracts must explicitly state the instructions for processing data, as well as the nature and purpose of processing, the kind of data subject to processing, the length of processing, and both parties' rights and duties.

Assessments of Data Protection

Controllers must complete and document a data protection assessment for each processing activity that poses a high risk of damage to consumers.

Improved Data Security

Controllers must also create, implement, and maintain suitable administrative, technological, and physical data security procedures proportionate to the amount and kind of personal data at issue to safeguard the confidentiality, integrity, and accessibility of personal data.

Comply with Consent Requirements

The legislation bans controllers from processing sensitive data without consent. Personal data obtained from an individual the controller knows is under the age of 13 is considered "sensitive data," and must be treated in compliance with the Children's Online Privacy Protection Act. Consent must be freely granted, precise, informed, and unequivocal, and it cannot be gained by the use of dark patterns, according to the legislation. Furthermore, controllers must offer an effective way for consumers to revoke the consent that is at least as simple as the mechanism used to grant consent. The controller shall cease processing the data as soon as possible after receiving the revocation, but no later than 15 days.

Nondiscrimination

Controllers are banned from discriminating against consumers who use any of their legal rights by withholding goods or services, charging different prices or rates for goods or services, or delivering a different degree of quality of products or services.

Transparency

Connecticut's legislation, like its predecessors, requires controllers to present customers with a privacy notice that is fairly accessible, clear, and meaningful.

What Consumer Rights Does Connecticut Senate Bill 6 Offer?

The following rights are provided to consumers under this new act:

  1. The right of accessibility. Consumers have the right to know whether a controller is processing their personal data and to have access to such data. It does, however, include an exemption to this right when such confirmation or access would compel the controller to divulge a trade secret, unlike the Virginia legislation.
  2. The right to correct data. Consumers have the right to have mistakes in their personal data corrected, taking into consideration the nature of the data and the reasons for which it is being processed.
  3. The right to data portability. Consumers have the right to a copy of their personal data processed by the controller in a portable and, to the extent technically practicable, easily accessible format that allows them to send the data to another controller without difficulty, when the processing is done by automated methods, provided that the controller is not compelled to expose any trade secrets.
  4. The right to opt out of data collection. Consumers in Connecticut, like those in Virginia and Colorado, have the right to opt out of the processing of personal data for the purposes of targeted advertising or the sale of personal data.
  5. The right to remove data. Consumers also have the right to remove personal data that they have submitted or that has been gathered about them.
Exemptions Under Connecticut Senate Bill 6

If you’re concerned about being compliant with this new law, don’t worry – there’s a good chance that you’re actually exempt. Certain categories of companies and data are also excluded from the law's restrictions. The following six categories of entities are excluded from the legislation, regardless of whether the data gathered and processed would otherwise be subject to the law:

  • Local and state governments.
  • Non-profit organizations.
  • Institutions of higher learning
  • The Securities Exchange Act of 1934 established national securities organizations.
  • The Gramm-Leach-Bliley Act subjected financial institutions and data.
  • The Health Insurance Portability and Accountability Act covered entities and business partnerships.

The bill exempts data from sixteen categories, including HIPAA-regulated information, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act. Data on specific employees and job applicants are likewise excluded.

How Will This New Law Be Enforced?

The statute, like Virginia, Colorado, and Utah, lacks a private right of action, and, like Virginia, enforcement is solely in the hands of the attorney general. The attorney general must notify the controller of the infraction before taking action. The statute, like Colorado's, then provides a controller 60 days to repair the infraction, which is double the 30-day cure time allowed by California, Utah, and Virginia rules. The right to cure under the statute is similar to Colorado's in that it will no longer be needed beginning January 1st, 2025, after which the attorney general will have discretion whether or not to grant a chance to cure.

The Connecticut Unfair Commercial Practices Act defines a violation of the law as an unfair trade practice. As a result, civil fines of up to $5,000 per willful infringement may be imposed. The attorney general may also pursue equitable remedies, including as restitution, disgorgement, and injunctive relief, under the CUTPA.

May 24, 2022

Connecticut Data Privacy Act: What Businesses Need to Know

Date:
Hosted By:
Register Now

After the Connecticut General Assembly enacted the bill in April, Connecticut Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring on May 10th, 2022. Connecticut is the sixth state to pass consumer privacy legislation.

The Connecticut Data Privacy Act (also known as CTDPA or Connecticut Senate Bill 6) will apply to persons and businesses who conduct business in Connecticut or manufacture products or services that are targeted to Connecticut citizens when it goes into effect on July 1st, 2023. It will specifically target companies that in the previous year controlled or processed the personal data of at least 100,000 customers, or controlled or processed the personal data of at least 25,000 customers and received more than 25% of their total income from the selling of personal data.

If you want to ensure that your business is compliant with this new data privacy law, take a look at our in-depth guide to the scope, consumer rights, compliance obligations, and exemptions of the Connecticut Data Privacy Act below.

The Scope of Connecticut Senate Bill 6

The Connecticut law follows the same fundamental concept as Virginia and Colorado, but with a few key differences. The statute applies to organizations who do business in Connecticut or generate products or services for Connecticut people and have done the following in the previous fiscal year:

  • Controlled or processed personal data of at least 100,000 customers, except personal data controlled or processed simply for the purpose of completing payment transactions.
  • Controlled or processed the personal data of at least 25,000 customers, and the selling of personal data accounted for more than a quarter of their total income.

The law's reach is somewhat larger than Virginia's and slightly smaller than Colorado's, with a revenue barrier for data sales income that falls somewhere between Virginia's (50 percent of gross revenues) and Colorado's (50 percent of gross revenues) (any revenue or discount). It's also worth noting that the legislation expressly excludes personal data collected purely for payment purposes. As a result, businesses that just accept debit or credit cards to complete a sale will be exempt from the law's restrictions.

The Connecticut statute does not include an annual revenue level that triggers responsibilities. In practice, this means that, unlike the California Consumer Privacy Act, an entity will not be subject to the law solely based on its annual revenues, and that entities will not be required to exceed a certain yearly revenue threshold in order to be covered by the law. A few crucial definitions should be considered while evaluating the act’s scope. It defines "consumer" as a Connecticut resident and clearly excludes those operating in a business or employment environment, as Virginia, Colorado, and Utah have done. As a result, when entities analyze the law's application, the personal data of such persons might be withheld.

Furthermore, the law defines "selling of personal data" as the exchange of personal data by the controller to a third party for monetary or other significant benefits. Unlike Virginia and Utah, which define a sale as an exchange of personal data for monetary compensation exclusively, the statute uses the CCPA and Colorado definitions, which include an exchange for other useful considerations as well. The term "selling of personal data" also expressly excludes some disclosures, which virtually exactly mirror those in the Colorado statute, such as disclosures to a processor or an affiliate of the controller, disclosures that a consumer asks the controller to disclose, and so on.

The Connecticut statute, like Virginia and Colorado, clearly excludes any de-identified data or publicly available information from the definition of "personal data." "Publicly available information" refers to information that a controller has a reasonable basis for thinking a consumer has lawfully made available to the general public through government records or widely dispersed media.

Is Connecticut Senate Bill 6 Similar to Other Data Privacy Laws?

The answer to that would be “yes.” The California Consumer Privacy Act, Colorado Privacy Act, Virginia Consumer Data Protection Act, and Utah Consumer Privacy Act are all comparable. It contains the broad term "sale" used by the CPA and the CPRA, which covers the exchange of personal data for monetary or other valued compensation. Beginning January 1st, 2025, the CTDPA will require controllers to recognize opt-out preference signals transmitted via a universal opt-out method, following the lead of the CPA. The CTDPA, like the CPRA, does not require opt-out requests to be authenticated. The CTDPA, like the CPA and CPRA, forbids the use of dark patterns to seek permission.

The CTDPA requires controllers to get parental consent before collecting personal data from a known child, as required by the CPA and VCDPA. In addition, the CTDPA joins the CPRA, VCDPA, and CPA in requiring controllers to complete data protection assessments before engaging in data processing activities that pose a high risk of harm to consumers. Although the CTDPA gives controllers a chance to correct infractions at first, that right will expire on December 31st, 2024. The CTDPA, like other current state privacy laws in the United States, does not allow for a private right of action. The Attorney General of Connecticut will be in charge of enforcing the statute.

What Are Businesses Required to Do Under Connecticut Senate Bill 6?
Limit Collection of Data

Controllers must restrict the acquisition of personal data to what is appropriate, relevant, and reasonably necessary in regard to the purposes for which such data is processed, as notified to the consumer, as required by the CCPA and legislation of Virginia and Colorado.

Limit Use of Data

Controllers are forbidden from processing personal data for purposes that are neither reasonably required nor consistent with the specified purposes for which such personal data is processed, unless an exemption exists, such as obtaining permission.

Responding to Consumer Requests

The requirements for responding to consumer inquiries are quite similar in Virginia and Colorado. Controllers must reply to a consumer's request without any delay, but no later than 45 days after receiving it, with the possibility of an additional 45-day extension if necessary. Consumers must be able to challenge a controller's refusal to act on a request within a reasonable timeframe using a clearly visible appeal mechanism. Controllers must notify customers in writing within 60 days of any action or inaction taken in response to the appeal, just as Virginia law requires. If the consumer's appeal is refused, the controller must provide an online facility or other option for the consumer to contact and file a complaint with the attorney general.

Contracts for Data Processing

The legislation, like most of its predecessors, requires a contract between a controller and a processor to regulate the data processing undertaken on behalf of the controller by the processor. Such contracts must explicitly state the instructions for processing data, as well as the nature and purpose of processing, the kind of data subject to processing, the length of processing, and both parties' rights and duties.

Assessments of Data Protection

Controllers must complete and document a data protection assessment for each processing activity that poses a high risk of damage to consumers.

Improved Data Security

Controllers must also create, implement, and maintain suitable administrative, technological, and physical data security procedures proportionate to the amount and kind of personal data at issue to safeguard the confidentiality, integrity, and accessibility of personal data.

Comply with Consent Requirements

The legislation bans controllers from processing sensitive data without consent. Personal data obtained from an individual the controller knows is under the age of 13 is considered "sensitive data," and must be treated in compliance with the Children's Online Privacy Protection Act. Consent must be freely granted, precise, informed, and unequivocal, and it cannot be gained by the use of dark patterns, according to the legislation. Furthermore, controllers must offer an effective way for consumers to revoke the consent that is at least as simple as the mechanism used to grant consent. The controller shall cease processing the data as soon as possible after receiving the revocation, but no later than 15 days.

Nondiscrimination

Controllers are banned from discriminating against consumers who use any of their legal rights by withholding goods or services, charging different prices or rates for goods or services, or delivering a different degree of quality of products or services.

Transparency

Connecticut's legislation, like its predecessors, requires controllers to present customers with a privacy notice that is fairly accessible, clear, and meaningful.

What Consumer Rights Does Connecticut Senate Bill 6 Offer?

The following rights are provided to consumers under this new act:

  1. The right of accessibility. Consumers have the right to know whether a controller is processing their personal data and to have access to such data. It does, however, include an exemption to this right when such confirmation or access would compel the controller to divulge a trade secret, unlike the Virginia legislation.
  2. The right to correct data. Consumers have the right to have mistakes in their personal data corrected, taking into consideration the nature of the data and the reasons for which it is being processed.
  3. The right to data portability. Consumers have the right to a copy of their personal data processed by the controller in a portable and, to the extent technically practicable, easily accessible format that allows them to send the data to another controller without difficulty, when the processing is done by automated methods, provided that the controller is not compelled to expose any trade secrets.
  4. The right to opt out of data collection. Consumers in Connecticut, like those in Virginia and Colorado, have the right to opt out of the processing of personal data for the purposes of targeted advertising or the sale of personal data.
  5. The right to remove data. Consumers also have the right to remove personal data that they have submitted or that has been gathered about them.
Exemptions Under Connecticut Senate Bill 6

If you’re concerned about being compliant with this new law, don’t worry – there’s a good chance that you’re actually exempt. Certain categories of companies and data are also excluded from the law's restrictions. The following six categories of entities are excluded from the legislation, regardless of whether the data gathered and processed would otherwise be subject to the law:

  • Local and state governments.
  • Non-profit organizations.
  • Institutions of higher learning
  • The Securities Exchange Act of 1934 established national securities organizations.
  • The Gramm-Leach-Bliley Act subjected financial institutions and data.
  • The Health Insurance Portability and Accountability Act covered entities and business partnerships.

The bill exempts data from sixteen categories, including HIPAA-regulated information, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act. Data on specific employees and job applicants are likewise excluded.

How Will This New Law Be Enforced?

The statute, like Virginia, Colorado, and Utah, lacks a private right of action, and, like Virginia, enforcement is solely in the hands of the attorney general. The attorney general must notify the controller of the infraction before taking action. The statute, like Colorado's, then provides a controller 60 days to repair the infraction, which is double the 30-day cure time allowed by California, Utah, and Virginia rules. The right to cure under the statute is similar to Colorado's in that it will no longer be needed beginning January 1st, 2025, after which the attorney general will have discretion whether or not to grant a chance to cure.

The Connecticut Unfair Commercial Practices Act defines a violation of the law as an unfair trade practice. As a result, civil fines of up to $5,000 per willful infringement may be imposed. The attorney general may also pursue equitable remedies, including as restitution, disgorgement, and injunctive relief, under the CUTPA.

Let's talk

Ready To Discuss Your Data Challenges?

you may also like

Blog

ERP Data Migration: Best Practices and Tips

ERP data migration is a significant and time-consuming operation that may lead to a number of challenges in one’s organization if not planned and executed properly and supported by automation technology.

News

Michael Roberts joins Data Sentinel as VP of Professional Services

We are thrilled to announce that Michael Roberts has joined the Data Sentinel team as Vice President of Professional Services.

Webinar

Don’t Lose Customers With Weak Privacy Protections

You know that strong privacy practices are necessary to comply with Canadian and international privacy laws, but did you consider your approach to privacy as a means to foster customer goodwill and attract investors?