On May 10, 2022, Connecticut Governor Ned Lamont signed Senate Bill 6, also known as An Act Concerning Personal Data Privacy, into law, making the Nutmeg State the fifth U.S. state to pass comprehensive consumer privacy legislation.
The law, which closely resembles the recent privacy laws passed in Utah, Colorado, and Virginia, will go into effect on July 1st, 2023, the same date as the Colorado Privacy Act (CPA), which gives businesses just over a year to prepare.
In this blog, we’ll examine the new law, its scope, the rights it guarantees for Connecticut citizens, how it compares to other state privacy laws, and what your business will need to do to stay compliant.
Key Facts About Connecticut's Privacy Law
When does the law go into effect?
Key provisions of the law will go into effect July 1st, 2023. The cure period provision will end July 1st, 2025.
What is the Scope/Application Threshold of the Law?
Connecticut's law applies to entities that conduct business or provide services targeted to Connecticut residents and meet either of the following yearly thresholds:
- Control or process the personal data of 100,000 or more consumers, excluding data collected or processed solely for payment purposes.
- Control or process the personal data of at least 25,000 consumers and derive at least 25% of gross revenue from the sale of personal data.
There are no minimum or maximum thresholds for annual revenue, and individuals "acting in a commercial or employment context" are explicitly excluded from the protection of the law.
Notably, Connecticut's law has a broad definition for the "sale of personal data," which it defines as "the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”
That means that, like California's CCPA, the applicability of the law is not limited to instances where money is directly exchanged for personal data: "other valuable consideration" can also constitute a sale. This gives Connecticut lawmakers a large degree of discretion in enforcing the law.
The law’s definition of “personal data” excludes deidentified data and publicly available information.
What Rights do Consumers Have Under Connecticut's Privacy Law?
Connecticut consumers are provided five new rights: the right to access, the right to correction, the right to deletion, the right to data portability, and the right to opt-out.
Right to Access
Connecticut consumers have the right to “confirm whether or not a controller is processing the consumer’s personal data and access such personal data.” There is an exception to this right where “such confirmation or access would require the controller to reveal a trade secret.”
Right to Correction
Connecticut consumers have the right to “correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.”
Right to Deletion
Connecticut consumers have the right to “delete personal data provided by, or obtained about, the consumer.”
Right to Data Portability
Connecticut consumers have the right to “obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller shall not be required to reveal any trade secret.”
Right to Opt-Out
Connecticut consumers have the right to “opt-out of the processing of the personal data for the purposes of:
- targeted advertising,
- the sale of personal data …, or
- profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.”
Under the law, data controllers will be required to make available “clear and conspicuous” opt-out links on their websites. Beginning Jan. 1, 2025, data controllers will be required to recognize “opt-out preference signal[s]” sent via a universal opt-out mechanism.
What Other Compliance Obligations Do Businesses Have?
Connecticut's law sets forth several obligations including purpose limitation, data security, and consent requirements. Let's break them down.
Limiting Data Collection
Data controllers must “limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.”
Limiting Data Use
Data controllers cannot process personal data for “purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed," unless an exception applies or consent has been given to do so.
Data Security Requirements
Data controllers must “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.”
While the law largely follows the "opt-out" consent framework, Connecticut's law has several opt-in consent requirements. Controllers may not process “Sensitive data” without explicit consent.
Opt-in consent is also required in order to sell, or process for targeted advertising purposes, the personal data of a consumer who is between 13 and 16 years old.
Consent, as defined by the law, must be “freely given, specific, informed and unambiguous,” and cannot be obtained through the use of dark patterns. Data controllers must “provide an effective mechanism” that allows users to revoke consent as easily as it was given.
Data controllers may not punish or discriminate against consumers who invoke their rights by “denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer.”
Controllers must provide consumers with a “reasonably accessible, clear and meaningful privacy notice.”
Are There Exemptions?
Connecticut's law exempts government entities, nonprofits, higher education institutions, national security organizations registered under the Securities Exchange Act of 1934, financial institutions subject to the Gramm-Leach-Bliley Act, and covered entities and business associates as defined by HIPAA from compliance.
How Will the Law be Enforced?
Enforcement of Connecticut's privacy law will be carried out by the state's attorney general. When a controller is found to be in violation of the law, it will be notified by the AG and will have a 60-day cure period to remediate the violation. The cure-period requirement will expire on July 1st, 2025, at which point it will be at the AG's discretion whether to provide a cure period or not.
Entities found in violation of the law will face civil penalties up to $5,000 per willful violation, and other "equitable remedies" may also be pursued by the AG.
Get Compliant with Ensighten
State privacy laws like this one are pressing new responsibilities—and penalties—on businesses and marketers. Ensighten offers organizations a solution to help build a fully compliant website and simplify compliance with Connecticut's law, as well as the UCPA, CCPA, CPA, CDPA, GDPR, and any future privacy laws.
Request a demo to see how Ensighten can help your organization meet its compliance and client-side security needs.