Connecticut Poised to Become Fifth State to Enact Comprehensive Consumer Data Privacy Law

On May 4, 2022, the Connecticut legislature passed S.B. 6 entitled the “Connecticut Data Privacy Act” (CDPA) with the bill now moving to Governor Ned Lamont’s desk for signature. Although Governor Lamont is generally expected to sign the bill into law, he has 15 days to either sign the CDPA, allow it to become law upon expiration of the 15 days, or veto it. Connecticut will become the fifth state to enact comprehensive consumer privacy legislation if the bill becomes law, joining California, Virginia, Colorado, and Utah. If passed, the law would go into effect on July 1, 2023, the same day as the Colorado law.

The bill borrows elements from the laws in each of these other jurisdictions, but also contains some differences as noted below. Nonetheless, most organizations that have already taken steps to comply with the California CCPA or CPRA will find compliance with the CDPA a relatively small lift.

Applicability

If enacted the CDPA will apply to businesses that are either in Connecticut or offer products and services that are targeted towards residents of Connecticut as individuals, where the business, during the prior calendar year, met at least one of the following thresholds:

Controls or processes the personal data of 100,000 Connecticut consumers. However, unlike the other comprehensive privacy laws, the CDPA explicitly excludes personal data controlled or processed solely for the purpose of completing a payment transaction, effectively removing cardholder information subject to PCI-DSS and other similar information from its reach; or
Processes the personal information of at least 25,000 Connecticut consumers and derives over 25% of its gross revenue from the sale of personal data.

Like Virginia, Colorado, and Utah, the proposed law does not contain any financial threshold. Still, the CDPA does set the limit for deriving revenue from the sale of personal data significantly lower than the 50% generally found in the other states. And, like California, the Connecticut law defines “sale” broadly, including not only the disclosure of personal data for monetary consideration but also includes disclosures for other valuable consideration. This may result in more businesses being subject to the CDPA than a business processing an equivalent amount of personal data from residents in Colorado, Virginia, or Utah. In particular, businesses should consider their processing of personal data through analytics and advertising cookies, as these are generally considered processing for other valuable consideration. However, information disclosed at the direction of the consumer is excluded from the definition of “sale,” and controllers may be able to avoid a “sale” occurring merely as a result of the use of cookies on a website through the use of cookie consent managers and similar technologies that require the consumer to affirmatively opt-in to the use of cookies.

Exemptions

The law defines “consumers” as residents of Connecticut, but explicitly excludes individuals “acting in a commercial or employment context.” Thus, information collected in the business-to-business or employment context will not be subject to the CDPA.

The law will also exclude the following classes of organizations: (a) state and local governments; (b) non-profits; (c) higher education institutions; (d) national securities associations registered under the Securities Exchange Act of 1934; (e) financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); and (f) covered entities and business associates as defined by Health Insurance Portability and Accountability Act (HIPAA). The law exempts certain categories of data, including data covered by HIPAA, the Fair Credit Reporting Act (FCRA), Driver’s Privacy Protection Act (DPPA), and the Family Educational Rights and Privacy Act (FERPA). The law will also exempt certain data subject to laws not typically exempted from the comprehensive laws in the other states, including the Farm Credit Act and the Airline Deregulation Act.

Consumer Rights

Similar to the laws in other jurisdictions, the CDPA provides Connecticut consumers with the following rights:

Right to Access. Consumers will have the right to confirm if the controller is processing personal information about that consumer and gain access to that personal data, unless the confirmation would reveal a trade secret of the controller.
Right to Correct. Consumers have the right to correct incorrect personal data.
Right to Delete. Consumers have the right to have personal data provided by, or obtained about, the consumer deleted.
Right to Data Portability. When the controller processes the data through automated means, consumers can get a copy of their personal data in a portable and readily usable format (to the extent technically feasible) so that the consumer can transmit the data to a third party. However, controllers do not have to provide this data if it would reveal a trade secret.
Right to Opt-Out. Similar to the requirements under the CCPA’s “Do Not Sell My Personal Information” requirements where a controller sells personal data to third parties or processes personal data for targeted advertising, consumers have the right to opt-out of the processing of their personal data for the purposes of targeted advertising, sale of personal data, or profiling solely for automated decision making that produce a legal or other similar effect on the consumer. Controllers will be required to provide “clear and conspicuous” links on their website to allow consumers to opt out of this processing. In addition, beginning January 1, 2025 controllers must also recognize universal “opt-out preference signal(s)” that indicate a consumer’s choice to opt out of targeted advertising and sales. While no such signal exists to date, the signal must take precedence over any other setting.

Controllers are required to respond to consumer requests without undue delay, but in any event no later than 45 days after receipt of the request. This may be extended for an additional 45 days when necessary. Controllers are also required to provide consumers with a method to appeal refusals to comply with requests to exercise these rights, along with a method to complain to the Connecticut Attorney General if the appeal is ultimately denied.

Obligations

The CDPA also requires that controllers comply with certain obligations regarding the processing of personal data:

Data Minimization. Controllers are required to limit the collection of personal data to only what is adequate, relevant, and reasonably necessary for the disclosed purposes for which the data is processed.
Use Limitation. Unless an exception applies (such as consent from the consumer), controllers generally must limit the use of personal data to the purposes for which it was collected, and not process it for any purposes that are not reasonably necessary or compatible with the disclosed purposes.
Data Security. The CDPA requires that controllers establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. These measures must be appropriate for the volume and nature of the personal data the controller processes.
Consent for Processing “Sensitive Data.” Controllers are prohibited from processing “sensitive data” without freely given, specific, informed, and unambiguous consent of the consumer. Sensitive data includes data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship, or immigration status. Sensitive data also includes genetic or biometric data processed for the purpose of uniquely identifying the individual, personal data obtained from a consumer known to be a child, and precise geolocation data (within a radius of 1,750 feet). Controllers must also provide an effective mechanism for consumers to revoke their consent that must be as easy as the method to obtain consent and must comply with any revocation of consent as soon as practical, no more than 15 days after receipt.
Consent for Processing Data from Children. The CDPA will also require that the controller obtain consent to process personal data for targeted advertising or for the sale of personal data when the controller has actual knowledge that the consumer is between 13 and 16 years old and willfully disregards that fact.
Nondiscrimination. Controllers are not permitted to deny goods or services, charge different prices or rates for goods or services, or provide a different level of quality of goods or services to the consumer because the consumer decided to exercise any of their rights.

Privacy Notice Obligations

Like the laws in California, Colorado, Virginia, and Utah, the CDPA will require that controllers provide a clear privacy notice to consumers. The privacy notice must include:

The categories of personal data processed by the controller. However, unlike California, the categories of personal data are not defined under the CDPA.
The purposes of processing.
Information on how consumers can exercise their rights under the CDPA, and how the consumer can appeal refusals to comply with a request.
The categories of personal data shared with third parties and the categories of third parties with whom the personal data is shared.
Any sales of personal data to third parties or use of personal data for targeted advertising, together with information on how the consumer can opt-out of such use.
A valid and active email address used to contact the controller.

Data Processing Agreements

Like the other states, the CDPA will require that controllers enter into data processing agreements with processors that govern what the processor must do and not do with personal data when processing personal data on behalf of the controller. This must include clear instructions for processing the personal data, the nature and purpose of the processing, the categories of data subjects, and rights and responsibilities of the processor and controller, and the duration of the processing.

Data Protection Assessments

Controllers will be required to conduct a data protection assessment for each processing activity that has a heightened risk of harm to the consumers. The CDPA specifies that such activities include the processing of personal data for the purpose of targeted advertising, selling personal data, processing for the purpose of profiling (where the profiling presents a reasonably foreseeable risk of substantial injury to the consumer), and processing of any sensitive data.

Enforcement

The CDPA does not provide for a private right of action. While it notes that a violation of the CDPA will be considered an unfair trade practice, it appears to close the door on any potential consumer claims under Connecticut’s Unfair Trade Practices Act, as enforcement is left solely to the Connecticut Attorney General. The Attorney General is required to provide notice to the controller of any violation and, for violations prior to January 1, 2025, provide the controller with 60 days to cure the violation. After January 1, 2025, the Attorney General can provide an opportunity to cure at its own discretion. Violations may result in civil penalties under Connecticut’s Unfair Trade Practices Act of up to $5,000 for willful violations. The Connecticut Attorney General may also seek equitable remedies.

Conclusion

The CDPA will provide Connecticut consumers with similar rights regarding their personal data to the rights provided in California under the CCPA, and CPRA, Colorado, Virginia, and Utah when those laws go into effect. Companies that operate nationally and have already begin compliance efforts with these other laws will be able to utilize much of that work for the CDPA. Companies that may have otherwise not been subject to these other laws should review their operations in Connecticut and determine if they are subject to the CDPA and, if so, begin planning to be compliant with the CDPA in the 14 short months before it goes into effect.

For more information about the requirements CDPA or any other state privacy law mentioned in this article, please contact any of the partners or senior counsel in Foley & Lardner’s Cybersecurity and Privacy team.

Disclaimer

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.