On May 4, 2022, the Connecticut legislature passed S.B. 6 entitled the “Connecticut Data Privacy Act” (CDPA) with the bill now moving to Governor Ned Lamont’s desk for signature. Although Governor Lamont is generally expected to sign the bill into law, he has 15 days to either sign the CDPA, allow it to become law upon expiration of the 15 days, or veto it. Connecticut will become the fifth state to enact comprehensive consumer privacy legislation if the bill becomes law, joining California, Virginia, Colorado, and Utah. If passed, the law would go into effect on July 1, 2023, the same day as the Colorado law.
The bill borrows elements from the laws in each of these other jurisdictions, but also contains some differences as noted below. Nonetheless, most organizations that have already taken steps to comply with the California CCPA or CPRA will find compliance with the CDPA a relatively small lift.
If enacted the CDPA will apply to businesses that are either in Connecticut or offer products and services that are targeted towards residents of Connecticut as individuals, where the business, during the prior calendar year, met at least one of the following thresholds:
Like Virginia, Colorado, and Utah, the proposed law does not contain any financial threshold. Still, the CDPA sets the threshold for revenue derived from the sale of personal data significantly lower than the 50% generally found in the other states. And, like California, the Connecticut law defines “sale” broadly, covering not only the disclosure of personal data for monetary consideration but also disclosures for other valuable consideration. This may result in more businesses being subject to the CDPA than would be subject to the laws of Colorado, Virginia, or Utah when processing an equivalent amount of personal data from residents of those states. In particular, businesses should consider their processing of personal data through analytics and advertising cookies, as these are generally considered processing for other valuable consideration. However, information disclosed at the direction of the consumer is excluded from the definition of “sale,” and controllers may be able to avoid a “sale” occurring merely as a result of the use of cookies on a website by using cookie consent managers and similar technologies that require the consumer to affirmatively opt in to the use of cookies.
The law defines “consumers” as residents of Connecticut, but explicitly excludes individuals “acting in a commercial or employment context.” Thus, information collected in the business-to-business or employment context will not be subject to the CDPA.
The law will also exclude the following classes of organizations: (a) state and local governments; (b) non-profits; (c) higher education institutions; (d) national securities associations registered under the Securities Exchange Act of 1934; (e) financial institutions subject to the Gramm-Leach-Bliley Act (GLBA); and (f) covered entities and business associates as defined by the Health Insurance Portability and Accountability Act (HIPAA). The law exempts certain categories of data, including data covered by HIPAA, the Fair Credit Reporting Act (FCRA), the Driver’s Privacy Protection Act (DPPA), and the Family Educational Rights and Privacy Act (FERPA). The law will also exempt certain data subject to laws not typically exempted from the comprehensive laws in the other states, including the Farm Credit Act and the Airline Deregulation Act.
Similar to the laws in other jurisdictions, the CDPA provides Connecticut consumers with the following rights:
Controllers are required to respond to consumer requests without undue delay, but in any event no later than 45 days after receipt of the request. This may be extended for an additional 45 days when necessary. Controllers are also required to provide consumers with a method to appeal refusals to comply with requests to exercise these rights, along with a method to complain to the Connecticut Attorney General if the appeal is ultimately denied.
The CDPA also requires that controllers comply with certain obligations regarding the processing of personal data:
Like the laws in California, Colorado, Virginia, and Utah, the CDPA will require that controllers provide a clear privacy notice to consumers. The privacy notice must include:
Like the other states, the CDPA will require that controllers enter into data processing agreements with processors that govern what the processor must and must not do with personal data when processing it on behalf of the controller. These agreements must include clear instructions for processing the personal data, the nature and purpose of the processing, the categories of data subjects, the rights and responsibilities of the processor and controller, and the duration of the processing.
Controllers will be required to conduct a data protection assessment for each processing activity that presents a heightened risk of harm to consumers. The CDPA specifies that such activities include the processing of personal data for the purpose of targeted advertising, selling personal data, processing for the purpose of profiling (where the profiling presents a reasonably foreseeable risk of substantial injury to the consumer), and the processing of any sensitive data.
The CDPA does not provide for a private right of action. While it notes that a violation of the CDPA will be considered an unfair trade practice, it appears to close the door on any potential consumer claims under Connecticut’s Unfair Trade Practices Act, as enforcement is left solely to the Connecticut Attorney General. The Attorney General is required to provide notice to the controller of any violation and, for violations prior to January 1, 2025, to provide the controller with 60 days to cure the violation. After January 1, 2025, the Attorney General may provide an opportunity to cure at its own discretion. Violations may result in civil penalties under Connecticut’s Unfair Trade Practices Act of up to $5,000 for willful violations. The Connecticut Attorney General may also seek equitable remedies.
The CDPA will provide Connecticut consumers with rights regarding their personal data similar to those provided in California under the CCPA and CPRA, and in Colorado, Virginia, and Utah when those laws go into effect. Companies that operate nationally and have already begun compliance efforts under these other laws will be able to utilize much of that work for the CDPA. Companies that may not otherwise have been subject to these other laws should review their operations in Connecticut, determine whether they are subject to the CDPA and, if so, begin planning to be compliant with the CDPA in the 14 short months before it goes into effect.
For more information about the requirements of the CDPA or any other state privacy law mentioned in this article, please contact any of the partners or senior counsel in Foley & Lardner’s Cybersecurity and Privacy team.