Connecticut Poised to Be the Next State to Pass a Comprehensive Consumer Privacy Law
Connecticut has positioned itself as the next state to pass a comprehensive privacy law aimed at protecting its residents’ rights and imposing obligations on covered entities. On April 28, 2022, the Connecticut General Assembly passed SB 6, “An Act Concerning Personal Data Privacy and Online Monitoring” (“SB 6”), which currently awaits the governor’s signature to become law. If enacted, SB 6 will take effect on July 1, 2023, with later effective dates for certain provisions. At that point, Connecticut will join California, Colorado, Virginia, and Utah among the growing number of states that have enacted such laws. Of the existing state frameworks, SB 6 is most similar to the Virginia Consumer Data Protection Act (“CDPA”) and the Colorado Privacy Act (“CPA”).
Applicability
Similar to the EU’s General Data Protection Regulation (“GDPR”), SB 6 utilizes a “controller” / “processor” distinction and imposes specific duties on controllers and processors of consumer personal data.
Under SB 6, a “controller” is defined as any “individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.” In contrast, a “processor” is defined as an “individual who, or legal entity that, processes personal data on behalf of a controller,” with the term “processing” defined as “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.”
SB 6 would apply to:
- Individuals and entities that do business in Connecticut, or that produce products or services targeted to Connecticut residents; AND
- That, in the preceding calendar year, controlled or processed the personal data of at least:
- 100,000 Connecticut residents (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
- 25,000 Connecticut residents, if the individual or entity derived more than 25% of its annual gross revenue from the sale of personal data.
Like the other state comprehensive privacy laws in effect, SB 6 provides broad exemptions for various entities and data categories, including entities and information covered by the Health Insurance Portability and Accountability Act (HIPAA); financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA); information bearing on a consumer’s creditworthiness, to the extent the activity is regulated by and authorized under the Fair Credit Reporting Act (FCRA); and government entities, nonprofits, institutions of higher education, and national securities associations. Importantly, information collected in an employment or business-to-business context is also exempt.
What is Protected
SB 6 protects the “personal data” of “consumers,” defined as residents of the state of Connecticut who are not acting in a commercial or employment context or on behalf of a business, nonprofit, or government agency. “Personal data” is defined broadly to include any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information.
The law also imposes additional requirements on a more narrowly defined category of “sensitive data,” which includes: data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; and precise geolocation data.
Consumer Rights
Subject to certain exceptions, SB 6 will grant to consumers the familiar rights to:
- Know whether a controller is processing a consumer’s personal data
- Access the personal data about such consumer maintained by the controller
- Correct inaccuracies in personal data
- Delete personal data maintained by such controller
- Obtain a copy of such personal data in a portable and readily usable format (if technically feasible)
- Opt-out of the processing of such personal data for the purposes of sale, targeted advertising, or profiling decisions that “produce legal or similarly significant effects concerning the consumer”
Beginning in 2025, consumers may exercise the right to opt out through a global, device-level setting. Specifically, SB 6 will require controllers to honor “universal opt-out” signals sent by the consumer’s web browser, allowing the consumer to opt out of all sales of personal data and targeted advertising at once rather than on a website-by-website basis.
“Sale of personal data” is defined under SB 6 as the exchange of personal data for monetary or other valuable consideration by the controller to a third party. It does not include:
- The disclosure of personal data to a processor that processes the personal data on behalf of the controller
- The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer
- The disclosure or transfer of personal data to an affiliate of the controller
- The disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party
- The disclosure of personal data that the consumer:
- Intentionally made available to the general public via a channel of mass media; and
- Did not restrict to a specific audience
- The disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition or bankruptcy or other transaction or a proposed merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the controller’s assets
“Targeted advertising” is defined under SB 6 as displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet websites or online applications to predict the consumer’s preferences or interests. It does not include: advertisements based on activities within a controller’s own Internet websites or online applications; advertisements based on the context of a consumer’s current search query or visit to an Internet website or online application; advertisements directed to a consumer in response to the consumer’s request for information or feedback; or processing personal data solely to measure or report advertising frequency, performance, or reach.
The Connecticut Attorney General is not required to adopt rules governing the universal opt-out mechanism. Honoring universal opt-out signals is optional for controllers until it becomes mandatory on January 1, 2025.
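The universal opt-out requirement described above is the one part of SB 6 that lands directly on web application code. Below is an added example (not text from SB 6 or code from any vendor) of how a controller’s request handling might honor such a signal. It assumes the signal arrives as the Global Privacy Control (GPC) request header `Sec-GPC: 1`, which is the browser-level signal in common use; SB 6 itself does not name a specific signal, so that choice is an assumption. Note that the signal covers only sale and targeted advertising, not profiling or service delivery, and that a consumer’s own opt-outs recorded through the controller’s mechanism still apply when no signal is present.

```python
"""Honor a browser-level universal opt-out signal (example code, not from SB 6).

Assumption: the signal is the Global Privacy Control header ``Sec-GPC: 1``.
The statute does not name a particular signal; GPC is used here for illustration.
"""
from dataclasses import dataclass, field
from typing import Iterable, Mapping

# Purposes a universal opt-out signal covers under the law as summarized above:
# sale of personal data and targeted advertising. Profiling is NOT covered by the
# signal and must be opted out of separately.
SIGNAL_OPT_OUT_PURPOSES = frozenset({"sale", "targeted_advertising"})


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """Return True if the request carries an active GPC signal.

    HTTP header names are case-insensitive, so match them case-insensitively.
    The GPC specification defines ``1`` as the only "signal on" value; anything
    else (``0``, empty, absent) is treated as no signal.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


@dataclass
class ConsumerPreferences:
    """Opt-outs the consumer has already recorded via the controller's own mechanism.

    Hypothetical data model for the example; a real controller would load this from
    its consent store keyed to the authenticated consumer.
    """
    opted_out: set[str] = field(default_factory=set)


def permitted_purposes(
    headers: Mapping[str, str],
    prefs: ConsumerPreferences,
    requested: Iterable[str],
) -> set[str]:
    """Return the subset of ``requested`` processing purposes the controller may pursue.

    A consumer's stored opt-outs always apply. When the universal opt-out signal is
    present, sale and targeted advertising are additionally blocked, regardless of
    what the stored preferences say (the signal is itself a valid opt-out request).
    """
    blocked = set(prefs.opted_out)
    if gpc_signal_present(headers):
        blocked |= SIGNAL_OPT_OUT_PURPOSES
    return {purpose for purpose in requested if purpose not in blocked}


def record_signal_as_opt_out(headers: Mapping[str, str], prefs: ConsumerPreferences) -> ConsumerPreferences:
    """Persist a received signal into the consumer's stored preferences.

    Persisting the opt-out means it continues to apply even on a later request from a
    browser or device that does not send the signal. Returns the updated preferences.
    """
    if gpc_signal_present(headers):
        prefs.opted_out |= SIGNAL_OPT_OUT_PURPOSES
    return prefs


if __name__ == "__main__":
    # Constructed sample request headers, as a browser with GPC enabled would send them.
    sample_headers = {"Host": "example.test", "Sec-GPC": "1", "Accept": "text/html"}
    prefs = ConsumerPreferences()
    allowed = permitted_purposes(
        sample_headers, prefs, ["sale", "targeted_advertising", "profiling", "service_delivery"]
    )
    print(sorted(allowed))  # profiling and service_delivery remain; sale and ads are blocked
```

The design point worth noting is the separation between what the signal blocks (sale and targeted advertising) and what it does not (profiling, service delivery): an implementation that treats the signal as a blanket “do not process” would over-block, while one that only consults stored preferences would silently ignore the signal from a consumer who never visited the site before.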
Consumers will also have the right to appeal a denial of a consumer request. SB 6 will require controllers who deny such requests to provide the consumer with an online mechanism or other method through which the consumer may contact the Connecticut Attorney General to submit a complaint.
Controller Obligations
Controllers must fulfill various duties to consumers under SB 6, including:
- Limiting the collection of personal data to only what is directly relevant and necessary to accomplish a specified purpose
- Providing consumers with a mechanism for revoking consent that is at least as easy as the mechanism for providing consent
- Performing a data protection assessment for each processing activity that presents a heightened risk of harm to consumers, for processing activities created or generated after July 1, 2023
- Specifying the express purpose for which data is collected and processed and refraining from processing data for unnecessary purposes or for purposes that are incompatible with the purposes to which the consumer consented
- Establishing, implementing and maintaining reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data
- Obtaining prior consumer consent before processing sensitive data
- Processing sensitive data of a known child in accordance with COPPA
- Abstaining from processing personal data in violation of state and federal laws
- Abstaining from discriminating against a consumer for exercising rights under SB 6
- Providing consumers with the right to access, delete, correct, export, and opt-out of the sale of their personal data or targeted advertising
- Publishing readily accessible, clear, and meaningful privacy notice to consumers
These obligations do not restrict a controller’s or processor’s ability to collect, use or retain data for internal purposes to:
- Conduct product research and development
- Effectuate a product recall
- Identify and repair technical errors
- Perform internal operations that are reasonably anticipated based on the consumer’s existing relationship with the controller
- Perform internal operations that are otherwise compatible with processing data in furtherance of providing a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party
Processor Obligations
Processors are required to assist the controller with meeting its obligations, adhere to controller processing instructions, and agree to specific contractual terms governing any processing performed on behalf of the controller.
Dark Patterns
SB 6 expressly prohibits obtaining consent through so-called “dark patterns,” meaning user interfaces designed to manipulate users or to impair their autonomy, decision-making or choice.
Children
SB 6 will require controllers to obtain opt-in consent before selling the personal data of, or using for targeted advertising the personal data of, a consumer the controller knows is under the age of 16. Businesses that comply with the verifiable parental consent requirements of the federal Children’s Online Privacy Protection Act (COPPA) are deemed compliant with SB 6’s parental consent requirements for children.
Enforcement
Notably, SB 6 does not include a private right of action. Rather, SB 6 will be enforced exclusively by the Connecticut Attorney General. SB 6 provides a 60-day cure period for alleged violations, but that cure period expires on December 31, 2024. Until then, the Connecticut Attorney General is required to notify an entity of an alleged violation and allow the entity 60 days following such notice to cure it. Beginning January 1, 2025, a cure period may be granted only at the discretion of the Connecticut Attorney General.
Next Steps
It is widely anticipated that the Connecticut governor will sign SB 6 into law. Entities already taking steps to comply with other state comprehensive privacy laws should begin assessing the extent to which they will be subject to SB 6’s substantive requirements as part of their privacy and data security program efforts.