Connecticut’s new consumer data privacy law: a New Haven for privacy protection? Not exactly
Connecticut is the fifth state to pass a comprehensive privacy law. Senate Bill 6, “An Act Concerning Personal Data Privacy and Online Monitoring” (“CTDPA” or “Act”), passed in both chambers of the state legislature on April 22, 2022, and April 28, 2022, respectively, and Governor Ned Lamont signed it into law on May 10, 2022. The Act will go into effect on July 1, 2023, with the exception of certain provisions. Although this is the first comprehensive data privacy law enacted by a north east state, the Act emulates the new privacy laws in Colorado and Utah, and closely resembles the business friendly Virginia Consumer Data Protection Act (“VaCDPA”) and Utah Consumer Privacy Act (“UCPA”).
-- There are numerous exceptions.
The CTDPA applies to persons that (a) conduct business in the state or (b) persons that produce products or services that are targeted to residents of Connecticut and that during the preceding calendar year:
- controlled or processed personal data of 100,000 or more consumers, though unlike the other comprehensive privacy acts, it expressly exempts personal data that is controlled or processed solely for the purpose of completing a payment transaction; or
- controlled or processed the personal data of 25,000 or more consumers and derived more than 25% of their gross revenue from the sale of personal data.
SB 6, Sec. 2.
Similar to the VaCDPA and UCPA, the CTDPA includes numerous exceptions to its scope. SB 6, Sec. 3. Also like the VaCDPA, UCPA and Colorado Privacy Act, the CTDPA expressly does not apply to personal data “processed or maintained … in the course of an individual applying to, employed by or acting as an agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role.” SB 6, Sec. 3(b)(15). In addition, the definition of consumer excludes “an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor.” SB 6, Sec. 1(7).
Like the privacy acts of California, Utah, and Virginia, CTDPA does not apply to non-profits. SB 6, Sec. 3(a)(2). Like Utah’s privacy law, the CTDPA also does not apply to a host of other organizations, like institutions of higher education, financial institutions, covered entities and business associates as defined in the Social Security Act, and governmental entities. SB 6, Sec. 3(a).
CTDPA broadly defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable individual.” SB 6, Sec. 1(18). It defines “identified or identifiable individual” as “an individual who can be readily identified, directly or indirectly.” SB 6, Sec. 1(15). “Personal data” does not include de-identified or publicly available data. SB 6, Sec. 1(18). “Pseudonymous data” is defined as “personal data that cannot be attributed to a specific individual without the use of additional information.” SB 6, Sec. 1(24).
- ENFORCEMENT AND PENALTIES
-- No private cause of action; exclusive enforcement authority with the OAG.
There is no private right of action under CTDPA. SB 6, Sec. 11(d). Rather, CTDPA provides that the Attorney General has exclusive authority to enforce violations. SB 6, Sec. 11(a). Violations of the CTDPA will constitute an unfair trade practice under Connecticut law. SB 6, Sec. 11(e).
The CTDPA also contains cure provisions. From the effective date of the Act, July 1, 2023, through December 31, 2024, if the Attorney General determines that a cure is possible, he or she may issue a notice of violation to the controller prior to initiating an action for a violation, and the controller has sixty days to cure the violation. SB 6, Sec.11(b). Beginning on January 1, 2025, however, the Attorney General must consider a number of factors, such as the number of violations, the size and complexity of the controller or processor, and the substantial likelihood of injury to the public, in determining whether to grant a controller or processor the opportunity to cure. SB 6, Sec. 11(c).
- CONSUMER DATA SUBJECT RIGHTS
-- Rights of confirmation, access, deletion, and correction.
The Act defines “controller” as “an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing data.” SB 6, Sec. 1(8). It defines “processor” as “an individual who, or legal entity that, processes personal data on behalf of a controller.” SB 6, Sec. 1(21). Like the GDPR and other privacy regimes, “processing” means “any operation or set of operations performed, whether by manual or automated means, on personal data or sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.” SB 6, Sec. 1(20). Similar to the UCPA, determining whether a person is a controller or processor with respect to a specific processing of data is “a fact-based determination that depends upon the context in which personal data is to be processed.” SB 6, Sec. 7(d).
The CTDPA grants consumers the right of confirmation, deletion, and data access. SB 6, Sec. 4(a). Unlike the UCPA, the CTDPA grants consumers the right of correction. Id. A controller shall respond within 45 days after the receipt of a request by a consumer to exercise consumer rights. SB 6, Sec. 4(c)(1). A controller must inform a consumer within 45 days of the receipt of the request of the justification for declining to take action and instructions for how to appeal the decision, and a controller must establish a “conspicuously available” process for a consumer to appeal the controller’s refusal to take action. SB 6, Sec. 4(c)(2), (d).
A consumer has the right to opt out of the processing of personal data for purposes of:
- targeted advertising;
- the sale of personal data; or
- profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
SB 6, Sec. 4(a)(5). Like the UCPA, the CTDPA has a narrow definition of “sale of personal data.” It is defined as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” SB 6, Sec. 1(26). The definition expressly exempts:
- the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
- the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
- the disclosure or transfer of personal data to an affiliate of the controller;
- the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
- the disclosure of personal data that the consumer intentionally made available to the general public via a channel of mass media; or
- the disclosure or transfer of personal data to a third party as an asset that is part of a (proposed) merger, acquisition, bankruptcy or other transaction in which the third party assumes control of all or part of the controller’s assets.
SB 6, Sec. 1(26).
- DUTIES OF A CONTROLLER
-- Nonwaivable duties of transparency, data limitation, data security, and non-discrimination.
Transparency. Controllers must provide “reasonably accessible, clear and meaningful privacy notices that include:
- the categories of personal data processed by the controller;
- the purpose for processing personal data;
- how consumers may exercise their consumer rights;
- the categories of personal data that the controller shares with third parties, if any;
- the categories of third parties, if any, with which the controller shares personal data; and
- an active electronic mail address or other online mechanism that the consumer may use to contact the controller.
SB 6, Sec. 6(c). If the controller “sells” personal data to third parties or processes personal data for targeted advertising, the controller must “clearly and conspicuously” disclose such processing and how a consumer can opt out of such processing. SB 6, Sec. 6(d). Generally, a controller may not process:
- sensitive data concerning a consumer without the consumer’s consent;
- sensitive data concerning a known child without processing such data in accordance with COPPA;
- personal data in violation of the state and federal laws that prohibit unlawful discrimination against consumers; and
- the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a control has actual knowledge, and willfully disregards, that the consumer is a least thirteen years of age but younger than sixteen years of age.
SB 6, Sec. 6(a).
Data Limitation. A controller must “limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.” SB 6, Sec. 6(a)(1). In addition, a controller must not “process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.” SB 6, Sec. 6(a)(2).
Data Security. A controller is required to “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.” SB 6, Sec. 6(a)(3).
Non-Discrimination. A controller may not discriminate against a consumer for exercising his or her rights. SB 6, Sec. 6(a).
- DUTIES OF A PROCESSOR
-- Adherence to instructions, data security and cooperation, required data processing agreements.
Instructions. Under the Act, a processor must adhere to the controller’s processing instructions. SB 6, Sec. 7(a).
Data Security. In addition, “taking into account the nature of processing and the information available to the processor,” a processor must assist the controller “in meeting the controller’s obligations in relation to the security of processing the personal data and in relation to notification of a breach security . . . of the system of the processor, in order to meet the controller’s obligations. SB 6, Sec. 7(a)(2).
Data Processing Agreements. The CTDPA provides that “[a] contract between a controller and a processor shall govern the processor’s data processing procedures with respect to processing performed on behalf of the controller.” SB 6, Sec. 7(b). The contract shall clearly set forth:
- instructions for processing data;
- the nature and purpose of processing;
- the type of data subject to processing;
- the duration of processing; and
- the rights and obligations of both parties.
SB 6, Sec. 7(b). In addition, the contract must require that the processor:
- ensure that each person processing data is subject to a duty of confidentiality with respect to the data;
- at the controller’s discretion, delete or return all personal data to the controller as requested at the end of the provision of services;
- upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor’s compliance with the obligations of the Act;
- after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to personal data; and
- allow, and cooperate with, reasonable assessment by the controller.
SB 6, Sec. 7(b)(1)-(5).