On April 28, 2022, the Connecticut General Assembly passed SB 6, the Act Concerning Personal Data Privacy And Online Monitoring (the “Connecticut Privacy Act”) by a vote of 144-5, which puts Connecticut on course to become the fifth state to enact a comprehensive data privacy law, following California, Virginia, Colorado, and Utah. The bill, which passed the state senate 35-0, now awaits the signature of Governor Ned Lamont. If it becomes law, the bulk of the statute is set to take effect July 1, 2023.

The bill passed by the Connecticut legislature closely follows the structure of similar laws enacted in other states, giving support to the Colorado legislature’s claim that “states across the United States are looking to [the Colorado Privacy Act, enacted in 2021] and similar models to enact state-based data privacy requirements and to exercise the leadership that is lacking at the national level.” One of the Connecticut bill’s sponsors and its key proponent in the state senate, Sen. James Maroney, compared the legislation to Colorado’s statute, saying that both SB 6 and the Colorado law are less aggressive than the California Consumer Privacy Act (“CCPA”) but provide more privacy protections than similar bills passed by other states.

Scope

The bill borrows from other states in limiting applicability to businesses which meet a certain threshold, but like the Colorado and Virginia models, there is no threshold based on revenue alone. The statute would apply to those conducting business in Connecticut or producing products or services that are targeted to residents of Connecticut. In either case, the law would apply to businesses if, during the preceding calendar year, they either

  • controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • controlled or processed the personal data of at least 25,000 consumers and derived more than 25 percent of its gross revenue from the sale of personal data.

Certain entities and information are also excluded from the reach of the legislation. This primarily includes entities that are already subject to a privacy regime under federal law, such as covered entities or business associates under HIPAA (the Health Insurance Portability and Accountability Act of 1996) and financial institutions subject to the Gramm-Leach-Bliley Act, which are entirely exempted at the entity level. There are also exemptions for identifiable private information regarding human subjects covered by various federal regulatory regimes, various other healthcare-related information, and information governed by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act of 1994, FERPA (the Family Educational Rights and Privacy Act), the Farm Credit Act, and the Airline Deregulation Act. Information collected and used for employment or benefits purposes and emergency contact information are also excluded from the bill.

Enforcement

Like similar state laws that have passed, the Connecticut bill does not create a private right of action that would allow consumers to enforce the statute directly. Instead, the state attorney general is charged with pursuing entities that fail to comply. In this regard, the Connecticut bill joins the Utah, Colorado, and Virginia statutes in expressly rejecting private litigation as a privacy enforcement tool. As with the Colorado law, until January 1, 2025, prior to any enforcement action, controllers must be given a sixty-day opportunity to cure a violation if the attorney general concludes that a cure is possible.

Controllers and Processors

Like the privacy statutes in Virginia, Colorado, and Utah—as well as the EU’s General Data Protection Regulation (“GDPR”)—the Connecticut Privacy Act categorizes entities handling personal data as either “controllers” or “processors” [the CCPA has a similar concept in its categorization of “businesses” and “service providers”]. A controller is an individual or entity that “alone or jointly with others determines the purpose and means of processing personal data.” A processor, on the other hand, is an entity that “processes personal data on behalf of a controller.” Processors’ obligations flow through the controller; they must comply with the controller’s instructions and contractual restrictions and provide information and other assistance necessary to show the controller that the processor is compliant.

As is the case in other comprehensive privacy laws that have passed, controllers face more substantial direct obligations. For example, subject to certain exemptions for compliance with law and internal business purposes, controllers must permit consumers to exercise certain data subject rights with regard to personal data collected about them, including the right to

  • access personal data processed by the controller;
  • correct inaccuracies in personal data;
  • request deletion of personal data;
  • obtain a copy of the personal data, in a format that is readily transmissible to another controller; and
  • opt out of the processing of personal data for the purposes of targeted advertising, sales of personal data, or profiling related to certain automated decision-making.

Controllers must respond to consumers’ requests within 45 days and without unreasonable delay. If necessary due to the complexity or number of a certain consumer’s requests, controllers can extend the deadline an additional 45 days by informing the consumer within the initial 45-day period. Controllers must also provide consumers a process for appealing rejected requests.

In addition, controllers must

  • limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
  • maintain reasonable and appropriate information security safeguards for personal data;
  • avoid processing sensitive data without the consumer’s consent;
  • provide a clear, accessible privacy notice that includes certain disclosures;
  • conduct a data protection assessment for processing activities that create “a heightened risk of harm to a consumer;”
  • provide an effective mechanism for a consumer to revoke consent (and comply with the revocation of consent within fifteen days of such request); and
  • avoid discriminating against consumers for exercising their rights under this statute.

Sensitive Information

Like several other privacy regimes, the Connecticut Privacy Act applies heightened protections to certain information. This “sensitive data” includes information about racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data used for identification; information collected from children; and geolocation data. Processing sensitive data requires consent from the consumer and automatically presents a heightened risk of harm to a consumer, triggering the data protection assessment requirement.

Dark Patterns

The Connecticut Privacy Act follows Colorado’s statute in explicitly invalidating consent obtained through the use of a “dark pattern”—defined as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice.” Dark patterns, a term that has recently begun to receive substantial governmental attention, will likely evolve in coming years, and the act explicitly includes in its definition any practice to which the FTC has referred as a dark pattern.

Authorized Agent and Global Privacy Control

Like other state privacy laws, the act permits a consumer to designate another party as the consumer’s authorized agent and to opt out of personal data processing on that consumer’s behalf. Such designation can also be done through technical means, “including, but not limited to, an Internet link or a browser setting, browser extension or global device setting, indicating such consumer’s intent to opt out of such processing.”

This provision could give legal effect to standards such as the Global Privacy Control signal (GPC), which is intended to indicate the user’s decision to opt out of information sales or sharing under applicable privacy laws in an automatic and uniform fashion. Although it is not explicitly mentioned in the legislation, the GPC is already recognized as a valid method by which consumers may opt out of the sale of their personal information in California, and broader legal recognition of the standard could represent a major change given the opt-out regimes created by state privacy laws. Because the GPC can be configured to be sent automatically by the user’s browser, the signal can functionally create an opt-in regime with regard to that particular user. The deadline for compliance with the obligation to heed such indicators extends to January 1, 2025, presumably to allow time to modify information systems to interpret the signal and respond appropriately.
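The following is an added example, not code from the article or from any named system, of how a server could interpret the GPC signal described above. The GPC specification conveys the user’s choice as the HTTP request header `Sec-GPC: 1`; the purpose names, the shape of the stored-preference record, and the mapping of the signal to the act’s “sale” and “targeted advertising” opt-outs are assumptions made for illustration.

```javascript
// Added example (not from the article): server-side handling of the Global
// Privacy Control (GPC) signal. Per the GPC specification the browser sends
// the request header "Sec-GPC: 1" when the user has enabled the setting; any
// other value, or no header at all, means no signal was sent. The purpose
// names and preference-record shape below are assumptions for illustration.

// Purposes the article says a consumer may opt out of under the act.
const OPT_OUT_PURPOSES = ["targeted_advertising", "sale", "profiling"];

// Purposes the GPC signal is treated as covering here (assumption: the
// signal expresses a "do not sell or share" choice, not a profiling choice).
const GPC_COVERED_PURPOSES = new Set(["targeted_advertising", "sale"]);

// Returns true only when the request carries a valid GPC signal.
// HTTP header names are case-insensitive, so normalize before comparing.
function hasGpcSignal(headers) {
  const entry = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "sec-gpc"
  );
  // The only value the specification defines is "1"; anything else is ignored.
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Decide, per purpose, whether the consumer is opted out for this request.
// storedPrefs: the consumer's previously recorded choices (true = opted out).
// The effective state is the union of the stored opt-outs and the signal:
// a GPC signal adds opt-outs but never flips a recorded opt-out back to
// opt-in, which is what lets the signal act as a de facto opt-in regime.
function effectiveOptOuts(headers, storedPrefs = {}) {
  const signalPresent = hasGpcSignal(headers);
  const result = {};
  for (const purpose of OPT_OUT_PURPOSES) {
    const viaSignal = signalPresent && GPC_COVERED_PURPOSES.has(purpose);
    result[purpose] = Boolean(storedPrefs[purpose]) || viaSignal;
  }
  return result;
}

// Constructed sample request headers (not captured from any real system).
const sampleHeaders = {
  Host: "example.test",
  "Sec-GPC": "1",
  "User-Agent": "constructed-sample",
};

// The consumer had only opted out of profiling; the signal adds the rest.
const decision = effectiveOptOuts(sampleHeaders, { profiling: true });
// decision → { targeted_advertising: true, sale: true, profiling: true }
console.log(JSON.stringify(decision));
```

In a real deployment the result of `effectiveOptOuts` would gate the code paths that share data with advertising partners, and the decision (signal present or not, source of each opt-out) is worth recording per request so the controller can show, if asked, that the signal was honored.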

Protections for Children

Like other state law models, the Connecticut Privacy Act extends special protections to minors. Under federal law, knowingly collecting information from children under the age of thirteen is only permitted with parental consent. The Connecticut bill picks up where federal law leaves off, requiring the minor’s consent for certain processing activities if the minor is between the ages of thirteen and sixteen.

* * *

The Connecticut Privacy Act is only further evidence of the momentum among states to pass comprehensive privacy laws that reflect a European approach to privacy through the lens of U.S. state law practices. Other state legislatures are currently considering similar comprehensive privacy bills. We are closely tracking developments in these states. Subscribe to RopesDataphiles.com for updates.