Connecticut is poised to become the fifth state to pass comprehensive consumer privacy legislation, after California, Virginia, Colorado, and Utah. Senate Bill 6, the Connecticut Data Privacy Act ("CTDPA"), passed the Connecticut House of Representatives on April 28, 2022, after clearing Senate approval on April 20. Once enacted, most provisions of the CTDPA would take effect on July 1, 2023.

The CTDPA would impose data protection obligations on businesses that process personal data of Connecticut residents. It would also afford Connecticut residents the rights to access, correct, delete, and opt out of sales of personal data. Enforcement would be handled by the Connecticut Attorney General. The law does not contain a private right of action.

Who Must Comply with the CTDPA?

Entities conducting business in Connecticut or targeting Connecticut consumers with their products or services would be subject to the CTDPA if, during the preceding year, they:

  1. controlled or processed the personal data of at least 75,000 consumers, or
  2. controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.

Several types of entities would be exempt, including state agencies and divisions, non-profit organizations, higher education institutions, registered national securities associations, financial institutions already regulated by the Gramm-Leach-Bliley Act, and entities regulated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

What Data Does the CTDPA Protect?

The CTDPA would protect "personal data," defined as "information that is linked or reasonably linkable to an identified individual or an identifiable individual." Personal data does not include deidentified data, aggregated data, or publicly available information.

As with other state consumer privacy laws, the CTDPA would exempt several categories of data already regulated under sector-specific federal laws, including, among others: (1) certain health, health care, patient, clinical trial, and research subject information protected by other federal laws (including HIPAA); (2) personal data governed by the Driver's Privacy Protection Act of 1994; (3) personal data regulated by the Family Educational Rights and Privacy Act of 1974; (4) personal data governed by the Farm Credit Act of 1971; and (5) certain employee information.

What Are a Business's Obligations Under the CTDPA?

The CTDPA would require businesses to include certain required provisions in contracts with vendors and service providers. Businesses must also implement reasonable data security practices to safeguard personal data. The CTDPA also tracks the Virginia, Colorado, and California privacy laws (and the EU General Data Protection Regulation) in requiring businesses to conduct data protection assessments of any processing activity that presents a heightened risk of harm to a consumer. Such activities include targeted advertising, sales of personal data, processing sensitive personal data, or profiling consumers in ways that present "a reasonably foreseeable risk of adverse impact or harm to Connecticut residents."

The CTDPA would require businesses to obtain consumers' opt-in consent before collecting and processing "sensitive personal data," including biometric data. The CTDPA defines "sensitive data" to include personal data that reveals a person's racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, medical history, genetic or biometric information, or precise geolocation, and personal data about a child. Notably, photographs, video and audio recordings are not considered biometric data unless such data is generated to identify a specific individual. Businesses knowingly collecting data about a child under 13 must obtain parental consent. Further, the CTDPA requires businesses to obtain opt-in consent from children known to be between 13 and 16 before selling their personal data or using it for targeted advertising.

A business would also be required to create or update its privacy policy to describe its privacy practices, the rights available to Connecticut residents, and the mechanism for residents to exercise those rights. In particular, the CTDPA would require businesses to provide a link on their websites enabling residents to opt out of any processing of the residents' personal data for targeted advertising or sale.

What Rights Do Connecticut Residents Have Under the CTDPA?

The CTDPA would give Connecticut residents the rights to notice, access, correction, deletion, and data portability. Businesses would also have to create a process for consumers to appeal denials of such requests. As with other state consumer privacy laws, the CTDPA would give consumers the right to opt out of the use of their information for targeted advertising, sale, or automated profiling producing "legal or similarly significant effects concerning the consumer."

How do the Rights and Obligations Under the CTDPA Compare to Those in Other States?

Connecticut would join three other states (Virginia, Colorado, and Utah) in adopting consumer privacy laws that build on the model first proposed, although not passed, in the Washington Privacy Act and later enacted in the Virginia Consumer Data Protection Act (VCDPA). Connecticut, like Colorado, creates a robust opt-out framework with multiple choices: it provides consumers with opt-out rights, requires an easy-to-exercise right to revoke consent for processing sensitive personal information, and requires businesses to recognize opt-out signals (such as browser signals) for targeted advertising and sales of personal data by January 2025. It contains the broad right of deletion found in the VCDPA, extending both to data the individual has provided to the business and to data obtained from other sources.

The CTDPA does not include the right to opt out of the "sharing" of personal data or the significantly broader definition of "sensitive personal information" found in California privacy laws. And, in contrast to California and Colorado, the CTDPA does not grant rulemaking authority to any state agency.

How is the CTDPA Enforced?

The Connecticut Attorney General would have exclusive authority to enforce the CTDPA. The Attorney General may permit businesses a 60-day cure period for any alleged violation if it determines that a cure is possible. This right to cure will sunset on December 31, 2024. Beginning January 1, 2025, the Attorney General may, at its discretion, provide an opportunity to cure, taking into consideration (1) the number of violations, (2) the size and complexity of the business in question, (3) the nature and extent of the relevant processing activities, (4) the substantial likelihood of injury to the public, and (5) the safety of persons or property.

Next Steps

The Connecticut legislative session adjourned on May 4, 2022, and the bill is before Governor Ned Lamont for signature. It will become law when signed or, if not signed, 15 days after the legislative session adjourned.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.