Following the lead of California, Virginia, Colorado and, most recently, Utah, Connecticut has become the fifth state to pass comprehensive consumer data privacy legislation. The Connecticut legislature passed "An Act Concerning Personal Data Privacy and Online Monitoring" (referred to in this Legal Update as the "Connecticut Data Privacy Act" or "CTDPA") on April 28, 2022. Connecticut Governor Ned Lamont signed the bill (SB 6) into law on May 10, 2022, and the CTDPA will take effect on July 1, 2023. Connecticut is the second state to enact such a law in 2022, following in the footsteps of the Utah Consumer Privacy Act ("UCPA"), which was signed into law on March 24, 2022, and will take effect on December 31, 2023.

Companies that have followed the California Consumer Privacy Act ("CCPA"), the California Privacy Rights Act ("CPRA"), Virginia's Consumer Data Protection Act ("VCDPA"), the Colorado Privacy Act ("CPA") and the UCPA will find many similarities in the CTDPA. Similar to the other non-California laws, the CTDPA adopts the "controller" and "processor" nomenclature used in the EU General Data Protection Regulation ("GDPR") and does not include a private right of action for consumers to sue for potential violations. Nor does the CTDPA extend consumer rights to the employee or business-to-business context. The CTDPA grants applicable consumers certain familiar rights, including to access, correct and delete their personal data.

The CTDPA is arguably less business-friendly and more consumer-oriented than the Virginia and Utah frameworks, aligning more closely with Colorado's law and in some ways with the California model. Similar to Colorado, the CTDPA requires controllers, starting January 1, 2025, to recognize consumers' opt-out preference signals for targeted advertising and sales, a mechanism often referred to as "global opt-out." (In California, once the CPRA takes effect, businesses will have the option, but not the obligation, to recognize opt-out preference signals, while Utah and Virginia have no global opt-out provisions.) The CTDPA does not require controllers to authenticate consumer opt-out requests; rather, controllers may deny opt-out requests if it is unreasonably burdensome to associate the request with the personal data. Like California and Colorado, the CTDPA grants consumers the right to opt out of personal data sales, targeted advertising, and profiling, and the CTDPA's definition of "sale" is similarly broad.[1] Also, like California and Colorado, the CTDPA's right for controllers to cure violations has an expiration date (December 31, 2024).

Notably, the CTDPA does not authorize the Connecticut Attorney General ("CT AG") to engage in rulemaking, although future rulemaking from Colorado and California on similar provisions may influence the interpretation of such provisions in the CTDPA. Similar to Colorado and Virginia, the CTDPA requires opt-in consent for the collection and processing of "sensitive data";[2] however, the CTDPA also requires controllers to provide a mechanism for consumers to revoke this consent. Also, the CTDPA takes a hard line on children's data, requiring controllers to obtain consent to sell the personal data of a consumer between the ages of 13 and 16 or to process that data for targeted advertising.

Scope

The CTDPA applies to for-profit entities that conduct business in Connecticut—or produce products or services targeted to Connecticut residents—and that in the preceding year controlled or processed[3] the personal data of:

  1. At least 100,000 Connecticut residents or

  2. At least 25,000 Connecticut residents and derived over 25 percent of gross revenue from selling personal data

The CTDPA protects "consumers," and covered businesses are referred to as "controllers" or "processors."[4]

The CTDPA does not apply to personal data collected in an employment or business-to-business context. "Personal data" is defined as information "linked or reasonably linkable to an identified or identifiable individual" and does not include de-identified data or publicly available information. Covered entities are not required to re-identify de-identified or pseudonymous data in order to comply with the statute.

Exemptions

Like the other comprehensive state laws, the CTDPA contains exemptions. In addition to not applying to entities that do not meet the size threshold, the CTDPA's obligations do not apply to state government agencies, covered entities and business associates regulated by the Health Insurance Portability and Accountability Act ("HIPAA"), financial institutions regulated by the Gramm-Leach-Bliley Act ("GLBA"), non-profits and institutions of higher education.


Footnotes

1. "Sale of personal data" is defined as the exchange of personal data for monetary or other valuable consideration by the controller to a third party. 

2. "Sensitive data" is defined as personal data that includes (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child, or (D) precise geolocation data.

3. "Process" is defined as an operation or set of operations performed on personal data, such as collection, use, storage, disclosure, analysis, deletion or modification. 

4. "Consumer" is defined as an individual who is a resident of Connecticut. "Controller" is defined as an individual or legal entity that alone or jointly with others determines the purpose and means of processing personal data. "Processor" is defined as an individual or legal entity that processes personal data on behalf of a controller. 


© Copyright 2020. The Mayer Brown Practices. All rights reserved.
