United States: Take Five: Connecticut Joins Four US States With Its Broad Consumer Privacy Legislation

On May 10, 2022, Connecticut Governor Ned Lamont signed into law the Act Concerning Personal Data Privacy and Online Monitoring (the Act or CTDPA), making Connecticut the fifth state to enact a broadly applicable consumer privacy law, following California, Virginia, Colorado, and Utah. Although the CTDPA bears substantial resemblance to those other states' consumer privacy laws—particularly the Colorado Privacy Act (CPA)—businesses should take note of key distinctions among them as they prepare for compliance with the Act, which will become effective July 1, 2023.

The Act is enforceable by Connecticut's attorney general, and, like the Utah Consumer Privacy Act (UCPA), Virginia's Consumer Data Protection Act (VCDPA), and CPA, does not empower consumers (as defined below) with a private right of action. In line with the CPA, until January 1, 2025, controllers will be afforded with a 60-day opportunity to cure a violation if the attorney general concludes a cure is possible. After January 1, 2025, the attorney general has discretion regarding whether to provide an opportunity to cure.

The Act appears to be just a first step in Connecticut's expansion of privacy regulation: the Act provides for the establishment, by September 1, 2022, of a task force, chaired by members of the state General Assembly and including representatives from business, academia, consumer advocacy groups, and the office of state attorney general, to study a range of privacy-related topics and to report, no later than January 1, 2023, on their findings and recommendations for possible expansion of the scope of the Act.

Who is Subject to the Act?

Like the VCDPA, CPA, UCPA, and Europe's General Data Protection Regulation (GDPR), the Act categorizes entities handling "personal data" as either "controllers" or "processors." Controllers are individuals or entities that determine the purpose and means of processing personal data (while it does not mean "owner," a controller is typically the entity that has rights with respect to the personal data at issue), while processors are those who process such personal data on a controller's behalf (processors are service providers or vendors). The CTDPA applies to controllers that either conduct business in Connecticut or produce products or services that are targeted to Connecticut residents and that, during the preceding calendar year, either (1) controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction,¹ or (2) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of gross revenue from the sale of personal data. Thus, unlike the California and Utah models, the Act does not reach controllers solely by virtue of an annual revenue threshold.

The "sale of personal data" is defined broadly as a controller's "exchange of personal data for monetary or other valuable consideration," but does not include disclosures: (i) to the controller's processors or affiliates, (ii) pursuant to the consumer's direction, (iii) that involve only personal data already made public by the consumer, or (iv) made as part of a transaction in which the recipient of the data acquires the data as an asset along with control over all or part of the controller's assets.

"Consumers" are residents of Connecticut, but only to the extent they are acting in a personal capacity and not as employees or job applicants of a controller/processor. Specifically, an individual is not a "consumer" with respect to personal data processed in the context of that individual's employment or in the context of the individual's representation (whether as an employee, owner, director, officer, or contractor) of an organization whose "communications or transactions with the controller occur solely within that context of that individual's role with" the organization. These exclusions are similar to those under the other four states' consumer privacy laws, and underscore the legislators' intent to focus privacy protection on the personal data individuals share for personal, family, or household purposes as opposed to what they may share for employment purposes or as the representative of a company or other organization.

What Information is Covered?

The CTDPA borrows the broad definition of "personal data" used in the UCPA, CPA, and VCDPA (and one similar to the definition in the CCPA and GDPR): "[A]ny information that is linked or reasonably linkable to an identified or identifiable individual" excluding de-identified data or publicly available information."

"De-identified data" is defined as "data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual, if the controller that possesses such data (A) takes reasonable measures to ensure that such data cannot be associated with an individual, (B) publicly commits to process such data only in a de-identified fashion and not attempt to re-identify such data, and (C) contractually obligates any recipients of such data to satisfy the criteria set forth in" these aforementioned requirements. By requiring public commitments to process such data in a de-identified fashion without attempting re-identification, and imposing legal obligations on recipients of any such data (regardless of whether they are controllers or processors subject to the Act), the CTDPA follows the approach to de-identified data adopted in each broad consumer privacy law except for the VCDPA.

"Publicly available information" is "information that (A) is lawfully made available through federal, state, or municipal government records or widely distributed media, and (B) a controller has a reasonable basis to believe a consumer has lawfully made available to the general public."

What Exemptions Apply?

Consistent with the other four states' consumer privacy laws, the Act carves out from its scope certain categories of personal data and categories of entities. The majority of these carve-outs are for information or persons regulated under other privacy regimes, such as the privacy regulations implementing the Health Insurance Portability and Accountability Act (HIPAA) (governing "protected health information"), the Fair Credit Reporting Act ("consumer report" information), the Family Educational Rights and Privacy Act (student data), and the Children's Online Privacy Protection Act (personal information collected online from children under age 13). In addition, the Act does not apply to nonprofit organizations or national securities associations registered under the Securities Exchange Act.

What Obligations Does the CTDPA Impose?

Notice and Choice. Like each of the other state privacy regimes, the CTDPA imposes a number of obligations on both controllers and processors. Specifically, controllers must provide consumers with a "reasonably accessible and clear privacy notice" that, among other things, describes the categories of personal data processed by the controller, the purpose for processing personal data, and the categories of personal data that the controller shares with third parties, if any. To the extent a controller sells personal data to third parties or processes personal data for targeted advertising, the controller is obligated to clearly and conspicuously disclose such processing as well to provide a clear and conspicuous means for consumers to opt out of such processing.

Processor Contracts. Controllers must also execute written contracts with their processors that describe the nature and purpose of the planned data processing, the type of data subject to processing, and the anticipated duration of processing. Any such contract must also require that the processor, if it engages a subcontractor to assist with the data processing,(i) provide the controller with an opportunity to object and (ii) absent an objection, bind the subcontractor to a written contract obligating the subcontractor to meet the same data protection obligations applicable to the processor with respect to the personal data.

Data Protection Assessments. Similar to the California, Colorado and Virginia state consumer privacy laws, the Act incorporates privacy by design by requiring controllers to conduct and document a data protection assessment for each of the controller's processing activities that present a "heightened risk of harm to a consumer." Examples of activities that raise heightened risks include processing personal data for purposes of targeted advertising, selling personal data, processing sensitive data (as defined below), and processing personal data for the purpose of profiling, where such profiling presents a "reasonably foreseeable risk" of unfair or deceptive treatment of or unlawful disparate impact on consumers, among other things. Such data protection assessments must identify and weigh the benefits flowing from processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer that are associated with such processing. They also must be made available to the attorney general upon request.

The CTDPA, consistent with existing broadly applicable privacy legislation, affords a special level of protection to "sensitive data." "Sensitive data" is defined as "personal data that includes (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child, or (D) precise geolocation data." Controllers may not process such data without first obtaining the consent of the consumer—in the case of children's data, the consent must be obtained from a parent or guardian in accordance with rules implementing the federal Children's Online Privacy Protection Act. This opt-in requirement for processing sensitive personal data is also imposed under the VCDPA and CPA, whereas under the UCPA and the CCPA/CPRA, a business may process sensitive personal information of a consumer unless the consumer opts out. That being said, there are several processing activities that may be undertaken without consent, even for sensitive data, assuming they fall into one of many exclusions, which include compliance with law and internal research and development.

Like the CPRA and CPA, the CTDPA explicitly excludes from the definition of "consent" any agreement obtained through the use of a "dark pattern", defined as a "user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice" and "includes, but is not limited to, any practice the Federal Trade Commission refers to as a 'dark pattern.'" As the FTC continues to ramp up efforts to aggressively protect against dark patterns,² companies should expect increased legislative and regulatory attention to these activities at both the federal and state levels.

What Rights Can Consumers Exercise Under the CTDPA?

Consistent with the other states' privacy laws, the CTDPA empowers consumers with the right to access their personal data (unless such access would require the controller to reveal a trade secret), and to have the data corrected, deleted, and/or delivered in a portable format for transmission to others. Controllers must respond to consumers' requests within 45 days and without unreasonable delay. Controllers may extend the deadline for another 45 days by informing the consumer within the initial 45-day period, if it is necessary as a result of the complexity or volume of consumer's requests. Controllers also must provide consumers with a process for appealing rejected requests.

The Act also gives consumers the right, with certain limitations, to opt out of the processing of their personal data for purposes of targeted advertising, sales, and profiling in furtherance of "solely automated decisions that produce legal or similarly significant effects concerning the consumer." By January 1, 2025, controllers subject to the CTDPA will have to incorporate a platform, technology, or other mechanism that allows a consumer to send an opt-out preference signal to the controller indicating the consumer's intent to opt out of any such processing or sale. Among other things, that platform, technology, or mechanism must not unfairly disadvantage another controller or make use of a default setting, and it must be consumer-friendly and easily usable by the average consumer.

Looking Ahead

The principal challenge posed by the Act and the other similar state privacy laws for businesses to which they apply will likely be determining how to best comply with their non-uniform provisions. Arnold & Porter has advised many companies on making such determinations with respect to applicable privacy laws in the United States and globally. The compliance dates are fast-approaching: the CPRA (which amends the CCPA) and VCDPA are effective January 1, 2023, while the CPA and CTDPA are effective July 1, 2023. The UCPA will come into force on December 31, 2023.

Footnotes

1. This exclusion will likely capture many brick and mortar businesses, including most restaurants, that solely process payment data and any other personal data (e.g., zip code, first and last name) collected in connection with that payment data to complete transactions.

2. See, e.g., the new enforcement policy issued by the FTC in October 2021, which warns companies against using dark patterns to manipulate consumers into subscription services: FTC to Ramp up Enforcement against Illegal Dark Patterns that Trick or Trap Consumers into Subscriptions.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.