When the California Consumer Privacy Act of 2018 (CCPA) became law, it was only a matter of time before other states passed legislation to protect their residents’ privacy rights and consumer interests. Connecticut is about to become the fifth state with comprehensive privacy legislation, as SB 6 awaits the signature of Governor Ned Lamont after receiving overwhelming support in the state legislature.
The “Act Concerning Personal Data Privacy and Online Monitoring” (Act) will go into effect on January 1, 2023, the same day as the Colorado Consumer Privacy Act.
The Act closely follows the Virginia Consumer Data Protection Act (VCDPA) and includes the following major elements:
The Act would apply to persons who conduct business in Connecticut or produce products or services targeted at Connecticut residents and who, during the preceding calendar year, either (i) controlled or processed the personal data of at least 75,000 consumers (under the VCDPA, the threshold is at least 100,000 Virginians) or (ii) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of gross revenue from the sale of personal data (50% under the VCDPA).
Exemptions are provided under the Act at two levels: entity and data. Exempt from the Act are (i) state or political subdivision agencies, commissions, districts, etc., (ii) nonprofits, (iii) institutions of higher education, (iv) national securities associations, (v) financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA), and (vi) hospitals as defined by Connecticut law. Notably, the Act does not offer a broad, entity-level exemption for HIPAA-defined covered entities and business associates with ISO 27001 certifications.
The Act also exempts a wide range of data types, including HIPAA-protected health information and certain identifiable private information collected in connection with human subject research. In addition, the Act exempts personal data covered by the Fair Credit Reporting Act, the Driver’s Privacy Protection Act of 1994, the Family Educational Rights and Privacy Act, and other statutes. Exempt data also includes data processed or maintained (i) in the course of an individual applying to, being employed by, or acting as an agent or independent contractor, to the extent that the data is collected and used in the context of that role, (ii) as emergency contact information, or (iii) that the controller is required to retain to administer benefits for another individual relating to the individual in (i) above.
The Act, like the CCPA and GDPR, broadly defines personal data as any information that is linked or reasonably linkable to an identified or identifiable individual, but excludes de-identified data and publicly available information. The Act does, however, impose obligations on controllers that keep de-identified data. Such controllers must take reasonable measures to ensure that the data cannot be re-identified. They must also publicly commit to maintaining and using de-identified data without attempting to re-identify it. Finally, the controller must contractually bind any recipients of de-identified data to the Act’s requirements.
The Act, like the VCDPA, has a category for “sensitive data.” This includes (i) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status, (ii) genetic or biometric data processed for the purpose of uniquely identifying an individual, (iii) personal data collected from a known child, and (iv) precise geolocation data. Notably, sensitive data cannot be processed without the consumer’s consent. Sensitive data of a known child must be processed in accordance with the federal Children’s Online Privacy Protection Act (COPPA). Controllers must also conduct and document a data protection assessment for the processing of sensitive data.
The Act defines “consumer” as “any individual who is a Connecticut resident.” Individuals acting (i) in a commercial or employment context, or (ii) as an employee, owner, director, officer, or contractor of certain entities, including a government agency, whose communications or transactions with the controller occur solely in the context of that individual’s role with that entity, are not considered consumers under the Act.
Consumers will be granted the following personal data rights under the Act:
To confirm whether or not a controller is processing their personal data and to access such data;
To correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes for which it is being processed;
To delete any personal data provided by them or obtained about them;
To obtain a copy of their personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that allows them to transmit the data to another controller without hindrance, where the processing is carried out by automated means and without revealing trade secrets; and
To opt out of the processing of personal data for the purposes of (i) targeted advertising, (ii) sale, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning them.
Reasonable data security requirement. The Act expressly requires controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, appropriate to the volume and nature of the personal data at issue.
Data protection assessments. The Act requires controllers to perform data protection assessments, a new duty under the Act (as mentioned above regarding sensitive data). Controllers must conduct and document data protection assessments for specific personal data processing activities that present a heightened risk of harm to consumers.
These activities include targeted advertising, personal data sales, profiling, and sensitive data processing. Profiling activities will necessitate a data protection assessment if there is a reasonably foreseeable risk of (A) unfair or deceptive treatment of, or unlawful disparate impact on, consumers, (B) financial, physical, or reputational harm to consumers, (C) physical or other intrusions upon consumers’ solitude or seclusion, or private affairs or concerns, where such intrusion would be offensive to a reasonable person, or (D) other substantial harm to consumers.
In performing such assessments, controllers must identify and weigh the benefits that may flow, directly or indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer. Controllers must also consider how those risks are mitigated by safeguards the controller can employ. Controllers must factor in the use of de-identified data, the reasonable expectations of consumers, the context of the processing, and the relationship between the controller and the consumer whose personal data will be processed.
The Act would be enforced exclusively by the Connecticut Attorney General’s office. During the first eighteen months the Act is in effect, through December 31, 2024, controllers would be given notice of a violation and a 60-day cure period. After that, the Attorney General may grant an opportunity to cure based on factors such as the number of violations, the size of the controller or processor, and the nature of the processing operations, among others. Under Connecticut’s Unfair and Deceptive Acts and Practices (UDAP) statute, violations of the Act constitute an unfair trade practice. UDAP violations can result in civil penalties of up to $5,000, plus actual and punitive damages and attorneys’ fees. The Act expressly provides no private right of action.
Other jurisdictions are considering ways to strengthen their data privacy and security protections. Regardless of where they are located, organizations should analyze and review their data collection practices, develop comprehensive data protection programs, and invest in documented information security programs.