Connecticut Governor Signs Fifth Comprehensive National Consumer Data Privacy Act | Hudson Cook, LLP
On May 10, 2022, Connecticut Governor Ned Lamont signed into law Senate Bill 6 (the “Connecticut Data Privacy Act” or “CTDPA”). The CTDPA takes effect on July 1, 2023.
By enacting the CTDPA, Connecticut becomes the fifth state in the nation to adopt a generally applicable consumer data privacy law, following the California Consumer Privacy Act and California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act and the Utah Consumer Privacy Act. Although the CTDPA is similar to these other state laws, small differences between them can have a large and variable impact on a company’s data processing, because the obligations these laws impose turn so heavily on the specific facts. The growing number of states passing data privacy laws raises the stakes for businesses. Business attorneys should continue to monitor developments in other states, including regulatory developments in California related to the changes to its data privacy law scheduled for January 2023.
The CTDPA applies to persons who (A) conduct business in Connecticut, or (B) produce products or services for residents of Connecticut, and who, during the preceding calendar year, (1) controlled or processed the personal data of at least 75,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or (2) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data. The CTDPA applies to information that is linked or reasonably linkable to an identified or reasonably identifiable individual. The law also provides special protections for sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status. Sensitive data also includes genetic data or biometric data processed for the purpose of uniquely identifying an individual, as well as precise geolocation data. The CTDPA uses a broader definition of “biometric data” than other state laws.
However, the CTDPA does not apply to, among other things:
- financial institutions or data subject to Title V of the federal Gramm-Leach-Bliley Act;
- certain activities regulated by the Fair Credit Reporting Act;
- de-identified data; or
- certain publicly available information.
The CTDPA also does not limit a controller’s or processor’s ability to comply with other laws, engage in certain fraud prevention and detection and security activities, or engage in certain internal processing uses, among other limited activities.
The CTDPA offers consumers a number of rights related to their personal data. Under the CTDPA, consumers have the right to:
- confirm whether or not a controller (the person who determines the purpose and means of processing personal data) is processing personal data;
- access their personal data;
- correct inaccuracies in their personal data;
- delete the personal data that the consumer has provided or that the data controller has obtained about the consumer;
- obtain a portable copy of the personal data that the consumer has previously provided to the controller in a format that is easily usable and allows the consumer to transmit the data to another controller without hindrance; and
- object to the processing of personal data for (1) targeted advertising, (2) the sale of personal data or (3) profiling for the purpose of solely automated decisions producing legal or similar effects concerning the consumer.
The first five rights listed above do not apply to pseudonymous data, provided that the controller is able to demonstrate that any information necessary to identify the consumer is kept separately and is subject to technical and organizational controls that prevent the controller from accessing that information. “Pseudonymous data” is defined by the CTDPA as personal data that cannot be attributed to a specific individual without the use of additional information, provided that such additional information is subject to the safeguards described above.
The CTDPA also requires controllers to adopt and offer, by July 1, 2025, a platform, technology or mechanism that allows consumers to opt out by means of an opt-out preference signal sent to the controller, indicating the consumer’s intent to opt out of the sale of personal data or of the processing of personal data for the purpose of targeted advertising.
OBLIGATIONS OF THE CONTROLLER
The CTDPA imposes different obligations depending on whether the company is a controller or a processor (the entity processing personal data on behalf of the controller). Therefore, a business will need to analyze whether it is acting (under CTDPA definitions) as a controller or a processor when engaging in any processing of personal data.
Under the CTDPA, controllers must, among other things:
- provide a privacy notice containing specific information, including the categories of personal data processed, the purposes for which the personal data is processed, how a consumer can exercise a right, the categories of personal data the controller shares with third parties, the categories of third parties with whom the controller shares personal data, an active e-mail address the consumer can use to contact the controller and, where the controller sells personal data or processes personal data for the purpose of targeted advertising, a clear and conspicuous disclosure of how a consumer can opt out;
- establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data, appropriate to the volume and nature of the personal data involved;
- not process sensitive data without first obtaining the consumer’s consent or, in the case of a child, without processing the data in accordance with the federal Children’s Online Privacy Protection Act, 15 U.S.C. §§ 6501 et seq., which sets specific standards for adequate consent;
- provide an effective mechanism for the consumer to revoke consent that is at least as easy as the mechanism by which the consumer gave consent and, upon revocation of that consent, cease processing the data as soon as practicable, but no later than fifteen days after receipt of the request;
- not process a consumer’s personal data for the purpose of targeted advertising, or sell the consumer’s personal data, without the consumer’s consent where the controller has actual knowledge, or willfully disregards, that the consumer is at least thirteen but younger than eighteen years of age;
- not discriminate against a consumer for exercising a right by denying a good or service to the consumer, charging the consumer a different price or rate for a good or service, or providing the consumer a different level of quality of a good or service; and
- establish a process by which a consumer may appeal the controller’s refusal to act on a request to exercise consumer rights.
The CTDPA also requires controllers to perform and document data protection assessments when carrying out data processing that presents an increased risk of harm to a consumer. Processing that poses an increased risk of harm to the consumer includes:
- processing of personal data for the purpose of targeted advertising;
- sale of personal data;
- processing of personal data for profiling purposes, where such profiling presents a reasonably foreseeable risk of certain types of harm to consumers; and
- the processing of sensitive data.
A processor must follow the controller’s instructions and must assist the controller in fulfilling its obligations, including obligations related to data security and breach notification, and must provide the information necessary to enable the controller to conduct and document data protection assessments. The processor must also ensure that each person processing personal data is subject to a duty of confidentiality.
The CTDPA imposes requirements for contracts between controllers and processors as well as requirements for the engagement of subcontractors, including a written contract requiring the subcontractor to meet the processor’s obligations with respect to personal data.
The Connecticut Attorney General has exclusive authority to enforce the CTDPA. From July 1, 2023 through December 31, 2024, the Attorney General must issue a notice of violation to the controller if the Attorney General determines that a cure is possible. The controller will then have sixty days to cure the violation. From January 1, 2025, the Attorney General will have discretion to decide whether to grant a controller or processor the opportunity to cure an alleged violation, taking into account the number of violations, the size and complexity of the controller or processor, the nature and extent of the controller’s or processor’s processing activities, the substantial likelihood of injury to the public, and the safety of persons or property. A violation of the CTDPA constitutes an unfair trade practice. Penalties for engaging in an unfair trade practice include a cease and desist order, civil penalties of up to $5,000 for willful violations and, in private litigation, actual and punitive damages as well as costs and attorneys’ fees.
The CTDPA does not provide a private right of action for consumers.
©2022. Published in Business Law Today, June 16, 2022, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.