State Privacy Round Up: Connecticut Set to Become Fifth State to Enact Privacy Law

As predicted, 2022 has been a busy year for the U.S. privacy world. Utah’s Consumer Privacy Act, the fourth state privacy law, was signed into law on March 24, 2022. Connecticut is now likely to be the fifth state to enact its own privacy law. The Connecticut Data Privacy Act (Senate Bill 6) passed both the House and Senate in the final weeks of April, and the bill will become law with the Connecticut Governor’s signature or fifteen days after the current legislative session ends on May 4th.

Taking effect on July 1st, 2023, the Connecticut Data Privacy Act has familiar provisions to the other enacted state privacy laws, but mostly aligns with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.

Key details of the Connecticut Data Privacy Act include:
  • No private right of action; 60-day right to cure period ending on December 31, 2024
  • Applies only to controllers that meet data volume threshold (75,000 consumers or more) or data volume + revenue threshold (process data of 25,000 consumers and derive 25% of revenue from selling personal data)
  • Provides GLBA (entity and data-based), HIPAA (data-based), FCRA (data-based), and other relevant exemptions
  • Consumer rights largely align with other states and includes appeal rights
  • Controller-processor contract requirements mirror other states
  • Must provide conspicuous notice of right to opt-out of targeted advertising and sales
  • Must provide a clear and conspicuous link on the website to enable a consumer to opt out of the targeted advertising or sale of the consumer’s personal data
  • Must allow consumers to opt out of the targeted advertising or sale of the consumer’s personal data via a global opt out mechanism by January 1, 2025
  • Cannot collect sensitive personal data without first providing clear notice and obtaining the consumer’s consent (sensitive data concerning a known child must be processed in accordance with COPPA)
  • Imposes reasonable data security requirements
  • Requires data protection assessments which must be disclosed to the Connecticut Attorney General upon request
  • Includes antidiscrimination provisions but exempts loyalty/rewards programs
  • General Assembly must convene a working group to study certain topics concerning data privacy and the working group must issue a report before January 1, 2023

Privacy bills in eleven other states remain active as some legislative sessions are ending. As previously reported, the California Privacy Protection Agency continues its regulation-making activity with regulations expected by late summer or early fall. The Colorado Attorney General’s Office is soliciting informal comments on sixteen topics, including enforcement and controller and processor obligations, with stakeholder sessions and formal notice of proposed rulemaking likely coming later this year.

Businesses working to comply with adopted privacy laws in California, Colorado, Virginia, and Utah should keep an eye on these and other privacy developments and consider ways to extend their current compliance efforts to cover emerging laws.