Connecticut is the next in a growing list of states to pass comprehensive data privacy legislation. Last Friday, the Connecticut legislature passed, by large margins, Senate Bill 6 — which we are referring to as the Connecticut Data Privacy Act (CTDPA). The law now awaits the Governor’s signature.
The CTDPA follows the form and content of other privacy laws passed in the prior year, including the Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), and Utah Privacy Act (UPA). California, of course, passed the California Privacy Rights Act (CPRA) via ballot initiative in 2020. All of these laws will become effective in 2023.
Unfortunately for many businesses, the CTDPA contains variations on certain obligations and consumer rights that are, in some respects, more consumer friendly than the rough consensus among other state privacy laws and, in other respects, less so. Companies will need to pay close attention to these nuances in deciding how to build their privacy programs.
Here is a summary of how Connecticut’s privacy law compares to the state laws that will become effective in 2023:
Thresholds for Applicability
The CTDPA applies to persons or entities that conduct business in the state of Connecticut, or that produce products or services targeted to residents of the state, and that during the preceding calendar year:
- controlled or processed the personal data of not less than 100,000 Connecticut consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or
- controlled or processed the personal data of not less than 25,000 Connecticut consumers and derived more than 25% of their gross revenue from the sale of personal data.
This language largely mirrors that of the CPA. Unlike California’s CPRA, the CTDPA does not provide for a revenue threshold establishing automatic applicability. Unique to the CTDPA is the exclusion of personal data processed solely for the purposes of completing a payment transaction. This language was likely drafted with Connecticut’s fintech and payment processing industries in mind. Utah’s UPA remains the only state law that applies only to businesses that satisfy both a revenue threshold and impact a specified number of state consumers.
In addition to the narrow payment processing exemption, the CTDPA provides categorical exemptions for certain entities covered under federal law as well as certain types of data. The entities exempted from CTDPA coverage include (a) state agencies, (b) nonprofits, (c) financial institutions subject to the GLBA, and (d) hospitals covered under HIPAA, whether for- or non-profit. Categories of data exempted from CTDPA coverage include (a) protected health information (PHI) and data inextricably associated with PHI under HIPAA, (b) clinical trial and research data, (c) consumer credit information covered under the Fair Credit Reporting Act, and (d) information relating to employment and B2B transactions. Finally, de-identified data does not qualify as personal data subject to the Act.
The law defines “consumers” so as to exclude employees, applicants and business contacts – which is in line with the other privacy laws save for the CPRA. As noted above, the law exempts non-profits, again in line with most other states save for Colorado.
Data Minimization and Security
The CTDPA follows the role-based Controller-Processor model of the CPA, UPA, and VCDPA, under which the Controller determines the purpose of processing and the manner in which the personal data may be used. It imposes fundamental obligations on covered controllers and processors to limit the collection of personal data to what is reasonably necessary for the purposes of processing and to establish, implement, and maintain reasonable administrative, technical, and physical security measures.
Contractors and Sub-Contractors
Like the CPA, CPRA, UPA, and VCDPA, the CTDPA requires that controllers put data processing contracts in place before sharing personal data with contractors. The required elements of these contracts are largely in line with those required under the other state privacy laws. Utah is the outlier in this regard, having more limited requirements regarding the return and deletion of data at the conclusion of a contract. In contrast, Colorado and Connecticut are more restrictive, requiring a processor to notify the controller and give it an opportunity to object before sharing the controller's data with a subcontractor.
With regard to the processing of personal data relating specifically to children, the CTDPA requires that businesses comply with the requirements of the Children's Online Privacy Protection Act (COPPA). Similar to the CPRA, it also prohibits a business from selling, or processing for the purpose of targeted advertising, the personal data of a consumer known to be at least 13 but younger than 16 years of age without the consumer's express consent.
The CTDPA adopts a consumer-friendly approach to biometrics that lies somewhere between Virginia and Utah, which exclude photos from the definition of biometric data, and California, which does not specifically exclude them. The CTDPA does exclude photos from the definition of biometric data, but only where the controller does not use attributes of the photos to identify individuals.
Connecticut's law is similar to the CPA and CPRA in that it prohibits the use of "dark patterns" to obtain consent. The VCDPA and UPA do not address dark patterns, but do require that consent be freely given and informed. One notable difference between the CTDPA and other U.S. state privacy laws is that it adopts a GDPR-style requirement for the revocation of consent, expressly requiring that controllers provide an effective mechanism for a consumer to revoke the consumer's consent. This mechanism must be "at least as easy as the mechanism by which the consumer provided the consumer's consent." Further, covered businesses must cease processing the relevant data as soon as practicable, and no later than 15 days after receiving the consumer's notice of revoked consent.
Consumer Rights and Opt Outs
Like the CPRA, CPA, UPA, and VCDPA, the CTDPA establishes consumer rights in relation to personal data. Under the CTDPA, these rights include (a) the right to confirm whether personal data is being processed and to access it, (b) the right to correct inaccuracies in the data held, (c) the right to delete personal data pertaining to the consumer, (d) the right to portability, and (e) the right to opt out of (1) targeted advertising, (2) the sale of personal data, and (3) profiling in furtherance of automated decisions that produce legal or similarly significant effects. These rights are generally in line with those established under comparable state laws. The exception is the UPA, which does not provide a right to opt out of profiling.
One aspect of the CTDPA that is particularly consumer friendly is the requirement that companies recognize global opt-out signals (browser or device settings that signal a consumer's opt-out choice across websites) by January 1, 2025. This controversial requirement aligns with a similar requirement in the CPA. No other state has yet required companies to recognize global opt-out signals, although California may effectively do so via rulemaking.
No Rulemaking Authority
The CTDPA does not grant any rulemaking authority. This may be a boon to the law's implementation, allowing Connecticut to avoid the significant delays and complications California currently faces in attempting to draft and publish guiding regulations. The flip side is that businesses will have no regulations to resolve ambiguities in the statutory text before the law takes effect.
In sum, organizations already complying with the CCPA and/or preparing to comply with the CPRA, CPA, UPA, and VCDPA are unlikely to face any major surprises in complying with the new Connecticut Act. As usual, however, the devil is likely to be in the details. Small nuances in how Connecticut addresses specific issues can be impactful for particular companies. Understanding the company's data collection and sharing practices is critical to determining whether compliance with the CTDPA will require more, or fewer, compliance steps than other states.