ANALYSIS In the absence of any progress at the federal level, US states continue to move on consumer privacy legislation to give individuals more control and security over their sensitive personal information.
On May 10, 2022, Connecticut Governor Ned Lamont officially signed into law Public Act No. 22-15, ‘An Act Concerning Personal Data Privacy and Online Monitoring’ – more commonly referred to as the Connecticut Privacy Act (CTPA).
Connecticut thus became the fifth state to enact a comprehensive consumer privacy law and the second in 2022, following the Utah Consumer Privacy Act’s passage in March.
While the CTPA is a significant win for consumers and privacy advocates alike – especially as the law is considered much more consumer-friendly than its Utah counterpart – it also further complicates businesses’ compliance obligations around a growing patchwork of laws, each slightly different than the next.
Moreover, companies should immediately begin preparing for a number of additional laws that will go into effect in 2023.
At the same time, they should build out their compliance programs with flexibility and adaptability in mind, such that only minimal program modifications are needed when new laws are inevitably enacted in other parts of the country – likely sooner rather than later.
The CTPA will go into effect at the same time as the Colorado Privacy Act on July 1, 2023.
Scope and applicability
The CTPA applies to any entity that: (1) conducts business in Connecticut or produces products or services targeted at Connecticut residents; and (2) during the preceding calendar year: (a) controlled or processed the personal data of at least 100,000 consumers; or (b) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
Under the CTPA, ‘personal data’ means any information that is linked or reasonably linkable to an identified or identifiable individual.
Of note – in similar fashion to the CPRA, VCDPA, CPA, and UCPA – the CTPA classifies certain types of data as “sensitive data” which triggers additional compliance obligations not applicable to other, more general types of personal data.
Under the CTPA, sensitive data includes: (1) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; (2) the processing of genetic or biometric data for the purpose of uniquely identifying an individual; (3) personal data collected from a known child; or (4) precise geolocation data.
Consumer rights
The CTPA affords consumers five fundamental rights:
- Access: The right to confirm whether a controller is processing the consumer’s personal data and access to such data.
- Correction: The right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of processing it.
- Deletion: The right to delete personal data provided by, or obtained about, the consumer.
- Portability: The right to obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
- Opt-out: The right to opt out of the processing of personal data for purposes of: (1) targeted advertising; (2) personal data sales; and (3) profiling.
Privacy notices
Similar to the requirements of other new consumer privacy laws, the CTPA requires controllers to provide consumers with a reasonably accessible privacy notice that includes, among other things, the categories of personal data processed by the controller, the purposes for processing personal data, and how consumers may exercise their rights.
Data protection assessments
Under the CTPA, controllers are required to conduct and document data protection assessments (DPAs) for each data processing activity that presents a heightened risk of harm to consumers.
This could include processing personal data for purposes of targeted advertising; the sale of personal data; profiling; and the processing of sensitive data.
Before processing any sensitive data, controllers must obtain consumer consent and conduct a DPA.
Data security measures
Under the CTPA, controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
The CTPA also sets forth a range of requirements on processors of personal data, which include adhering to the instructions of a controller, assisting the controller in meeting their obligations under the CTPA, and entering into written contracts with controllers that set out instructions that bind the processor.
Liability and enforcement
The CTPA does not provide a private right of action for individuals to pursue litigation against entities for alleged violations of the law. Rather, enforcement authority rests exclusively with the Connecticut attorney general.
Companies that violate the CTPA can be subjected to civil penalties of up to $5,000 per violation.
Importantly, however, the CTPA includes a notice and cure provision that provides the opportunity for businesses to avoid enforcement actions if violations are corrected within 60 days after receiving notice of alleged non-compliance.
With that said, the mandatory notice and cure provision will only remain in force until the end of 2024. After that time, the Connecticut attorney general will have discretionary authority over whether to provide a controller with an opportunity to cure before pursuing an enforcement action against it.
Analysis and takeaways
With 10% of US states now having their own consumer privacy laws – each with their own unique requirements and restrictions – the task of compliance for companies with operations around the country (or globe) is increasingly complex.
In particular, the now-sizeable web of state laws leaves companies in a precarious position over how to best approach compliance in an efficient and cost-effective manner.
Until recently, most organizations favored either a state-by-state approach to compliance or a ‘highest common denominator’ approach, whereby the strictest state standard for each discrete compliance requirement is implemented across all jurisdictions where consumer privacy statutes are now on the books.
With a fifth state now added to the compliance equation, a third approach is emerging – with companies scrapping the piecemeal approach altogether and instead choosing to offer consumers the same rights and control over their personal information regardless of where they are located.
This uniform, nationwide approach may soon gain more popularity in the near future, as dozens of other states also introduce consumer privacy bills of their own in 2022.
Not only does this approach simplify and streamline organizational compliance burdens, it also provides the additional benefit of providing consumers in many states with greater control and protection over their personal information than is required by law.
This potentially offers a substantial competitive advantage in today’s highly competitive marketplace, especially as consumers demand greater transparency and control when it comes to how their sensitive personal information is collected, used, and protected by the companies they give their hard-earned money to.
With consumer privacy laws in California, Virginia, Colorado, Utah, and now Connecticut all set to go into effect next year, now is the time for companies to consult with experienced privacy and data strategy counsel to begin the task of determining which approach to utilize. Then they can build out their compliance programs to ensure compliance is achievable by 2023.