Connecticut becomes fifth state to enact comprehensive privacy requirements
On May 10th, Connecticut joined California, Virginia, Colorado, and Utah in enacting comprehensive privacy legislation.
The Connecticut Data Protection Act (“CTDPA”) layers onto an increasingly complex state legislative landscape and will take effect on July 1, 2023, giving businesses just over a year to account for the areas where the new Connecticut law differs from the other current and pending U.S. state laws. In advance of the July 2023 deadline, businesses should evaluate their current privacy programs, update their 12-month compliance roadmaps, and implement new measures to address the multiple new privacy laws taking effect in 2023. Below, we suggest action items that businesses should consider when updating their privacy programs to account for the new state law.
Connecticut’s New Privacy Law is Similar to Colorado’s and Other States’ Privacy Laws
Businesses will welcome the fact that the CTDPA significantly overlaps with the Colorado Privacy Act (“CPA”), also set to take effect on July 1, 2023. The CTDPA also shares key similarities with the Virginia Consumer Data Protection Act (“VCDPA”), which will go into effect on January 1, 2023, and the Utah Consumer Privacy Act (“UCPA”), which will go into effect on December 31, 2023. The CTDPA, CPA, UCPA, and VCDPA all generally adopt similar approaches, but there are material distinctions that set each law apart, described further below. Overall the CTDPA, like the CPA, appears more consumer-friendly than the VCDPA and the UCPA. To a lesser extent, the CTDPA also shares certain core commonalities with the California Consumer Privacy Act (“CCPA”) and the California Privacy Rights Act (“CPRA”), set to take effect on January 1, 2023.
Below is a list of some key provisions of the CTDPA:
- Core Privacy Rights: The CTDPA will give Connecticut residents the right to access their personal data, obtain a portable copy of their personal data, correct or update their personal data, request deletion of their personal data. This is in line with the CPRA, VCDPA, CPA, and UCPA, except that the UCPA does not offer a correction right.
- Targeted Advertising, Sales, Automated Decision-Making: CTDPA also allows Connecticut residents to opt-out of the processing of their personal data for purposes of: (i) targeted or behavioral advertising, (ii) sales of personal data, and/or (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. Note that the CTDPA defines “sale” as the exchange of personal data for “monetary or other valuable consideration” [emphasis added]. This definition mirrors the California and Colorado definitions of sale, and it is more expansive than the Virginia and Utah frameworks (which only allow for monetary consideration to trigger a sale). As such, Connecticut, Colorado, and California expand the universe of data flows that may be subject to the sale opt-out right. The CTDPA, like the CCPA/CPRA, is somewhat unique in that it allows businesses to honor a sale opt-out without first requiring verification of the requester’s identity.
- Global Privacy Controls: Connecticut takes a more aggressive tack with regard to global privacy controls, similar to Colorado’s approach. Both the CTDPA and the CPA will require businesses to recognize, as a valid opt-out of sales and targeted advertising, a user-selected universal opt-out mechanism. These requirements will be phased in under both states’ laws: beginning on July 1, 2024, in Colorado and beginning on January 1, 2025, in Connecticut. The requirements related to global privacy controls in California are less clear at present, since the CCPA, CPRA, and California Attorney General letters offer somewhat conflicting views of the requirement. CPRA rulemaking may clarify this ambiguity.
- Deadlines to Respond: Businesses must either honor or decline privacy requests under the CTDPA within 45 days of receipt (extendable to 90 days under certain circumstances). This is in line with California, Virginia, Colorado, and Utah law (except that California law requires sale opt-outs to be honored within 15 business days).
- Appeals Right: Like the CPRA, VCDPA, and CPA, the CTDPA requires that businesses create a process for consumers to appeal a denial of a request and to timely review such appeal. Only the UCPA does not require businesses to provide an appeal right in the event the business declines to honor a request.
- Sensitive Data: The CTDPA, like the VCDPA and CPA, will require prior opt-in consent to process “sensitive data” (defined under the CTDPA to mean personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data). This is more privacy-protective than the CPRA, which will give consumers the ability to limit the use and disclosure of sensitive data to only those uses which are necessary for providing the requested services/products to a consumer. Connecticut’s opt-in requirement is also more privacy-protective than the UCPA, which gives consumers an opt-out right for processing sensitive personal data.
- Applicability Thresholds: The CTDPA’s applicability to businesses will be subject to data processing thresholds. Specifically, the CTDPA will apply to any “controller” or “processor” that conducts business in Connecticut or produces products or services that are targeted to Connecticut residents and either: (a) controls or processes the personal data of at least 75,000 Connecticut residents in a year or (b) derives over 25% of its gross revenue from the “sale” of personal data and controls or processes the personal data of at least 25,000 Connecticut residents. Recall that in comparison the UCPA also requires a minimum revenue threshold for the law to apply.
- Exemptions for Other Privacy Laws: The CTDPA will exempt personal data that is already subject to other laws like HIPAA, Gramm-Leach-Bliley, or FERPA, in line with other state laws.
Employment Data and B2B Data is Not Covered
The CTDPA will not apply to personal data collected in the employment context or the B2B / commercial context, to the extent that the data is used within the context of those roles. This is in line with Virginia, Colorado, and Utah. As we have reported previously, the applicability of California law to employment-related personal data and B2B data is still pending the outcome of proposed legislation currently in the State Assembly. Under the CPRA, the CCPA’s exemptions for employment data and B2B data are scheduled to sunset after December 31, 2022. Two bills have been offered to extend that sunset for three more years or make the employee and B2B exemptions permanent.
Regulatory Enforcement, No Private Right of Action, Cure Period
Like the other pending state privacy laws, the CTDPA will not have a private right of action for general non-compliance or failure to honor privacy rights requests. Instead, it will be enforceable by the state’s attorney general.
The CTDPA will provide businesses with an initial 60-day right to cure alleged non-compliance before the attorney general may pursue enforcement actions. However, the right to a cure period under the CTDPA will sunset after 18 months (ending on December 31, 2024). Colorado law also sunsets the right to a cure period on the same timeline as Connecticut. California law, which provides a 30-day cure period before possible regulator enforcement, will no longer guarantee an opportunity to cure once the CPRA takes effect on January 1, 2023. This means that regulators in California, Colorado, and Connecticut will be able to more easily undertake multi-state enforcement actions against businesses that violate comparable provisions of the three states’ laws.
No Rulemaking Process, Privacy Working Group
The CTDPA does not authorize regulatory rulemaking. This means that unlike the CPRA and CPA, which will both be reviewed, modified, and clarified through administrative rulemaking, the CTDPA will remain as-drafted unless and until the legislature adopts, and the governor signs, amendments to the law. Meanwhile, the CTDPA establishes a privacy working group that must study certain topics concerning data privacy and issue a report of its findings and recommendations to the legislature by January 1, 2023. This is a very short window of time for the working group to be appointed, convene itself, identify key topics, study those topics, and issue recommendations. The working group will comprise representatives from industry, academia, consumer advocacy groups, small and large companies, the office of the Attorney General, and attorneys with experience in privacy law.
Action Items for Businesses
The CTDPA continues a broadening trend of U.S. states enacting their own comprehensive privacy laws. This dynamic is unlikely to change any time soon, and more states will likely follow Connecticut, Utah, Colorado, Virginia, and California – sooner rather than later. Though no two state laws are the same, it is possible to craft a U.S. privacy compliance program in a streamlined manner that is principles-based and will be adaptable if (or more likely, when) more states follow suit.
As we have noted in past guidance, in order to prepare for 2023 and beyond, we recommend that businesses:
- Conduct a privacy compliance assessment, mapping the privacy controls to the requirements in the different state laws and to a principles-based privacy framework;
- Review (or undertake) data mapping exercises, being sure to reflect applicable data handling practices that capture the key definitions under these new laws (e.g., sensitive data), categories of personal data, sources of data, use cases, and recipients of data;
- Ensure personal data is protected by physical, technical, and administrative safeguards appropriate to the nature of the data and the potential risks and prepare a written cybersecurity program;
- Review and update privacy notices now, and implement a process for annual reviews thereafter. As part of the privacy notices and data mapping, businesses should put in place a data retention schedule that is compliant with state privacy laws;
- Assess the effectiveness of existing processes for receiving, verifying, and responding to consumer requests made pursuant to state privacy laws;
- Review and update template agreements (such as data processing agreements with vendors that will process personal data), and ensure that vendor questionnaires adequately assess the security standards of vendors; and
- Assess whether any activities of the business constitute “sales” or “targeted advertising” and ensure that there are easy-to-use opt-out mechanisms where applicable.