By Prasun Howli, Kathryn Rock
On May 10, 2022, Connecticut became the fifth state, after California, Virginia, Colorado, and Utah, to enact a comprehensive privacy law related to the controlling and processing of personal data. The Connecticut data privacy bill, An Act Concerning Personal Data Privacy and Online Monitoring, was signed into law with an effective date of July 1, 2023. The law adopted many of the same requirements as the General Data Protection Regulation and other state privacy laws, such as the Virginia Consumer Data Protection Act (VCDPA), the Colorado Consumer Protection Act (CCPA), and the Utah Consumer Privacy Act (UCPA), as they relate to consumer rights and data processing obligations of controllers and processors. The controller determines the purpose and means of processing, while the processor processes the personal data on behalf of the controller.
The Connecticut data privacy law applies to “persons that conduct business”1 in the state of Connecticut or “produce products or services that are targeted to the residents”2 of the state. The law is applicable when:
Personal data controlled or processed solely for completing payment transactions are excluded from the law. Similar to VCDPA, CCPA, and UCPA, the law is not applicable when personal data is used in an employment or commercial context.
Similar to other US state laws, the Connecticut privacy law provides certain rights to the consumer as outlined below:
The law requires the controller to fulfill consumer requests within 45 days, with an option to extend the response period for another 45 days, depending on the “complexity and number of the consumer's requests, provided the controller informs the consumer of any such extension within the initial 45-day response period and the reason for such extension.”4 The controller needs to provide the information to the consumer free of charge once within a 12-month period. For any excessive or repetitive consumer requests, the controller may charge an administrative fee. If a consumer request is rejected, the controller needs to inform the consumer and give the consumer an option to appeal the decision. After receipt of the appeal, the controller will have 60 days to provide a written response to the consumer indicating the action taken or not taken in regard to the appeal. Additionally, the controller must establish an online portal or another method for the consumer to submit a complaint to the state attorney general if an appeal is denied.
The law requires controllers to follow certain requirements as outlined below:
The law also outlines the processor responsibilities. The law mandates that a contract must be established between a controller and a processor related to the data processing rights and obligations of the controller and the processor. The processor needs to abide by the contract and enable the controller to meet the obligations related to data privacy requirements.
A controller must carry out a Data Protection Assessment (DPA) for processing activities that may pose a risk to consumer data privacy. Such activities include targeted advertising, sale of personal data, profiling, and processing of sensitive data. The DPA is treated as confidential information and exempted from disclosure “under the Freedom of Information Act, as defined in Section 1-200 of the general statutes.”10 However, the attorney general may request the assessment information for review, and the controller needs to make it available to the attorney general.
The attorney general will have the “exclusive authority”11 to enforce the law. During the 18-month period beginning July 1, 2023, and ending on December 31, 2024, prior to initiating any action for the violation of the law, the attorney general will issue a notice of violation to the controller. If the controller fails to cure the violation within 60 days, the attorney general may take action. The act will be treated as a violation of the Connecticut Unfair Trade Practice Act (CUTPA) which “impose civil penalties of up to $5,000 for willful violations and $25,000 for violation of a restraining order.”12 However, after January 1, 2025, depending on the nature of the violation and past history of the controller, the attorney general may or may not provide an option for the controller to cure the violation. Similar to UCPA, the law does not include a provision for private right of action.
With many other state laws in the pipeline and a shifting definition of personal data that brings more private data within the ambit of a privacy law, data privacy compliance continues to be an evolving challenge. To prepare for when the Connecticut data privacy law and other state laws go into effect, organizations should develop or review data inventories across all applicable products and consumer corporate functions to understand the flow of consumer personal information across business units, service providers, and third parties, as well as the purpose behind it. Additionally, organizations should conduct a current-state assessment against the new state obligations to identify any compliance gaps and develop a roadmap of future activities to address those gaps and operationalize new requirements. As organizations continue to expand their privacy management activities in light of the new and evolving state requirements, they should work to identify, document, and implement regulatory-agnostic operational requirements based on privacy principles and best practices.
Guidehouse has assisted many clients across various industry sectors and geographies with assessing their privacy risk and operationalizing their compliance with US and international privacy regulations. We have supported our clients by developing data inventories, conducting gap assessments, and creating roadmaps for privacy compliance, as well as supporting the development of those activities, including the implementation of processes for managing consumers’ requests for their data. Services we have provided include:
1 Senate Bill No. 6: An Act Concerning Personal Data Privacy and Online Monitoring.
2 See previous footnote.
3 See previous footnote.
4 See previous footnote.
5 See previous footnote.
6 See previous footnote.
7 See previous footnote.
8 See previous footnote.
9 See previous footnote.
10 See previous footnote.
11 See previous footnote.
12 Penalties under the CUTPA.