Connecticut is 5th State to Enact Data Privacy Law: Considerations for Data Privacy Activities

On May 10, 2022, Connecticut became the fifth state, after California, Virginia, Colorado, and Utah, to enact a comprehensive privacy law related to controlling and processing of personal data. The Connecticut data privacy bill, An Act Concerning Personal Data Privacy and Online Monitoring, was signed into a law with an effective date of July 1, 2023. The law adopted many of the same requirements of the General Data Protection Regulation and other state privacy laws, such as the Virginia Consumer Data Protection Act (VCDPA), the Colorado Consumer Protection Act (CCPA), and the Utah Consumer Privacy Act (UCPA) as they relate to consumer rights and data processing obligations of controllers and processors. The controller determines the purpose and means of processing while the processor processes the personal data on behalf of the controller.

Scope

The Connecticut data privacy law applies to “persons that conduct business”¹  in the state of Connecticut or “produce products or services that are targeted to the residents”²  of the state. The law is applicable when:

1. Personal data of 100,000 or more consumers are controlled or processed during the preceding calendar year; or,
2. Personal data of 25,000 or more consumers are controlled or processed during the preceding calendar year and more than 25% of the gross revenue is derived from the sale of the personal data. 

Personal data controlled or processed solely for completing payment transactions are excluded from the law. Similar to VCDPA, CCPA, and UCPA, the law is not applicable when personal data is used in an employment or commercial context.

Consumer Rights

Similar to other US state laws, the Connecticut privacy law provides certain rights to the consumer as outlined below: 

• Right of Access: Consumer has the right to confirm “whether or not a controller is processing the consumer’s personal data”³  and the consumer can request access to the data.
• Right of Correction: Consumer has the right to correct inaccuracies related to the consumer’s personal data.
• Right of Deletion: Consumer has the right to request deletion of personal data that the consumer has provided to or obtained by the controller.
• Right to Data Portability: Consumer has the right to request a copy of the personal data in a portable format that will allow the consumer to transfer data to another controller. 
• Right to Opt Out: Consumer has the right to opt out of the processing of personal data where the data is used for targeted advertising, profiling for automated decision-making, or the data is being sold to a third party.

The law requires the controller to fulfill consumer requests within 45 days, with an option to extend the request for another 45 days, depending on the “complexity and number of the consumer's requests, provided the controller informs the consumer of any such extension within the initial 45-day response period and the reason for such extension.”⁴ The controller needs to provide the information to the consumer free of charge once within a 12-month period. For any excessive or repetitive consumer requests, the controller may charge an administrative fee. If a consumer request is rejected, the controller needs to inform the consumer with an option for the consumer to appeal the decision. After the receipt of the appeal, the controller will have 60 days to provide a written response to the consumer indicating action taken or not taken in regard to the appeal. Additionally, the controller must establish an online portal or another method for the consumer to submit a complaint to the state attorney general if an appeal is denied.

Controller Responsibilities

The law requires controllers to follow certain requirements as outlined below:  

• Collection Limitation: The controller needs to “limit the collection of personal data to what is adequate, relevant, and reasonably necessary.”⁶
• Purpose Specifications: The controller needs to process personal data based on the purpose disclosed to the consumer.  
• Data Security: The controller needs to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.”⁷
• Processing of Sensitive Data: The controller needs to obtain consent before processing sensitive data of the consumer. The personal data concerning a child will be processed in accordance with the federal Children's Online Privacy Protection Act.  
• Unlawful Discrimination: The law prohibits the controller from making unlawful discrimination against consumers for exercising their privacy rights. However, the law does not prohibit controllers from providing goods or services for no fee or at a discount as part of a “bona fide loyalty, rewards, premium features, discounts, or club card program.” ⁸
• Transparency: The law mandates the controller to provide consumers “with a reasonably accessible, clear, and meaningful privacy notice.”⁹
• Secondary Use: Controllers must disclose if they share personal data of consumers with third parties or engage in targeted advertising. They also need to disclose the manner in which a consumer may exercise the right to opt out of such processing. 

The law also outlines the processor responsibilities. The law mandates that a contract must be established between a controller and a processor related to the data processing rights and obligations of the controller and the processor. The processor needs to abide by the contract and enable the controller to meet the obligations related to data privacy requirements.

Data Protection Assessment

A controller must carry out a Data Protection Assessment (DPA) for processing activities where they may pose a risk to consumer data privacy. Such activities include targeted advertising, sale of personal data, profiling, and processing of sensitive data. The DPA is treated as confidential information and exempted from disclosure “under the Freedom of Information Act, as defined in Section 1-200 of the general statutes.”¹⁰ However, the attorney general may request the assessment information for review and the controller needs to make it available to the attorney general.

Enforcement

The attorney general will have the “exclusive authority”¹¹ to enforce the law. During the 18-month period beginning July 1, 2023, and ending on December 31, 2024, prior to initiating any action for the violation of the law, the attorney general will issue a notice of violation to the controller. If the controller fails to cure the violation within 60 days, the attorney general may take action. The act will be treated as a violation of the Connecticut Unfair Trade Practice Act (CUTPA) which “impose civil penalties of up to $5,000 for willful violations and $25,000 for violation of a restraining order.”¹² However, after January 1, 2025, depending on the nature of the violation and past history of the controller, the attorney general may or may not provide an option for the controller to cure the violation. Similar to UCPA, the law does not include a provision for private right of action.

Conclusion

With many other state laws in the pipeline and a shifting definition of personal data that brings more private data within the ambit of a privacy law, data privacy compliance continues to be an evolving challenge. To prepare for when the Connecticut data privacy law and other state laws go into effect, organizations should develop/review data inventories across all applicable products and consumer corporate functions to understand the flow of consumer personal information across business units, service providers, and third parties, as well as the purpose behind it. Additionally, organizations should conduct a current-state assessment against the new state obligations to identify any compliance gaps and develop a roadmap of future activities to address compliance gaps and operationalize new requirements. As organizations continue to expand their privacy management activities in light of the new and evolving state requirements, they should work to identify, document, and implement regulatory-agnostic operational requirements based on privacy principles and best practices.

Guidehouse Service Offerings

Guidehouse has assisted many clients across various industry sectors and geographies with assessing their privacy risk and operationalizing their compliance with US and international privacy regulations. We have supported our clients by developing data inventories, conducting gap assessments, and creating roadmaps for privacy compliance, as well as supporting the development of those activities, including the implementation of processes for managing consumers’ requests for their data. Services we have provided include:

• Conducting assessments of the current state of an organization’s privacy posture.
• Designing target operating models for privacy-related governance structure, processes, technology, and controls.   
• Assisting with the implementation of a data privacy program that is technologically sound and sustainable, including designing and documenting processes, personal data inventory, policies, and procedures.  
• Conducting testing and monitoring to ensure design adequacy and operating effectiveness of privacy-related controls.

^{1  Senate Bill No. 6: An Act Concerning Personal Data Privacy and Online Monitoring.
2  See previous footnote.
3  See previous footnote.
4  See previous footnote.
5  See previous footnote.
6  See previous footnote.
7  See previous footnote.
8  See previous footnote.
9  See previous footnote.
10 See previous footnote.
11 See previous footnote.
12 Penalties under the CUTPA.}