Connecticut Becomes Newest State With Consumer Data Privacy Law: What You Need To Know

On May 10, Connecticut joined other states by passing a state consumer data privacy law. This law gives Connecticut consumers more control over what companies can do with personal data collected from Connecticut consumers. Here’s what you should know about this new law and its impact on your business.

Applicability

The law, which takes effect on July 1, 2023, applies to individuals and entities that:

1. Conduct business in Connecticut or produce products or services that are targeted to Connecticut residents; and
2. During the preceding calendar year, either:
   • Controlled or processed personal data of at least 100,000 consumers (excluding for the purpose of completing a payment transaction), or
   • Controlled or processed personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

These parameters are narrower than some of the other similar statutes (excluding data collected to complete a transaction), but also include the broad definition of “sale” found in the California statutes (encompassing the exchange of personal data for monetary or “other valuable consideration”).

The law also specifically excludes from the statute:

1. State and local governments,
2. Nonprofits,
3. Higher education institutions,
4. National securities associations registered with the SEC,
5. Financial institutions and data subject to the Gramm-Leach Bliley Act, and
6. Covered entities and business associates under HIPAA.

Consumer Rights

As with the prior statutes, the Connecticut law provides consumers with the following new rights:

1. Right to access – the right to know what personal data a company has collected about them. However, unlike the other laws, Connecticut’s right to access does not apply to personal data that would require the company to reveal a trade secret.
2. Right to correct – the right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purpose for which the company processes that personal data.
3. Right to delete – the right to have the company delete any and all personal data provided by or obtained about the consumer.
4. Right to data portability – the right to obtain a copy of all the personal data that the company has acquired about the consumer (so long as it’s technically feasible). This right is broader than some laws as it is not limited to data provided by the consumer but encompasses all data obtained about the consumer regardless of source.
5. Right to opt out – the right to opt out of the processing of data for the purposes of:
   • Targeted advertising,
   • The sale of personal data, or
   • Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects on the consumer.

Requirements

The law also imposes requirements on companies subject to the statute when collecting consumer personal data. For instance, companies can only collect personal data that is adequate, relevant, and reasonably necessary in relation to the purpose of the collection. Similarly, the company cannot use personal data, without consent or meeting another exception, unless it is reasonably necessary for or compatible with the purposes of the collection.

The law also requires companies to maintain reasonable administrative, technical and physical data security practices to protect collected personal data. Companies must also make specific disclosures in privacy notices about what they do with personal data they collect (including the categories of data collected, how consumers can exercise their rights and appeal, and contact information for the company). And, companies must conduct risk assessments when activities present a “heightened risk of harm” to consumers.

Enforcement

Like Colorado, Virginia, and Utah, the law does not allow for private rights of action to enforce rights under the law—leaving enforcement solely to the Connecticut Attorney General. Prior to any enforcement action, entities are allowed 60 days to cure any violation (twice as long as allowed in California, Virginia, and Utah), but that cure period ceases as of Jan. 1, 2025. Violations can result in penalties up to $5,000 per willful violation or equitable remedies like restitution, disgorgement, and injunctive relief.

Connecticut is the latest, but will more than likely not be the final, state to enact consumer data privacy rights and protections. While the federal government could step in with a federal data privacy law,  those chances currently seem slim.

While each law varies, it is important for companies to note the similarities between these statutes and the rights they afford to consumers and prepare accordingly. Companies would be wise to build these privacy concepts into their services and products now, as we anticipate more states will continue to enact laws affording consumers various rights with respect to their data.