Connecticut: Act Concerning Personal Data Privacy and Online Monitoring – what you need to know
On 10 May 2022, the Connecticut State Governor signed Senate Bill 6, thereby enacting the Connecticut Act Concerning Personal Data Privacy and Online Monitoring ('CTDPA') and making Connecticut the fifth State in the US to pass a comprehensive privacy law, joining the likes of California, Colorado, Utah, and Virginia. In particular, the CTDPA provides several privacy rights for consumers, establishes obligations on data controllers, and assigns enforcement powers to the Attorney General ('AG'). OneTrust DataGuidance addresses some of the key requirements introduced by the CTDPA that organisations will have to keep in mind in the operationalisation of their privacy program.
Scope of application
The CTDPA's protections apply to 'consumers' defined as individuals who are residents of Connecticut. However, the CTDPA's definition of 'consumer' does not include individuals acting in a commercial or employment context.
With respect to data controllers and organisations, the CTDPA's scope extends to entities that:
- conduct business in Connecticut, or produce products or services that are targeted to Connecticut residents; and
- during the preceding calendar year, either:
  - processed the personal data of at least 100,000 consumers; or
  - processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
Like other US state privacy laws, the CTDPA provides for certain exceptions to its applicability. In particular, certain entities, including, for example, state and local government entities, non-profits, higher education institutions, and entities subject to the Gramm-Leach-Bliley Act of 1999 ('GLBA') and to the Health Insurance Portability and Accountability Act of 1996 ('HIPAA'), do not fall under its scope.
The CTDPA provides consumers with several new rights, namely:
- the right of access - which allows consumers to confirm whether or not a controller is processing their personal data, and to access such personal data, unless such confirmation or access would require the controller to reveal a trade secret;
- the right of rectification - which allows consumers to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of the processing of this personal data;
- the right of deletion - which allows consumers to delete personal data which they have previously provided;
- the right of data portability - which allows consumers to obtain a copy of their personal data which is processed by the controller, and to obtain this data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided that such controller shall not be required to reveal any trade secret; and
- the right to opt out - which allows consumers to opt out of the processing of their personal data for:
  - purposes of targeted advertising;
  - the sale of personal data; or
  - profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
In this respect, consumers may exercise their rights under the CTDPA directly or through another person designated to serve as their authorised agent. Procedurally, the CTDPA provides that a controller, if able to verify, with commercially reasonable effort, the identity of the consumer and the authorised agent's authority, must respond to a consumer's rights requests without undue delay, but not later than 45 days after receipt of the request. The controller may extend the response period by 45 additional days when reasonably necessary, considering the complexity and number of the consumer's requests, provided that the controller informs the consumer of any such extension within the initial 45-day response period and of the reason for the extension.
Furthermore, starting from 1 January 2025, the CTDPA provides that consumers may also opt out of personal data processing for targeted advertising or sale 'through an opt-out preference signal sent, with such consumer's consent, by a platform, technology or mechanism to the controller'. However, the CTDPA does not require the details of this mechanism to be approved by the state regulator, which may create uncertainty about whether industry standards will develop in this area. In this context, the CTDPA allows controllers to deny an opt-out request if they have a good faith, reasonable, and documented belief that such a request is fraudulent.
Lastly, consumers will have the right to appeal a denial of their request and, not later than 60 days after receipt of an appeal, the controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision.
Controller and processor obligations
The CTDPA holds quite a protective stance towards consumers and imposes several obligations on controllers. Among other obligations, controllers will be required to:
- provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
  - the categories of personal data processed by the controller;
  - the purpose for processing personal data;
  - how consumers may exercise their consumer rights, including how to appeal a controller's decision with regard to their request;
  - the categories of personal data that the controller shares with third parties, if any;
  - the categories of third parties, if any, with which the controller shares personal data; and
  - an active electronic mail address or other online mechanism that the consumer may use to contact the controller;
- implement the data minimisation principle by restricting the collection of personal data to 'what is adequate, relevant and reasonably necessary' to the purposes for processing, as disclosed to the consumer;
- implement the purpose limitation principle by processing personal data only for purposes that are reasonably necessary to, and compatible with, the purposes for processing, as disclosed to the consumer (unless the controller obtains the consumer's consent);
- establish, implement, and maintain reasonable administrative, technical, and physical data security practices;
- obtain opt-in consent for the collection and processing of 'sensitive' data, which includes information revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation;
- enter into a contract with processors, which shall govern the processor's data processing procedures with respect to the processing performed on behalf of the controller;
- not process personal data in violation of federal and state anti-discrimination laws;
- provide an effective mechanism for a consumer to revoke consent that is at least as easy as the mechanism for providing consent, and cease processing the data within 15 days of receiving a revocation request; and
- obtain opt-in consent from children under the age of 16 before selling their personal data or using it for targeted advertising.
Furthermore, the CTDPA requires controllers to conduct and document a data protection assessment for processing activities that present a heightened risk of harm to a consumer, such as the processing of personal data for targeted advertising, sale, or profiling. Data protection assessments prepared for such activities pursuant to other privacy frameworks satisfy this requirement, provided that the assessment is reasonably similar in scope and effect to the one that would otherwise be conducted pursuant to the CTDPA.
Nonetheless, the CTDPA highlights that these obligations do not restrict a controller's ability to collect, use, or retain data for internal purposes in order to:
- conduct internal research to develop, improve, or repair products, services, or technology;
- effectuate a product recall;
- identify and repair technical errors that impair existing or intended functionality; or
- perform internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer's existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
The CTDPA follows the trend of most US state privacy laws and does not provide for a private right of action for individuals. Instead, the CTDPA grants the AG exclusive authority to enforce its provisions.
The CTDPA, though, provides for an enforcement grace period beginning on its effective date of 1 July 2023 and ending on 31 December 2024. In this timeframe, the AG must, prior to initiating any action for a violation of the CTDPA, issue a notice of violation to the controller if the AG determines that a cure is possible. If the controller fails to cure the violation within 60 days of receipt of the notice of violation (the so-called 'cure period'), the AG may initiate an enforcement action.
Once this grace period has ended, that is, after 31 December 2024, the AG has discretionary authority to provide an opportunity to cure alleged violations, subject to the following considerations:
- the number of violations;
- the size and complexity of the controller or processor;
- the nature and extent of the controller or processor's processing activities;
- the substantial likelihood of injury to the public;
- the safety of persons or property; and
- whether such alleged violation was likely caused by human or technical error.
With the effective date of the CTDPA set for 1 July 2023, businesses will have to act promptly in order to consider its provisions and start taking steps to ensure compliance.
Marcello Ferraresi, Privacy Analyst