Connecticut: Analysing the CTDPA
On 10 May 2022, Connecticut became the fifth state to enact broad consumer data privacy legislation when Connecticut Governor Ned Lamont signed Senate Bill 6 - the Connecticut Data Privacy Act ('CTDPA'). David M. Stauss and Shelby E. Dolen, from Husch Blackwell LLP, provide an overview of the CTDPA and draw comparisons between the bill and other state privacy laws in California, Colorado, Virginia, and Utah.
What entities are covered?
The CTDPA applies to persons that conduct business in Connecticut or that produce products or services that are targeted to residents of Connecticut and that, during the preceding calendar year, either (1) controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction or (2) controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data. The CTDPA defines 'consumer' to mean Connecticut residents not acting in a commercial or employment context.
When the bill's sponsor, Senator James Maroney, originally introduced the bill, it set the consumer threshold at 65,000 rather than 100,000 consumers, reflecting that Connecticut has fewer residents than Colorado and Virginia. The threshold was eventually raised to 100,000 to accommodate small businesses.
Similar to the Virginia Consumer Data Protection Act ('VCDPA'), the CTDPA provides entity-level exemptions for entities subject to the Health Insurance Portability and Accountability Act of 1996 and the Gramm-Leach-Bliley Act of 1999. Unlike the Colorado Privacy Act ('CPA'), which does apply to non-profits, the CTDPA exempts them. Like the laws passed in other states, the CTDPA contains a number of other exemptions, which organisations should closely review before engaging in any compliance efforts.
How is personal data defined?
The CTDPA defines personal data as 'any information that is linked or reasonably linkable to an identified or identifiable individual'. The definition does not include de-identified data or publicly available information. Publicly available information is defined broadly to mean information that is lawfully made available through federal, state, or municipal government records or widely distributed media and that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.
What rights does the CTDPA provide?
The CTDPA grants Connecticut residents the rights to:
- confirm whether or not a controller is processing the consumer's personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret;
- correct inaccuracies in the consumer's personal data;
- delete personal data provided by, or obtained about, the consumer;
- obtain a copy of the consumer's personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means; and
- opt out of the processing of the personal data for purposes of:
  - targeted advertising;
  - the sale of personal data; or
  - profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
The CTDPA defines 'sale' broadly to mean the exchange of personal data for monetary or other valuable consideration by a controller to a third party. This definition largely tracks the definitions in California and Colorado and is broader than Virginia's definition, which does not include the phrase 'or other valuable' consideration.
With the exception of opt-out requests, controllers must authenticate an individual's identity before responding to a request. Controllers do not need to authenticate opt-out requests; however, a controller may deny such a request if it has a good faith, reasonable, and documented belief that the request is fraudulent. This is consistent with California's approach to opt-out requests and more consumer-friendly than the laws in Colorado and Virginia, which require verification.
Controllers have 45 days to respond to consumer requests, which may be extended by a further 45 days where reasonably necessary, provided the consumer is informed of the extension within the initial period. Controllers also are required to establish an appeal procedure for requests that they deny.
How does the CTDPA treat sensitive data?
Like the laws in Colorado and Virginia, the CTDPA requires controllers to obtain consumer consent prior to the processing of sensitive data. The CTDPA defines 'sensitive data' to mean:
- data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;
- the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
- personal data collected from a known child; or
- precise geolocation data.
The CTDPA also provides that controllers must allow consumers to revoke their consent in a manner that is as easy as it was to provide consent.
The CTDPA defines consent as 'a clear affirmative act signifying a consumer's freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer'. Similar to the CPA, consent does not include agreements obtained through dark patterns. The law defines 'dark patterns' as 'a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice and any practice the Federal Trade Commission refers to as a "dark pattern"'.
The CTDPA defines biometric data to mean 'data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual.' It does not include a digital or physical photograph, an audio or video recording, or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
The CTDPA's definition differs from the VCDPA's definition, which excludes facial and voice recognition from the definition of biometric data. Colorado's law does not include a definition of biometric data, presumably leaving that definition to the rulemaking process.
Are controllers required to recognise opt-out signals?
Yes. Starting 1 January 2025, controllers must allow consumers to opt out of targeted advertising and sales through opt-out preference signals. The CTDPA sets forth certain specifications for the operation of those signals.
Does the CTDPA require data processing agreements?
Yes. The CTDPA requires controllers to ensure there are written contracts in place with processors for the processing of personal data. The contracts must set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. In addition, the contract must require that the processor:
- ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
- at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
- upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the CTDPA;
- after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data; and
- allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor, or the processor may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organisational measures in support of the obligations under the CTDPA.
What other obligations apply to controllers?
Controllers must provide consumers with a privacy notice that describes, among other things, the personal data that controllers collect, how they use it, and who they transfer it to. Controllers also must:
- prepare data protection assessments for certain high risk processing activities;
- limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
- unless an exception applies, not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer's consent;
- establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue; and
- not discriminate against consumers for exercising their rights.
How does the CTDPA treat children's data?
Similar to the Children's Online Privacy Protection Act of 1998, the CTDPA requires parental consent for the processing of the personal data of children under the age of 13. However, the CTDPA goes one step further and prohibits controllers from processing a consumer's personal data for purposes of targeted advertising, or selling the consumer's personal data, without the consumer's consent where the controller has actual knowledge, and wilfully disregards, that the consumer is at least 13 but younger than 16 years of age. This prohibition is similar to the one found in California's law.
Does the CTDPA allow for Attorney General rulemaking?
No. Unlike the laws in California and Colorado, the CTDPA does not grant the Attorney General ('AG') rulemaking authority.
How is the CTDPA enforced?
The CTDPA grants exclusive enforcement authority to the Connecticut AG's office. The CTDPA does not create a private right of action. The CTDPA contains a 60-day right to cure, which sunsets on 31 December 2024.
When does the CTDPA go into effect?
1 July 2023.