Connecticut has joined four other states in passing a comprehensive data privacy law that requires businesses to provide consumers with information about the personal data they collect and empowers the state attorney general to issue cure letters and file lawsuits against those who do not comply.
California, Virginia, Colorado, and Utah have all passed similar legislation. California's is currently the only comprehensive state data privacy law in effect, and it will be upgraded beginning January 1. All four of the newer state laws take effect in 2023: Virginia's on January 1, Colorado's and Connecticut's on July 1, and Utah's on December 31.
Consumers cannot sue companies that fail to protect their personal data under Connecticut law, which gives the state attorney general "exclusive authority." Only California law gives consumers a private right of action.
The Personal Data Privacy and Online Monitoring Act (S.B. 6) was signed into law on Tuesday by Connecticut Governor Ned Lamont (D). It gives consumers the right to see, correct, delete, and obtain a copy of the personal information that advertisers collect about them.
Consumers will be able to opt out of certain types of personal data processing, and businesses will be required to provide a "clear and conspicuous link" on their website for consumers to submit opt-out requests. Businesses must establish a process to respond to consumer requests and must provide information about a consumer's personal information to that consumer, free of charge, within 45 days of receiving the request.
According to Vivek Mohan, a partner in law firm Mayer Brown's Cybersecurity & Data Privacy practice, Connecticut's law most closely resembles the Colorado law, with some California elements included.
"States are learning from each other and using pieces of other laws that they like," he explained. Connecticut is unique among state privacy laws in that the state attorney general's office has no rulemaking authority. California's rulemaking has been plagued by delays, and Colorado's rulemaking is currently underway, according to Mohan.
Companies doing business in Connecticut will be prohibited from processing sensitive personal data without the consent of the consumer, using it to discriminate against a consumer, or using it for purposes "that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed," according to the law.
Businesses will be required to obtain parental consent before selling personal data of consumers aged 13 to 16 or producing targeted ads for those under the age of 16.
Companies that do business in Connecticut and control the personal data of at least 100,000 consumers, or of 25,000 consumers if personal data sales account for more than 25% of gross revenue, are subject to the bill. Companies that meet those thresholds will be required to conduct data protection assessments outlining how they plan to comply with the law, which the state's attorney general can review. State government agencies, healthcare organizations governed by the Health Insurance Portability and Accountability Act (HIPAA), financial institutions governed by the Gramm-Leach-Bliley Act, nonprofits, and institutions of higher education are among the exempted entities.
The state's attorney general will send out cure letters to companies that have committed potential violations, giving them 60 days to correct the problem before filing a lawsuit.
According to a tracker maintained by the International Association of Privacy Professionals, there are currently 11 states with active data privacy bills before their state legislatures.
This law "will not be the last of them, maybe not even the last one passed this year," Mohan predicted.
As a result, according to Linda Thielová, DPO and head of privacy at compliance software vendor OneTrust, businesses should look at the common themes that run through each of the laws, such as good data governance and the need for stricter management of personal data handled by vendors. Companies should also develop a process for dealing with customer requests for personal data information, and consider honoring requests from any customer, regardless of where they live, she said.
"Most businesses operating across all 50 states are employing the same level of privacy compliance across all the states," she said. "It’s a great public relations opportunity to advertise that your business is going out of its way to provide the highest privacy service."
According to Thielová, each law has its own quirks, so whatever process is put in place should be able to handle personal data of customers from specific states with granularity. This can be accomplished through automation, such as recognizing which data elements are considered biometric data under Connecticut's data privacy law versus Virginia's, she said.
By fLEXI tEAM