Connecticut Governor Ned Lamont has signed the country’s fifth comprehensive consumer privacy act, “An Act Concerning Personal Data Privacy and Online Monitoring,” (the “Connecticut Data Privacy Act” or the “CDPA” as we refer to it in this article). The CDPA will become effective on July 1, 2023.
Connecticut now joins California, Colorado, Virginia, and Utah as states with comprehensive consumer privacy laws. Consistent trends are emerging in this set of new laws, but we are also seeing a divergence of various concepts, and distinct differences in how these laws balance consumer privacy against business objectives. Most observers will agree that California, via the California Consumer Privacy Act (“CCPA”) and the upcoming California Privacy Rights Act (“CPRA”), unsurprisingly leads the charge with the most consumer privacy-friendly law of the bunch. Utah’s Consumer Privacy Act (“UCPA”), on the other hand, is frequently considered to be the most business friendly. Our view is that the CDPA tracks more closely to the Colorado Privacy Act (“CPA”) and the Virginia Consumer Data Protection Act (“VCDPA”), though with various differences, and ends up generally in the middle of the California-to-Utah spectrum.
Our breakdown below outlines key concepts on how the CDPA will impact businesses, and several notes about how its provisions compare to other US state privacy laws.
As with the CPA, the VCDPA, and the UCPA, the CDPA extends its privacy protections only to Connecticut residents acting in an individual capacity, and not in a commercial or employment context.
The CDPA contains a familiar applicability threshold framework and applies to persons that conduct business in Connecticut, or produce products or services targeted to Connecticut residents, and that during the preceding calendar year either (1) controlled or processed the personal data of at least 100,000 Connecticut residents (excluding personal data processed solely for the purpose of completing a payment transaction); or (2) controlled or processed the personal data of at least 25,000 Connecticut residents and derived more than 25% of their gross revenue from the sale of personal data.
Similar to what we have seen with other US state privacy laws, the CDPA does not apply to various governmental bodies, nonprofits, educational institutions, entities subject to the Gramm-Leach-Bliley Act (“GLBA”), or covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”). In addition, certain types of information are excluded from the scope of the CDPA, including information and data subject to HIPAA and other federal medical/health laws, the Fair Credit Reporting Act (“FCRA”), and the Family Educational Rights and Privacy Act (“FERPA”).
Those familiar with the CPA, the VCDPA, and the UCPA will find the CDPA definitions of “controller,” “processor,” and “personal data” to be very similar.
The CDPA does not contain any consumer rights that are groundbreaking in comparison to other US state privacy laws. Under the CDPA, consumers have the following rights:
- Confirm whether or not a controller is processing their personal data and access such personal data, unless such confirmation or access would require the controller to reveal a trade secret;
- Correct inaccuracies in their personal data;
- Delete their personal data;
- Obtain a copy of their personal data in a portable and readily usable format; and
- Opt out of the processing of their personal data for (a) targeted advertising; (b) the sale of personal data; or (c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Consumers may exercise their rights via a secure and reliable means, which shall be described in the covered business’ privacy notice, and may in most cases do so through an authorized agent (which in some circumstances may be by way of a technology, including, but not limited to, an Internet link or a browser setting, browser extension or global device setting).
Controllers must respond to consumer requests without undue delay, and in any event within 45 days after receipt (which may be extended by an additional 45 days when reasonably necessary). If a controller declines to take action on a request, it must notify the consumer and provide instructions for how to appeal the controller’s decision. Controllers are not required to authenticate opt-out requests, which aligns Connecticut with the CPRA but differs from the CPA; controllers may, however, deny an opt-out request if they have a good faith, reasonable, and documented belief that the request is fraudulent.
Information provided in response to a consumer request must be provided free of charge once during any 12-month period. Additionally, businesses may not discriminate against consumers for exercising their rights under the CDPA, including by denying goods or services, charging different prices or rates, or providing a different level of quality.
Obligations of Covered Businesses
Controllers have the following obligations under the CDPA:
- limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
- not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes for which such personal data is processed, as disclosed to the consumer, unless the business obtains the consumer's consent;
- establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data;
- not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with COPPA;
- not process personal data in violation of applicable laws that prohibit unlawful discrimination against consumers;
- provide an effective mechanism for a consumer to revoke their consent that is at least as easy as the mechanism by which the consumer provided consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request; and
- not process personal data for purposes of targeted advertising, or sell personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age (note that this goes further than the CPA and the VCDPA).
Controllers subject to the CDPA will find its notice requirements similar to other US privacy laws, including providing consumers with a privacy notice that meets the requirements of the CDPA. The privacy notice prescribed by the CDPA is quite similar to that required by the CCPA. Also, similar to the CCPA’s “Do Not Sell My Personal Information” link requirement, if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing, and provide a clear and conspicuous link on its website that enables a consumer to do so.
Notably, by January 1, 2025, controllers must allow consumers to opt out of any processing of their personal data for targeted advertising, or any sale of such personal data, through an opt-out preference signal sent, with the consumer’s consent, by a platform, technology or mechanism to the controller indicating the consumer’s intent to opt out of any such processing or sale. Colorado also requires recognition of a “universal opt-out” signal, but its requirement takes effect six months before Connecticut’s. You’ll recall that the CPRA makes recognition of such signals optional, but we may see rulemaking on that front from California’s new privacy regulatory agency.
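The statute does not name a particular opt-out preference signal. The following is an added illustration (not part of the original article, and not the statute’s text) of how a controller’s web application might honor such a signal alongside the age-based consent rule described above. It assumes, as a hypothetical, that the signal arrives as the Global Privacy Control header “Sec-GPC: 1”, that the site also records an explicit account-level opt-out, and that the controller’s “actual knowledge” of a consumer’s age is stored on the consumer record; the data structures and function names are illustrative only.

```python
"""Added example: gating targeted advertising / sale of personal data on
(1) an opt-out preference signal, (2) a stored account-level opt-out, and
(3) the consent rule for consumers the controller knows to be 13-15.

ASSUMPTIONS (not from the statute or the article):
  - the opt-out preference signal is carried as the HTTP request header
    ``Sec-GPC: 1`` (Global Privacy Control);
  - consumers known to be under 13 are handled under COPPA by separate
    logic, so this function simply refuses targeting for them.
"""

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Consumer:
    """Hypothetical consumer record held by the controller."""
    account_opt_out: bool = False        # opt-out recorded via the site's own link/form
    known_age: Optional[int] = None      # None = controller has no actual knowledge of age
    consented_to_ads: bool = False       # affirmative consent to targeted ads / sale


def signal_present(headers: Dict[str, str]) -> bool:
    """Return True when the request carries the (assumed) opt-out signal.

    HTTP header names are case-insensitive, so compare them lower-cased.
    Only the exact value "1" is treated as an opt-out; anything else is
    ignored rather than guessed at.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def may_target_ads(consumer: Consumer, headers: Dict[str, str]) -> bool:
    """Decide whether this request may be used for targeted advertising or sale.

    Evaluation order matters: an opt-out (signal or account) wins over any
    previously given consent, and age checks apply only where the controller
    actually knows the age.
    """
    # A universal opt-out signal or a recorded opt-out ends the analysis.
    if signal_present(headers) or consumer.account_opt_out:
        return False

    if consumer.known_age is not None:
        # Known child (<13): sensitive data; handled under COPPA elsewhere.
        if consumer.known_age < 13:
            return False
        # Known 13-15: targeted ads / sale require the consumer's consent.
        if consumer.known_age < 16:
            return consumer.consented_to_ads

    # Adult, or age unknown: no statutory bar in this function's scope.
    return True


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    print(may_target_ads(Consumer(), {"Sec-GPC": "1"}))                 # False
    print(may_target_ads(Consumer(known_age=14), {}))                   # False
    print(may_target_ads(Consumer(known_age=14, consented_to_ads=True), {}))  # True
    print(may_target_ads(Consumer(known_age=30), {}))                   # True
```

Note the ordering: because the opt-out checks run before the consent check, a consumer who once consented but later turns on a browser-level signal is still suppressed, which is the behaviour the revocation obligation above requires.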
Vendors and Service Providers
Processors are required to adhere to instructions from controllers and to provide assistance to controllers in meeting the controllers’ obligations under the CDPA. The CDPA also requires that contracts with processors contain certain content as specified in the CDPA.
Data Protection Assessments
The CDPA requires controllers to conduct and document data protection assessments for each processing activity that presents a “heightened risk of harm to a consumer,” which includes: (a) processing of personal data for targeted advertising; (b) sale of personal data; (c) processing of personal data for purposes of profiling where such profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment of, or unlawful disparate impact on, consumers; (ii) financial, physical or reputational injury to consumers; (iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or (iv) other substantial injury to consumers; and (d) the processing of sensitive data. Controllers are required to provide such assessments to the Attorney General upon request in connection with an investigation by the Attorney General.
"Sensitive data" under the CDPA means personal data that includes (a) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (b) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (c) personal data collected from a known child, or (d) precise geolocation data.
Similar to the CPA and CCPA, the CDPA prohibits the use of “any user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice” (referred to as a “dark pattern”) to obtain consumer consent. The CDPA also references any practices that the Federal Trade Commission refers to as a dark pattern.
The CDPA does not provide for a private right of action, and enforcement rests exclusively with the Attorney General.
Covered businesses have a right to cure violations of the CDPA before the Attorney General initiates an enforcement action, but that right will sunset on December 31, 2024. If the business fails to cure the violation within 60 days of notice, the Attorney General may bring an action.
Beginning January 1, 2025, the Attorney General will have discretion to choose whether to provide a business with a right to cure violations of the CDPA. In making its determination, the Attorney General may consider the following factors: (1) The number of violations; (2) the size and complexity of the business; (3) the nature and extent of the business’ processing activities; (4) the substantial likelihood of injury to the public; (5) the safety of persons or property; and (6) whether such alleged violation was likely caused by human or technical error.
The CDPA becomes effective on July 1, 2023, with certain provisions (such as the opt-out preference signal requirement) phased in later.
What is happening in other states?
Watch this space. Other states are moving rapidly. Proposals in Alaska (3 bills under consideration), Hawaii (4 bills under consideration), Louisiana, Massachusetts, Ohio, and Wisconsin (4 bills under consideration), among others, are moving through state legislatures. Bills in the following states did not advance this year: Florida, where the legislature adjourned for the 2022 session on March 11 without passing Florida HB 9; Indiana, where the legislature adjourned on March 14; Iowa, where the legislature closed on April 19; and Washington, where none of the four bills introduced or carried over to the 2022 session met the legislative deadline to cross over. Be sure to check back with the Mintz Privacy & Cybersecurity Blog regularly for updates and subscribe to our newsletter.