Share this article on:
Connecticut has joined California, Colorado, Utah, and Virginia in passing a comprehensive new data privacy law that establishes responsibilities for businesses that collect and process the personal data of state residents and gives consumers new rights. The Connecticut Data Privacy Act (Senate Bill 6) was passed 35-0 by the Senate and 144-5 in the House of Representatives and awaits the signature of the state Governor, Ned Lamont. The new privacy law comes into effect on July 1, 2023.
The new law establishes a framework for controlling and processing the personal data of state residents, sets privacy protection standards for data controllers and data processors, and gives state residents rights over the collection and use of their personal data. Consumers will be given the right to access their personal data held by a company, obtain a copy of that information, and correct any errors. Consumers will also have the right to be forgotten and have their personal data deleted. Consumers can also choose to opt out of the processing of their personal data for targeted advertising, certain sales of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.
The new law closely mirrors the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (CDPA), with the scope of the law falling somewhere between the two. The law will apply to businesses that hold the data of more than 100,000 consumers or those that derive 25% or more of their annual revenue from the sale of data of more than 25,000 consumers, with the protections stronger than those of Virginia and Utah, but falling short of the privacy law in Colorado.
The new law includes a sunset on the right to cure, which is December 31, 2024. That means from July 1, 2023, until December 31, 2024, businesses found to be in violation of the Connecticut Data Privacy Act will have the opportunity to take corrective actions to address the areas of non-compliance and avoid a financial penalty or other sanctions. The removal of the right to cure should encourage businesses to comply with the new law.
Certain entities will be exempted and will not be required to comply with the Connecticut Data Privacy Act: state and local governments, nonprofits, national securities associations registered under the Securities Exchange Act of 1934, financial institutions subject to the Gramm-Leach-Bliley Act, and covered entities and business associates under the Health Insurance Portability and Accountability Act. There are also exceptions for certain data types, such as data regulated by HIPAA, FERPA, the Airline Deregulation Act, Fair Credit Reporting Act, Farm Credit Act, and the Driver’s Privacy Protection Act.
Compliance with the Connecticut Data Privacy Act will be enforced by the Connecticut Attorney General, and a standing working group will be formed to assess emerging topics that the law could be amended to address.