US state of Connecticut passes comprehensive consumer privacy bill

May 10, 2022 |

In the United States the states have traditionally been active in law reform, often leading the way until the Federal Government steps in and makes nationwide laws, to the extent permissible by the constitution.  There have been notable exceptions, such the New Deal legislation of the 1930s and the Lyndon Johnson’s frenetic legislative activity of the 1960s.  But with privacy the US states have lead the way, with the California Consumer Privacy Act of 2018 (CCPA) being the most comprehensive.

Australian States could legislate for proper privacy protections in Australia.  There is ample scope to provide greater protections and  but choose not to do so.

The US North Eastern State of Connecticut has passed a comprehensive privacy Act, S.B.6  AN ACT CONCERNING PERSONAL DATA PRIVACY AND ONLINE MONITORING.  With Connecticut’s Bill that will be the fifth state of the Union to have have a comprehensive privacy law.  It will take effect on 1 January 2023.

The official description of what the legislation, if signed by the Governor, is:

To: (1) Establish (A) a framework for controlling and processing personal data, and (B) responsibilities and privacy protection standards for data controllers and processors; and (2) grant consumers the right to (A) access, correct, delete and obtain a copy of personal data, and (B) opt out of the processing of personal data for the purposes of (i) targeted advertising, (ii) certain sales of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.

The legislation applies to persons conducting business in Connecticut or persons that produce products or services that are targeted to residents of Connecticut that :

  • controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction, or
  • controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

The legislation does not regulate:

  • nonprofit organizations,
  • institutions of higher education,
  • financial institutions or data subject to the GLBA,
  • HIPAA covered entities or business associates.
  •  business-to-business and employee data. Consumer Rights
  • certain personal information under the
    • Fair Credit Reporting Act,
    • Driver’s Privacy Protection Act of 1994,
    • Family Educational Rights and Privacy Act,

Under the Bill consumers have the right to:

  1. confirm whether or not a controller is processing personal data,
  2. access their personal data in a portable format,
  3. correct inaccuracies in their personal data,
  4. delete personal data “provided by, or obtained about,” them, and
  5. obtain a copy of the consumer’s personal data processed by the controller in a portable format.
  6.  opt-out of the processing of the consumer’s personal data for “targeted advertising,” “sale,” or “profiling,”.
  7. revoke consent, which must be ‘at least as easy as the mechanism by which the consumer provided consent.”

Data controllers:

  • need to obtain consent prior to processing sensitive data.  Consent is not obtained through acceptance to terms and conditions or through the use of dark patterns.
  • maintain deidentified information only if it takes reasonable measures to ensure that the data cannot be reidentified. They must also publicly commit to maintaining and using de-identified data without attempting to reidentify it.

A controller can not “ process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent the controller has actual knowledge, and willfully disregards that the consumer is at least 13 years old, but under 16 years old.

The Bill has strong similarities to the Colarado privacy legislation and  the Virginia Consumer Data Protection Act (VCDPA) in that :

  • it defines personal data broadly to include any information that is linked or reasonably linkable to an identified or identifiable individual, but excludes de-identified data or publicly available information.
  •  it defines sensitive data as
    •  data revealing racial or ethnic origin,
    • religious beliefs,
    • mental or physical health condition or diagnosis,
    • sex life,
    • sexual orientation or
    • citizenship or
    • immigration status,
    •  the processing of genetic or biometric data for the purpose of uniquely identifying an individual,
    • personal data collected from a known child, or
    • precise geolocation data.
  • sensitive data cannot be processed without consumer consent. In the case of sensitive data of a known child, the data must be processed according to the federal Children’s Online Privacy Protection Act (COPPA).
  •  “consumer” is defined as “an individual who is a resident of” Connecticut. Consumers under the Act
  • it equires controllers to establish, implement, and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.
  • it imposes a new requirement for controllers: conduct data protection assessments

Leave a Reply