Connecticut Enacts Fifth National Consumer Data Privacy Law | PC Weiner Brodsky Kider
The State of Connecticut recently enacted the Fifth National Data Privacy Act (the Act) which establishes obligations for state businesses that process and manage consumer data and creates privacy standards for controllers and data processors. The law follows bills passed in Virginia, California, Colorado and Utah. The law largely follows Virginia’s data privacy law, the VCDPA, with only a few variations. The law will come into effect on July 1, 2023, and affected entities must remedy any violations of the law by December 31, 2024.
The law applies to individuals and corporations who (1) operate a business in Connecticut or produce products or services for residents of Connecticut, and (2) within the preceding year (A) have controlled or processed the data of at least 100,000 consumers, or (B) controlled or processed the data of more than 25,000 consumers and derived more than 25% of their gross revenue from the sale of data. The Act excludes data that individuals and entities obtain to complete a transaction. The law covers “consumers” who reside in Connecticut and does not include a person “acting in a business or employment context.”
The law does not apply to (1) public bodies, (2) non-profit organizations, (3) institutions of higher education, (4) securities associations registered with the SEC, (5) financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act, and (6) certain data covered by HIPAA. The law excludes financial institutions and other data because the FTC and other federal banking agencies promulgate rules that financial institutions must follow when monitoring or processing data.
The law gives Connecticut consumers, or a person designated to serve as the consumer’s authorized agent, the right to (i) confirm whether a controller is processing consumer data; (ii) correct any inaccuracies in the data obtained; (iii) delete the obtained data; (iv) obtain a copy of the data held by the controller; and (v) opt out of data processing for (A) targeted advertising, (B) data selling, or (C) profiling for the sole purpose of making automated decisions that produce legal or similar consumer effects. The law also requires controllers to receive consent from children (ages 13-16) before a controller can sell their data. These consumer rights mirror the rights that consumers get under the VCDPA, excluding consent to the sale of children’s data.
Notice Required and Other Obligations
Controllers must respond to a consumer’s request within 45 days of receiving the request. Where reasonably necessary, controllers may extend the 45-day period to respond to more complex consumer requests, but the controller must notify the consumer of the extension. Controllers who refuse to comply with a consumer’s request must notify the consumer of their decision within 45 days of the consumer’s request. All correspondence regarding a consumer’s request shall be free of charge, except where the consumer makes unfounded, excessive or repetitive requests.
The law states that controllers must (1) limit data collection, (2) process data only for the purposes that the controller discloses to the consumer, (3) create and implement administrative, technical, and physical, (4) prevent the processing of consumer data without obtaining consent, (5) prevent the processing of data in violation of anti-discrimination laws, and (6) provide a process by which a consumer can revoke the consent given to process the data and cease the data processing within 15 days of the consumer’s request.
Penalties and Enforcement
The law does not provide for a private right of action. The Connecticut State Attorney General is the only party entitled to bring an action under the law.