August 14, 2022

Volume XII, Number 226


August 12, 2022

Subscribe to Latest Legal News and Analysis

August 11, 2022

Subscribe to Latest Legal News and Analysis

Connecticut General Assembly Passes Comprehensive Privacy Bill

Connecticut is gearing up to be the next state with a comprehensive privacy law. On April 28, 2022, the Connecticut General Assembly passed SB 6, “An Act Concerning Personal Data Privacy and Online Monitoring,” which is currently with the governor awaiting signature.  Of the state laws that have passed, SB 6 is most similar to the Colorado Privacy Act (“CPA”)Virginia Consumer Data Protection Act (“CDPA”), and Utah Consumer Privacy Act (“UCPA”). For example, under SB 6, the terms “controller,” “processor,” and “personal data” have similar definitions as under the CPA, CDPA, and UCPA.

Effective Date

If enacted, SB 6 will go into effect on July 1, 2023, with exceptions for certain provisions.


SB 6 applies to:

  1. individuals and entities doing business in Connecticut, or that produce products or services that are targeted to Connecticut residents;


  1. that in the preceding year, controlled or processed the personal data of at least:

    1. 100,000 Connecticut residents (excluding for the purpose of completing a payment transaction); or

    2. 25,000 Connecticut residents, if the individual or entity derived more than 25% of their annual gross revenue from selling personal data.

SB 6 does not apply to:

  1. certain entities, including state and local government entities, nonprofits, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act, or qualifying covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”); and

  2. certain information, such as “protected health information” under HIPAA, information regulated by the Fair Credit Reporting Act, or personal data regulated by the Family Educational Rights and Privacy Act.

Consumer Rights

SB 6 protects “consumers,” which are generally defined as Connecticut residents who are not acting (1) in a commercial or employment context, or (2) on behalf of a business, nonprofit, or government agencies (e.g., as an employee).  Subject to certain exceptions, the bill grants consumers the rights to: (1) know whether a controller is processing a consumer’s personal data; (2) access the personal data about such consumer maintained by the controller; (3) correct inaccuracies in such personal data; (4) delete such personal data; (5) obtain a copy of such personal data in a portable and readily usable format (if technically feasible); and (6) opt out of the processing of such personal data for the purposes of sale, targeted advertising, or profiling. The parent or legal guardian of a known child may exercise consumer rights on the child’s behalf.

A consumer may exercise their rights under the bill directly or through another person designated to serve as the consumer’s authorized agent. A controller must respond to consumers’ rights requests without undue delay, and within specific enumerated timelines, subject to verifying the identity of the consumer and authorized agent making the request. Information responsive to a consumer rights request must be provided to the consumer free of charge, once per 12-month period.

Consumers may also opt out of personal data processing for targeted advertising or sale through an opt-out preference signal (e.g., Global Privacy Control). The controller must honor the opt-out preference signal, but may inform the consumer if such conflicts with the consumer’s existing controller-specific privacy setting or with the terms of the consumer’s participation in the controller’s program (e.g., loyalty or rewards program) or service.

Controller Obligations

Similar to existing state privacy frameworks, SB 6 obligates controllers to, among other things: (1) practice data minimization; (2) refrain from processing personal data for unnecessary purposes or for purposes that are incompatible with the purposes to which the consumer consented; (3) have in place reasonable administrative, technical and physical data security practices to safeguard personal data; and (4) provide consumers with a reasonably accessible, clear and meaningful privacy notice.

Notably, SB 6 requires controllers to provide a mechanism for consumers to revoke consent that is at least as easy as the mechanism for providing consent.

Controllers must also conduct and document a data protection assessment for processing activities that present a heightened risk of harm to a consumer (e.g., processing of personal data for targeted advertising, sale, and/or profiling) created or generated after July 1, 2023. Data protection assessments for such activities prepared pursuant to other privacy frameworks (e.g., the CPA) satisfies this requirement, provided that data protection assessment is reasonably similar in scope and effect to what is required by SB 6.

These obligations do not restrict a controller’s (or processor’s) ability to collect, use or retain data for internal purposes to:  conduct product research and development; effectuate a product recall; identify and repair technical errors; or perform internal operations reasonably anticipated based on the consumer’s existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.

Dark Patterns

SB 6 expressly prohibits “dark patterns,” which are manipulative techniques that can impair consumer autonomy, decision-making or choice. Dark patterns are also explicitly prohibited under the CPA and the California Privacy Rights Act.


There is no private right of action under SB 6. While a violation of SB 6’s requirements constitutes an unfair trade practice under the Connecticut Unfair Trade Practices Act (“CUTPA”), the private right of action and class action provisions of CUTPA do not extend to violations of SB 6.

The Connecticut Attorney General (“AG”) has exclusive authority to enforce SB 6.  The bill provides for an enforcement grace period through December 31, 2024, meaning that between July 1, 2023, and December 31, 2024, the AG must provide entities with notice of alleged violations and an opportunity to cure any such violations within the 60-day period following delivery of such notice. After December 31, 2024, the AG has discretionary authority to provide an opportunity to cure alleged violations, subject to certain enumerated considerations.

Exploratory Task Force

SB 6 requires the General Law Committee, the Connecticut General Assembly committee in charge of matters pertaining to consumer protection, to establish a task force that will provide recommendations pertaining to certain issues, including but not limited to:

  1. healthcare data privacy (g., information sharing among healthcare and social care providers);

  2. algorithmic decision-making;

  3. children’s privacy (g., parental consent and parental requests submitted on behalf of a minor); and

  4. possible legislation to expand SB 6’s applicability.

The task force must submit a report of its findings and recommendations to the General Law Committee by January 1, 2023. The task force will be terminated upon submission of its final report.

What’s Next

In Connecticut, once a bill reaches concurrence (i.e., passes in both chambers of the Connecticut General Assembly), as it did here, the bill is sent to the governor for signature.  SB 6 will become law if: (1) the governor signs it; (2) the governor fails to sign it within five (5) days during the legislative session or 15 days after adjournment from the day it was presented; or (3) the governor vetoed the bill and the bill is repassed in each chamber by a 2/3 majority. The Connecticut General Assembly will adjourn on May 4, 2022.

Connecticut is inching closer to becoming the fifth state to enact a comprehensive privacy law.

© Copyright 2022 Squire Patton Boggs (US) LLPNational Law Review, Volume XII, Number 122

About this Author

Alan L. Friel Data Privacy & Cybersecurity Attorney Squire Patton Boggs Los Angeles, CA

Alan Friel is the deputy chair of the firm’s Data Privacy & Cybersecurity Practice.

Alan is a thought leader in digital media, intellectual property, and privacy and consumer protection law, with three decades of relevant experience to address the intersection of law and technology.

Prior to joining the firm, Alan was a partner at a US law firm, where he led the US Consumer Privacy practice (in which he counseled clients on compliance with the California Consumer Privacy Act (CCPA) and other data privacy regimes), and the retail, restaurant and e-commerce industry...

Kyle R. Fath Cybersecurity Attorney Squire Patton Boggs New York Los Angeles
Of Counsel

Kyle Fath is counsel in the Data Privacy & Cybersecurity Practice. He offers clients a unique blend of deep experience in counselling companies through compliance with data privacy laws, drafting and negotiating technology agreements, and advising on the privacy, IT, and IP implications of mergers & acquisitions and other corporate transactions. His practice has a particular focus on the the ingestion and sharing of data by way of strategic data transactions, data brokers, and vendor relationships, the implications of digital advertising (as companies look toward...

Glenn Brown Data Privacy & Cybersecurity Attorney Squire Patton Boggs Atlanta., GA
Of Counsel

A senior member of our Data Privacy & Cybersecurity Practice Group, Glenn Brown provides business-oriented advice to clients in numerous industries on data privacy and regulatory compliance matters, including regulatory investigations and examinations. He has experience driving privacy and compliance priorities within organizations and providing strategic counsel regarding privacy, compliance and risk to support the growth and success of the business.

Glenn also has deep experience advising clients regarding compliance with many of the US...

Gicel Tomimbang Los Angeles California Associate Attorney Data Privacy Cybersecurity Squire Patton Boggs LLP

Gicel Tomimbang is an associate in the Data Privacy, Cybersecurity & Digital Assets Practice.

A significant portion of Gicel’s practice focuses on the intersection of healthcare with privacy. Clients frequently turn to her for advice and counsel on complex issues that arise under the Health Insurance Portability and Accountability Act (HIPAA), the Confidentiality of Medical Information Act (CMIA), the California Consumer Privacy Act (CCPA), the FTC Act and the FTC Health Breach Notification Rule.

Gicel previously...