Connecticut is gearing up to be the next state with a comprehensive privacy law. On April 28, 2022, the Connecticut General Assembly passed SB 6, “An Act Concerning Personal Data Privacy and Online Monitoring,” which is currently with the governor awaiting signature. Of the state laws that have passed, SB 6 is most similar to the Colorado Privacy Act (“CPA”), Virginia Consumer Data Protection Act (“CDPA”), and Utah Consumer Privacy Act (“UCPA”). For example, under SB 6, the terms “controller,” “processor,” and “personal data” have similar definitions as under the CPA, CDPA, and UCPA.
If enacted, SB 6 will go into effect on July 1, 2023, with exceptions for certain provisions.
SB 6 applies to:
individuals and entities doing business in Connecticut, or that produce products or services that are targeted to Connecticut residents;
that in the preceding year, controlled or processed the personal data of at least:
100,000 Connecticut residents (excluding for the purpose of completing a payment transaction); or
25,000 Connecticut residents, if the individual or entity derived more than 25% of their annual gross revenue from selling personal data.
SB 6 does not apply to:
certain entities, including state and local government entities, nonprofits, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act, or qualifying covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”); and
certain information, such as “protected health information” under HIPAA, information regulated by the Fair Credit Reporting Act, or personal data regulated by the Family Educational Rights and Privacy Act.
SB 6 protects “consumers,” which are generally defined as Connecticut residents who are not acting (1) in a commercial or employment context, or (2) on behalf of a business, nonprofit, or government agencies (e.g., as an employee). Subject to certain exceptions, the bill grants consumers the rights to: (1) know whether a controller is processing a consumer’s personal data; (2) access the personal data about such consumer maintained by the controller; (3) correct inaccuracies in such personal data; (4) delete such personal data; (5) obtain a copy of such personal data in a portable and readily usable format (if technically feasible); and (6) opt out of the processing of such personal data for the purposes of sale, targeted advertising, or profiling. The parent or legal guardian of a known child may exercise consumer rights on the child’s behalf.
A consumer may exercise their rights under the bill directly or through another person designated to serve as the consumer’s authorized agent. A controller must respond to consumers’ rights requests without undue delay, and within specific enumerated timelines, subject to verifying the identity of the consumer and authorized agent making the request. Information responsive to a consumer rights request must be provided to the consumer free of charge, once per 12-month period.
Consumers may also opt out of personal data processing for targeted advertising or sale through an opt-out preference signal (e.g., Global Privacy Control). The controller must honor the opt-out preference signal, but may inform the consumer if such conflicts with the consumer’s existing controller-specific privacy setting or with the terms of the consumer’s participation in the controller’s program (e.g., loyalty or rewards program) or service.
Similar to existing state privacy frameworks, SB 6 obligates controllers to, among other things: (1) practice data minimization; (2) refrain from processing personal data for unnecessary purposes or for purposes that are incompatible with the purposes to which the consumer consented; (3) have in place reasonable administrative, technical and physical data security practices to safeguard personal data; and (4) provide consumers with a reasonably accessible, clear and meaningful privacy notice.
Notably, SB 6 requires controllers to provide a mechanism for consumers to revoke consent that is at least as easy as the mechanism for providing consent.
Controllers must also conduct and document a data protection assessment for processing activities that present a heightened risk of harm to a consumer (e.g., processing of personal data for targeted advertising, sale, and/or profiling) created or generated after July 1, 2023. Data protection assessments for such activities prepared pursuant to other privacy frameworks (e.g., the CPA) satisfies this requirement, provided that data protection assessment is reasonably similar in scope and effect to what is required by SB 6.
These obligations do not restrict a controller’s (or processor’s) ability to collect, use or retain data for internal purposes to: conduct product research and development; effectuate a product recall; identify and repair technical errors; or perform internal operations reasonably anticipated based on the consumer’s existing relationship with the controller, or are otherwise compatible with processing data in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party.
SB 6 expressly prohibits “dark patterns,” which are manipulative techniques that can impair consumer autonomy, decision-making or choice. Dark patterns are also explicitly prohibited under the CPA and the California Privacy Rights Act.
There is no private right of action under SB 6. While a violation of SB 6’s requirements constitutes an unfair trade practice under the Connecticut Unfair Trade Practices Act (“CUTPA”), the private right of action and class action provisions of CUTPA do not extend to violations of SB 6.
The Connecticut Attorney General (“AG”) has exclusive authority to enforce SB 6. The bill provides for an enforcement grace period through December 31, 2024, meaning that between July 1, 2023, and December 31, 2024, the AG must provide entities with notice of alleged violations and an opportunity to cure any such violations within the 60-day period following delivery of such notice. After December 31, 2024, the AG has discretionary authority to provide an opportunity to cure alleged violations, subject to certain enumerated considerations.
Exploratory Task Force
SB 6 requires the General Law Committee, the Connecticut General Assembly committee in charge of matters pertaining to consumer protection, to establish a task force that will provide recommendations pertaining to certain issues, including but not limited to:
healthcare data privacy (g., information sharing among healthcare and social care providers);
children’s privacy (g., parental consent and parental requests submitted on behalf of a minor); and
possible legislation to expand SB 6’s applicability.
The task force must submit a report of its findings and recommendations to the General Law Committee by January 1, 2023. The task force will be terminated upon submission of its final report.
In Connecticut, once a bill reaches concurrence (i.e., passes in both chambers of the Connecticut General Assembly), as it did here, the bill is sent to the governor for signature. SB 6 will become law if: (1) the governor signs it; (2) the governor fails to sign it within five (5) days during the legislative session or 15 days after adjournment from the day it was presented; or (3) the governor vetoed the bill and the bill is repassed in each chamber by a 2/3 majority. The Connecticut General Assembly will adjourn on May 4, 2022.
Connecticut is inching closer to becoming the fifth state to enact a comprehensive privacy law.