Connecticut Passes Consumer Personal Privacy Act

Last summer, Governor Ned Lamont signed Senate Bill No. 6, An Act Concerning Personal Data Privacy and Online Monitoring (the “Act”),[1] which went into effect July 1, 2023.

Applicability

The Act applies to individuals or entities that conduct business or produce products or services that are targeted to residents of Connecticut and, during the preceding calendar year, the individual or entity either:

  • controlled or processed the personal data of not less than 100,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
  • controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of its gross revenue from the sale of personal data.[2]

The Act only applies to consumers who are Connecticut residents and specifically excludes persons “acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s” employment or commercial role.[3] Also, the Act does not apply if the data is publicly available or “de-identified,” meaning “data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual.”[4]

Exempt from the Act are government agencies, nonprofits, institutions of higher education, national securities associations registered under the Securities Exchange Act of 1934, financial institutions and data subject to the Gramm-Leach-Bliley Act, and covered entities and business associates as defined under the Social Security Act.[5] Also exempt from the Act are 16 categories of data, such as protected health information under the Health Insurance Portability and Accountability Act (“HIPAA”), consumer credit data, and others.[6]

Consumer Rights Under the Act

The Act is arguably very “consumer friendly,” and outlines five consumer rights:

  • Right to “confirm whether a controller[7] is processing the consumer’s personal data”;
  • Right to “correct inaccuracies in the consumer’s personal data”;
  • Right to “delete personal data provided by, or obtained about, the consumer”;
  • Right to “obtain a copy of the consumer’s personal data processed by the controller”; and
  • Right to opt out of processing personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that affect the consumer.[8]

Controllers must establish a secure and reliable means for consumers to submit a request to exercise their consumer rights.[9] Controllers must provide a clear and conspicuous link on their internet website to enable a consumer or a consumer’s agent to opt out of targeted advertising or sale of the consumer’s personal data.[10] And by January 1, 2025, a controller must clearly provide a way for a consumer to opt out of any processing of the consumer’s personal data for the purpose of targeted advertising and the sale of such data in a technological manner that is consumer friendly and allows the consumer to “make an affirmative, freely given and unambiguous choice to opt out of any processing of such consumer’s personal data.”[11]

 The Act lays out the expectations for how personal consumer data must be handled, assessed, maintained, processed, and stored.[12]  A “processor” is “an individual who, or legal entity that, processes personal data on behalf of a controller.”[13]  The Act requires a contract between a controller and processor of consumer personal data and details the necessary elements of the contract.[14]

The Act requires a timely process to address a consumer’s request pertaining to their data.  Within 45 days, a controller must address any requests or concerns a consumer may have regarding their personal data. If the controller refuses to act on a consumer’s request within a reasonable time, the consumer will have the right to appeal.[15] 

Enforcement of the Act

There is no private right of action for individuals under the Act.[16] The Attorney General will have exclusive jurisdiction in enforcing the Act.[17] For the first 18 months that the Act is in effect (July 1, 2023 to December 31, 2024), the Attorney General may give the controller 60 days to cure any violations before commencing an action.[18] Any violation of the Act will constitute an unfair trade practice pursuant to General Statutes § 42-110b.[19]

 

Cristina Salamone is a Principal in UKS’ New Haven office, practicing in the areas of commercial litigation, products liability, and employment.  She can be reached at csalamone@uks.com or (203) 786-8309. 

Kaydeen Maitland is an Associate in UKS’ Hartford office, practicing in the areas of Healthcare, General Corporate Counsel, Administrative Proceedings, and Commercial Lending and Banking.  She can be reached at kmaitland@uks.com or (860) 548-2643. 

Disclaimer: The information contained in this material is not intended to be considered legal advice and should not be acted upon as such.  Because of the generality of this material, the information provided may not be applicable in all situations and should not be acted upon without legal advice based on the specific factual circumstances.

 

[1] S.B. No. 6, 2022 Leg., CT Gen. Assembly – Feb. Session 2022.
[2] Id. at Sec. 2.
[3] Id. at Sec. 1.
[4] Id.
[5] Id. at Sec. 3.
[6] Id.
[7] A controller is defined as “an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.”
[8] Id. at Sec. 4.
[9] Id. at Sec. 6.
[10] Id.
[11] Id.
[12] Id. at Sec. 7.
[13] Id. at Sec. 1.
[14] Id. at Sec. 7.
[15] Id. at Sec. 4.
[16] Id. at Sec. 11.
[17] Id.
[18] Id.
[19] Id.