Connecticut Data Privacy Law to Take Effect

Connecticut Data Privacy Law

In April of 2022, the houses of the Connecticut Legislature passed S.B. 6, “An Act Concerning Personal Data Privacy and Online Monitoring.” This is a verbose phrase for “Connecticut Data Privacy Law.” The bill now awaits Governor Lamont’s (expected) signature.

The Connecticut Data Privacy Law, if enacted, would become the nation’s fifth comprehensive state data privacy bill, following bills passed in California, Virginia, Colorado, and Utah. Details of the Connecticut Data Privacy law are provided below.

Connecticut Data Privacy Law: Coverage and Definitions

The Connecticut Data Privacy law, like the other four state data privacy laws, regulates certain entities engaged in commerce. 

To qualify as a regulated entity under the Connecticut Data Privacy law, a business must meet these two requirements:

  1. Either conduct business in Connecticut or produce products or services that are targeted to Connecticut residents.
  2. Have engaged in a certain amount of activity in the preceding calendar year, either by:
    1. Controlling or processing the personal data of at least 100,000 consumers (excluding personal data controlled or processed to complete payment transactions); or
    2. Controlling or processing the personal data of at least 25,000 consumers, AND having derived more than 25% of gross revenue from the sale of personal data.

The Connecticut Data Privacy Law contains the following definitions.

  • Personal data. Personal data means any information linked or reasonably linkable to an identified or identifiable individual. Examples of personal data include name, age, address, phone number, and email address. “Personal data” does not include de-identified data or publicly available information.
  • Sensitive data. Sensitive data is personal data that includes:
    • Data revealing racial or ethnic origin
    • Data revealing religious beliefs
    • Data revealing mental or physical health condition or diagnosis
    • Data revealing the sexual orientation or sex life of an individual
    • Data revealing citizenship or immigration status
    • The processing of genetic or biometric data for the purpose of uniquely identifying an individual
    • Personal data collected from a known child
    • Precise geolocation data
  • Controller. A controller is an entity that determines the purpose and means of processing personal data, either alone or jointly with others.
  • Processor. A processor is an entity that processes personal data on behalf of a controller.
  • Process or Processing. “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data.
    • Examples: the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.


What Requirements Does the Connecticut Data Privacy Law Impose?

The Connecticut Data Privacy law requires that controllers provide consumers with a privacy notice containing the following information:

  1. The categories of personal data that are processed
  2. The purposes for which the categories of personal data are processed (i.e., for sales-related activities, market research activities, etc.)
  3. How consumers m