Connecticut Data Privacy Law to Take Effect

The Connecticut Data Privacy Law, if enacted, would become the nation’s fifth comprehensive state data privacy bill, following bills passed in California, Virginia, Colorado, and Utah. Details of the Connecticut Data Privacy law are provided below.

Connecticut Data Privacy Law: Coverage and Definitions

The Connecticut Data Privacy law, like the other four state data privacy laws, regulates certain entities engaged in commerce. 

To qualify as a regulated entity under the Connecticut Data Privacy law, a business must meet these two requirements:

1. Either conduct business in Connecticut or produce products or services that are targeted to Connecticut residents.
2. Have engaged in a certain amount of activity in the preceding calendar year, either by:
   1. Controlling or processing the personal data of at least 100,000 consumers (excluding personal data controlled or processed to complete payment transactions); or
   2. Controlling or processing the personal data of at least 25,000 consumers, AND having derived more than 25% of gross revenue from the sale of personal data.

The Connecticut Data Privacy Law contains the following definitions.

• Personal data. Personal data means any information linked or reasonably linkable to an identified or identifiable individual. Examples of personal data include name, age, address, phone number, and email address. “Personal data” does not include de-identified data or publicly available information.
• Sensitive data. Sensitive data is personal data that includes:
  • Data revealing racial or ethnic origin
  • Data revealing religious beliefs
  • Data revealing mental or physical health condition or diagnosis
  • Data revealing the sexual orientation or sex life of an individual
  • Data revealing citizenship or immigration status
  • The processing of genetic or biometric data for the purpose of uniquely identifying an individual
  • Personal data collected from a known child
  • Precise geolocation data
• Controller. A controller is an entity that determines the purpose and means of processing personal data, either alone or jointly with others.
• Processor. A processor is an entity that processes personal data on behalf of a controller.
• Process or Processing. “Process” or “processing” means any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data.
  • Examples: the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

What Requirements Does the Connecticut Data Privacy Law Impose?

The Connecticut Data Privacy law requires that controllers provide consumers with a privacy notice containing the following information:

1. The categories of personal data that are processed
2. The purposes for which the categories of personal data are processed i.e., for sales-related activities, market research activities, etc.)
3. How consumers may exercise a right provided by the Connecticut Data Privacy law 
4. The categories of personal data that the controller shares with third parties
5. The categories of third parties with whom the controller shares personal data
6. An active electronic mail address or another online mechanism that the consumer may use to contact the controller

The Connecticut Data Privacy law imposes limits on the collecting, processing, and use of data. Specifically, controllers must (among other things):

1. Limit the collection of data to what is adequate, relevant, and reasonably necessary in relation to the purpose for which data is processed (as disclosed to customers).
2. Not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which the data is being processed (unless the controller obtains consent).
3. Establish, implement, and maintain data security practices, among other requirements. This means the controller must adopt reasonable administrative, technical, and physical data security practices to protect personal data confidentiality, integrity, and accessibility. These practices must be appropriate to the volume and nature of the personal data at issue.
4. Obtain consent for the processing of sensitive data. “Consent” means a clear affirmative act indicating a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data related to the consumer. Consent may include a written statement or any other unambiguous positive (affirmative) action. 
5. Comply with opt-out requests received from the consumer.
6. Obtain opt-in consent for the collection and processing of “sensitive” information.

What Rights Does the Connecticut Data Privacy Law Give to Consumers?

The Connecticut Data Privacy law gives consumers the right to:

• Receive a privacy notice (see above)
• Confirm whether a controller is processing the consumer’s personal data
• Access personal data
• Opt out of the use of consumer personal data for certain purposes, including targeted advertising, the sale of personal data, and automated profiling decisions that “produce legal or similarly significant effects concerning the consumer
• Correct inaccuracies in the consumer’s personal data
• Obtain a copy of the consumer’s personal data processed by the controller in a portable and readily usable format. The format must be portable – that is, it must allow the consumer to transmit the data to another controller without hindrance

Connecticut Data Privacy Law: Safe Harbor for PHI

Protected health information under HIPAA is exempted from the application of the Connecticut Data Privacy Act. In other words, the Act does not specifically regulate PHI. Covered entities and business associates are exempt from the Connecticut Data Privacy Law to the extent their activities include creating, transmitting, receiving, or maintaining PHI. If a HIPAA covered entity happens to conduct an activity that the Connecticut Data Privacy Act regulates, the HIPAA-covered entity must comply with the relevant regulation (assuming the Act applies to it in the first instance; see “Coverage,” above). 

The legislation contains an effective date of July 1, 2023. The law would be enforced through actions brought by the Connecticut Attorney General.