Remember when we used to describe U.S. privacy regulation to our European colleagues as “sectoral” and thus limited to specific industries or circumstances—banking, healthcare, certain employment issues, identity theft, etc.? Or when we thought that the California Consumer Privacy Act (CCPA) would be an aberration? Those days seem to be fading fast. On May 10, 2022, Connecticut became the fifth state in the U.S. to enact a comprehensive data privacy statute.
Effective July 1, 2023, the law imposes CCPA-like requirements on covered businesses. In scope and requirements, the law more closely mirrors Virginia’s and Colorado’s comprehensive privacy laws, effective January 1, 2023 and July 1, 2023, respectively.
For our DataPoints updates related to other state comprehensive privacy statutes, see here:
- Utah is Fourth State to Pass Comprehensive Privacy Legislation
- Colorado Becomes Third State to Pass Comprehensive Privacy Legislation
- Virginia Passes Comprehensive Data Privacy Law
- The California Privacy Rights Act of 2020
- The Wait is Over: Proposed Regulations Implementing the CCPA are Released
Exemptions and Enforcement.
As we’ve come to expect from comprehensive privacy legislation, the Connecticut Data Privacy Act (“CTDPA”) has a broad definition of “personal data.” It includes any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include, however, de-identified data or publicly available information.
Good news for employers: the CTDPA also includes a carve-out for employee data. Specifically, the CTDPA does not apply to data processed or maintained in the course of a person applying to, being employed by, or acting as an agent or independent contractor of a controller, processor or third party, if the data is used in the conduct of that relationship. This leaves California’s CPRA as the only state comprehensive privacy law that does not have an exclusion (in whole or in part) for information collected and used in the employment relationship.
The CTDPA also does not apply to (among other exceptions) nonprofits, institutions of higher education, covered entities and business associates under HIPAA’s Privacy Rule and PHI under HIPAA, financial institutions and data subject to Title V of the Gramm-Leach-Bliley Act, and processing regulated and authorized by the Fair Credit Reporting Act. The CTDPA also does not limit a controller or processor from certain specified activities in the areas of legal compliance (including cooperating with law enforcement and defending or prosecuting legal claims), contract fulfillment, public safety, data security and health matters. Further, the CTDPA allows controllers and processors to collect, retain and use personal information for certain purposes solely internal to the business, such as internal research to improve products and services and internal operations that are reasonably aligned with the expectations of the consumer or reasonably anticipated based on the consumer’s relationship with the controller.
In addition, there is no private cause of action under the CTDPA. The Act will be enforced by Connecticut’s Attorney General. A violation of the CTDPA, however, will be a violation of Connecticut’s unfair trade practices law (Conn. Stat. 42-110b), which can carry fines up to $5,000 per violation. From the effective date (July 1, 2023) through December 31, 2024, the Attorney General must provide violators notice and 60 days’ opportunity to cure the violation if the Attorney General determines that cure is “possible.” Beginning January 1, 2025, the Attorney General has the option to allow a violator to cure, and the Act outlines certain factors that the Attorney General will consider in making that decision.
Who is Covered?
The CTDPA applies to persons conducting business in Connecticut or producing products or services targeted to residents of Connecticut if such persons, in the preceding calendar year, (i) controlled or processed the personal data of at least 100,000 consumers (excluding data controlled or processed solely for the purpose of completing a payment transaction), or (ii) controlled or processed the personal data of at least 25,000 consumers and derived at least 25% of their gross revenues from the sale of personal data. Coverage is closely aligned with, but not identical to, the Virginia, Utah and Colorado comprehensive privacy laws. For example, Virginia’s law requires that the business derive at least 50% of its gross revenue from the sale of personal data if the business is only controlling or processing the data of fewer than 100,000 consumers.
The law protects “consumers.” Consumers are limited to natural persons who are residents of Connecticut, subject to the exceptions noted above (for example, residents acting in a commercial or employment context).
Opt-ins and Opt-outs.
The CTDPA also limits targeted advertising and the sale of consumer personal information. If the consumer is a child between 13 and 16 years of age, the CTDPA permits such processing only with consent.
In addition, consumers must be given the right to opt out of (i) the sale of their personal data, (ii) targeted advertising, and (iii) profiling, if such profiling is in furtherance of automated decision-making that produces legal or similarly significant effects. Sale is broadly defined as the exchange of personal data for monetary “or other valuable consideration” by a controller to a third party. It does not include, however, disclosure to a processor that is processing on behalf of the controller; disclosure to a third party for the purpose of providing a product or service requested by the consumer; disclosure to an affiliate of the controller; disclosure directed by the consumer; disclosure of personal data that the consumer intentionally made available to the general public via mass media and did not restrict to a specific audience; or disclosure or transfer as part of a merger or other acquisition in which the third party assumes control of all or part of the business’s assets.
Targeted advertising does not include ads based on the consumer’s activities on the controller’s website and online applications or in the context of the consumer’s current search query, or ads served because the consumer requested feedback or information. It also does not include certain analytics, namely processing personal data solely to measure or report advertising frequency, performance or reach.
A consumer can exercise their opt-out rights through an agent, including through “a technology, including but not limited to, an Internet link or a browser setting, browser extension or global devices setting, indicating such consumer’s intent to opt out of such processing.”
Data Processing Assessments.
The CTDPA includes a requirement that controllers conduct a data protection assessment (DPA), similar to that required under the other states’ comprehensive privacy laws, for processing activities that present a heightened risk of harm to the consumer, including (i) targeted advertising, (ii) sale of personal data, (iii) processing of sensitive data, and (iv) processing for profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial, physical or reputational injury to consumers; physical or other intrusion into the solitude, seclusion or private affairs or concerns of consumers that would be offensive to a reasonable person; or other substantial injury to consumers. The DPA must weigh the benefit of the processing to the controller, consumer and other stakeholders against the risk to the rights of the consumers, as mitigated by any safeguards and other mitigation measures. The Connecticut AG can require the controller to disclose the DPA. Fortunately, a controller can rely on a DPA it conducted to comply with other laws or regulations if that DPA is reasonably similar in scope and effect to the one required under the CTDPA.
Under the CTDPA, consumers have the right to know whether the controller is processing their personal data, to access that personal data, to correct inaccuracies, to obtain a copy of the personal data processed by the controller (in a portable and, if feasible, readily usable format) where the processing is carried out by automated means, and to delete personal data provided by or obtained about the consumer. The controller must describe at least one “secure and reliable” method by which consumers can exercise these rights. Like the CCPA, that method must take into account the way in which the consumer normally interacts with the controller, but the controller cannot require the consumer to set up a new account to exercise the rights. The consumer can exercise the rights through an authorized agent. These rights do not apply to pseudonymous data where the controller can demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing that information.
The controller must respond to the consumer’s request “without undue delay,” and no later than 45 days after receipt of the request. That period can be extended by an additional 45 days if “reasonably necessary,” provided the controller notifies the consumer of the extension and the reason for it within the initial 45-day period. The consumer has the right to the requested information free of charge once during any 12-month period, but the covered business can charge a fee or decline to act on the request if the request(s) are “manifestly unfounded, excessive, or repetitive.” The covered business also can deny the request if it cannot authenticate the consumer. However, the controller does not need to authenticate a consumer in order to address an opt-out request, and the controller can deny the opt-out if it has a good-faith, reasonable and documented belief that the request is fraudulent, but it must send a notice in response to the request stating why the controller believes the request is fraudulent and that the controller will not comply.
The CTDPA includes familiar fair information practice principles, including data minimization (limiting collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer), use limitation (prohibiting processing that is “neither reasonably necessary to, nor compatible with” the purposes disclosed to the consumer unless the consumer consents), proportionality (requiring that the processing be reasonably necessary and proportional to the purposes listed in the CTDPA), notice and consent (including notice to consumers of the purpose and scope of collection and processing, and requiring consent to the processing of sensitive data and to processing of personal data beyond the purpose disclosed by the covered person), and security (requiring the controller to have reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data). The controller must also provide a mechanism for the consumer to revoke consent that is at least as easy as the mechanism for providing consent, and the controller must cease processing no later than 15 days after receipt of the revocation.
Controller Privacy Notice.
The CTDPA requires the controller’s privacy notice to include the categories of personal data collected and processed, the purpose of processing, how consumers can exercise their rights (including appeal rights), the categories of personal data that the controller shares with third parties, the categories of third parties with whom the data is shared, and an active email address or other online mechanism that can be used to contact the controller. If the controller sells personal data to third parties or processes personal data for targeted advertising, the controller must “clearly and conspicuously” disclose that processing and the manner for exercising opt-out rights. It must include a link on the controller’s website to an Internet web page that enables the consumer or their agent to opt out of the targeted advertising and/or sale. By January 1, 2025, the controller must also be able to honor an opt-out of targeted advertising or sale via an opt-out preference “signal sent, with such consumer’s consent, by a platform, technology or mechanism to the controller indicating such consumer’s intent to opt out.” The technology is not defined, but the CTDPA does state that it cannot be a default setting. It will require the consumer to make an affirmative, freely given and unambiguous choice to opt out.
Further, although de-identified information is excluded from the definition of personal data, the controller must publicly commit not to attempt to re-identify the data and must contractually obligate recipients of the de-identified data to comply with the CTDPA.
Processor Obligations / Vendor Contracts.
Like GDPR and other comprehensive state privacy regulation, the CTDPA requires a contract between the controller and the processor governing and specifying the obligations of the processor. The requirements are similar to those under these other laws. Processors are well-advised to carefully negotiate and adhere to instructions from the controller. The CTDPA states that “a person who is not limited in such person’s processing of personal data pursuant to a controller’s instructions, or who fails to adhere to such instructions,” is a controller with respect to the specific processing at issue.
The CTDPA prohibits discrimination against consumers in a manner that violates other state or federal laws or for exercising their rights under the CTDPA. Like the CCPA, the CTDPA permits offering preferred terms (such as preferred pricing or selection of goods or services) related to a consumer’s voluntary participation in a bona fide loyalty or rewards program.
Expect more to come from Connecticut. The CTDPA requires the General Assembly to convene a task force to study various privacy-related issues, including information sharing among healthcare and social service providers, children’s privacy, and data colocation. In alignment with the focus on artificial intelligence by other lawmakers, the task force also is required to address reducing bias in algorithmic decision-making. The task force must submit its report by January 1, 2023.
We also will undoubtedly see more states jumping on the bandwagon. As of the date of this article, privacy bills have been introduced in Alaska, Louisiana, Massachusetts, Michigan, New York, North Carolina, Ohio, Pennsylvania, and Rhode Island. Not all will become law, but the wagons are circling.