Connecticut joins the ranks of California, Colorado, Virginia, and Utah in passing a data privacy law slated for enforcement beginning in 2023. The bill has been sent to the Governor’s desk, and it is expected to be signed. This means brands will be facing an onslaught of differing domestic data privacy laws with which they will need to comply in 2023.
Note: I am not a lawyer – if the below is concerning, please discuss with qualified legal counsel. The full law can be read here:
Notable Definitions
There are a few key definitions to be aware of for the rest of this post – pay particular attention to Targeted Advertising, which reads a fair bit differently than other privacy law definitions.
“Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to the consumer. “Consent” may include a written statement, including by electronic means, or any other unambiguous affirmative action. “Consent” does not include (A) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information, (B) hovering over, muting, pausing or closing a given piece of content, or (C) agreement obtained through the use of dark patterns.
“Dark pattern” (A) means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice, and (B) includes, but is not limited to, any practice the Federal Trade Commission refers to as a “dark pattern”.
“Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified data or publicly available information.
“Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. “Sale of personal data” does not include (A) the disclosure of personal data to a processor that processes the personal data on behalf of the controller, (B) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer, (C) the disclosure or transfer of personal data to an affiliate of the controller, (D) the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party, (E) the disclosure of personal data that the consumer (i) intentionally made available to the general public via a channel of mass media, and (ii) did not restrict to a specific audience, or (F) the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller’s assets.
“Sensitive data” means personal data that includes (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child, or (D) precise geolocation data.
“Targeted advertising” means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated Internet web sites or online applications to predict such consumer’s preferences or interests.
“Targeted advertising” does not include (A) advertisements based on activities within a controller’s own Internet web sites or online applications, (B) advertisements based on the context of a consumer’s current search query, visit to an Internet web site or online application, (C) advertisements directed to a consumer in response to the consumer’s request for information or feedback, or (D) processing personal data solely to measure or report advertising frequency, performance or reach.
What is the effective date?
The law will begin enforcement on July 1st, 2023. This is the same effective date as Colorado’s data privacy law.
Who does it apply to?
It applies to persons that conduct business in the State of Connecticut, or that produce products or services that are targeted to residents of the State, and that during the preceding calendar year:
- Controlled or processed personal data of not less than one hundred thousand consumers (excluding data controlled or processed for completing a payment transaction); or
- Controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than 25% of gross revenue from the sale of personal data.
What is exempted?
The law does not apply to state agencies, non-profits, institutions of higher education, a national securities association, financial institutions subject to Title V of the Gramm-Leach-Bliley Act, or a covered entity or business associate as defined by 45 CFR 160.103.
There are also nearly two pages of data types that are not covered under the law because they are covered under different laws – such as health data (HIPAA), data related to children (COPPA) and the like. It is strongly encouraged to review the data affected by the law with legal counsel.
What rights do residents obtain?
Consumers gain the right to:
- Confirm whether a controller is processing the consumer’s personal data and access such personal data – unless such access would require the controller to reveal a trade secret.
- Correct inaccuracies in the consumer’s personal data.
- Delete personal data provided by, or obtained about the consumer.
- Obtain a copy of the consumer’s personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance – provided such a controller shall not be required to reveal any trade secret.
- Opt out of the processing of personal data for the purposes of: targeted advertising, sale of personal data (except as outlined in subsection (b) of Section 6 of the act), or profiling in furtherance of solely automated decisions that produce a legal or similarly significant effect concerning the consumer.
The consumer may exercise rights by a secure and reliable means established by the controller and described to the consumer in the controller’s privacy notice. The consumer may designate an authorized agent to exercise the rights.
Data Subject Requests
Controllers are on the clock once a request to exercise rights is received. The request must be answered within forty-five days of receipt. The controller may extend the response period by an additional forty-five days when reasonably necessary, provided that the controller informs the consumer of the extension, and the reason for it, within the initial forty-five day response period.
If the controller declines to take action regarding the consumer’s request, it must inform the consumer without undue delay, but not later than forty-five days from receipt of the request, and include the justification for declining and inform the consumer how they may appeal.
Information provided in response to a consumer request must be provided free of charge, once per consumer during any 12-month period. If the requests from a consumer are unfounded, excessive or repetitive, the controller may charge a reasonable fee to cover the administrative costs of complying with the request, or elect to decline to act on the request. The controller bears the responsibility of demonstrating the manifestly unfounded, excessive or repetitive nature of the request.
If the controller is unable to authenticate a request using commercially reasonable efforts, the controller shall not be required to comply with the request to initiate an action, and shall provide notice to the consumer that the controller is unable to authenticate the request to exercise such right or rights until the consumer provides additional information reasonably necessary to authenticate the consumer.
A controller is not required to authenticate an opt-out request, but may deny an opt-out request if the controller has a good faith, reasonable and documented belief that such a request is fraudulent. If a controller denies an opt-out request because of such a belief, the controller shall send notice to the person who made the request disclosing that the controller believes the request is fraudulent, why it believes the request is fraudulent, and that it will not be complying.
A controller that has obtained personal data shall be deemed in compliance with a consumer’s request to delete such data pursuant to subdivision (3) of subsection (a) of that section (the right to delete, above) by:
A: retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records and not using such retained data for any other purpose, or
B: opting the consumer out of the processing of such personal data for any purpose except for those exempted.
Controllers shall establish a process for the consumer to appeal the refusal to take action on a request within a reasonable period of time after the consumer’s receipt of the decision. Within sixty days of receipt of an appeal, the controller shall inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If the appeal is denied, the controller shall provide the consumer with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.
Privacy Policy
The controller shall provide consumers with a reasonably accessible, clear and meaningful privacy notice that includes:
- The categories of personal data processed by the controller;
- The purpose for processing said personal data;
- How consumers may exercise their consumer rights, including how they may appeal a controller’s decision in regard to the consumer’s request;
- The categories of personal data that the controller shares with third parties, if any;
- The categories of third parties, if any, with which the controller shares personal data; and
- An active electronic mail address or other online mechanism that the consumer may use to contact the controller.
If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller shall clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing.
The controller must also describe in the privacy policy one or more secure and reliable means for consumers to submit a request to exercise their rights. A controller cannot require a consumer to create an account, but may require a user to use an existing account.
Such means shall include:
- Providing a clear link on the controller’s website that enables a consumer, or an agent of the consumer, to opt out of targeted advertising or sale of the consumer’s personal data; and
- Not later than January 1st, 2025, allowing a consumer to opt out of processing of personal data for the purposes of targeted advertising or any sale of such personal data through the use of an opt-out preference signal sent, with the consumer’s consent, by a platform.
Such a platform, technology or mechanism shall:
- Not disadvantage another controller
- Not make use of a default setting, but rather require the consumer to make an affirmative, freely given and unambiguous choice to opt out of processing
- Be consumer-friendly and easy to use by the average consumer
- Be as consistent as possible with other similar platform technology required by any federal or state law or regulation; and
- Enable the controller to determine whether the consumer is a resident of this state and whether the consumer has made a legitimate request to opt out of sale of the consumer’s personal data or targeted advertising.
If the consumer’s decision to opt out conflicts with a previously obtained consent preference, the controller must honor the new preference signal, but may notify the consumer of the conflict and offer a choice to confirm.
Data Protection Assessments
A controller shall conduct and document a data protection assessment for each of the controller’s processing activities that present a heightened risk of harm to the consumer. Processing that presents a heightened risk of harm to a consumer includes:
- Processing of personal data for targeted advertising
- Sale of personal data
- Processing of personal data for the purposes of profiling where such profiling presents a reasonably foreseeable risk
- Processing of sensitive data
The Attorney General may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General and the controller shall make the assessment available.
Data Protection Assessments are exempted from disclosure under the Freedom of Information Act.
Data protection assessment requirements shall apply to processing activities created or generated after July 1st, 2023, and are not retroactive.
Permitted uses of data
Nothing in this law prevents a controller from:
- Conducting internal research to develop, improve or repair products or services;
- Executing a product recall;
- Identifying and repairing technical errors that impair existing or intended functionality; or
- Performing internal operations that are reasonably aligned with the expectations of the consumer.
Enforcement
From July 1st, 2023 until December 31st, 2024, the Attorney General may issue a cure notice upon violation, after which the affected controller has sixty days to correct the violation. If the controller does not correct it within sixty days, it may be subject to enforcement action.
On February 1st, 2024 the Attorney General is required to submit a report containing the number of notices of violation that have been issued, the nature of each violation, the number of violations that were cured during the cure period and any other matter the Attorney General deems relevant for such a report.
Beginning on January 1st, 2025, the Attorney General may decide whether or not to issue a cure notice, based on the number of violations, the size and complexity of the controller, the nature and extent of the controller’s or processor’s processing activities, the likelihood of injury to the public, the safety of persons or property, and whether such an alleged violation was likely caused by human or technical error.