Connecticut’s new privacy law: What you need to know

May 23, 2022 Alerts and Newsletters

As part of its growing privacy practice, Verrill is pleased to share this advisory on Connecticut’s new privacy law. Verrill offers a sophisticated range of privacy and cybersecurity services.

On May 10, 2022, Connecticut became the fifth state to enact comprehensive consumer privacy legislation, creating new rights for Connecticut residents and new obligations for certain organizations doing business in the Constitution State.

Companies operating in Connecticut or otherwise targeting or selling products or services to Connecticut residents should carefully evaluate whether they are subject to this new law, and if so, how to revise their existing data privacy policies to conform to the new law’s requirements.

Key Provisions

Connecticut’s “An Act Concerning Personal Data Privacy And Online Monitoring” will go into effect on July 1, 2023. The law shares and expands upon provisions of privacy laws recently enacted by Virginia, Utah, Colorado, and California. Broadly, this law offers Connecticut residents several key rights regarding their personal data maintained by a business, including the right:

  1. to access the data,
  2. to correct inaccuracies in the data,
  3. to request copies of the data, and
  4. to delete personal data that is maintained by the business.

Further, Connecticut residents will have the right to opt-out of the sale or processing of their personal data for the purposes of targeted advertising or profiling.

In addition to requiring businesses to respond to consumer requests regarding their personal data described above, this law creates further affirmative obligations for businesses, including that they must:

  1. Minimize the collection of personal data and refrain from processing personal data for purposes not disclosed to the consumer (unless the business has otherwise obtained consumer consent);
  2. Establish and maintain reasonable technical and physical data security practices to protect personal data; and
  3. Provide Connecticut residents with a privacy notice describing the categories of personal data processed and the purpose of the processing, if the entity shares or sells personal data with third parties, and how the consumer may exercise their right to access, modify, delete, or opt-out of the business’s use of personal data for targeted advertising or sale.

Critically, this law does not create a private right of action for consumers, but instead vests exclusive enforcement authority in the Connecticut Attorney General. During the first two years of implementation, the Attorney General must issue a notice of violation and permit the business an opportunity to cure the violation within 60 days of notice. Beginning in 2025, however, the opportunity to cure is no longer guaranteed. Violations of this privacy law automatically constitute an “unfair trade practice,” permitting the Attorney General to bring a claim under the Connecticut Unfair Trade Practices Act (CUTPA), further exposing violators to injunctive action, actual and punitive damages, and civil penalties.

Practical takeaways:

  1. Determine if this law applies to your business.

    Generally, this law applies to persons and entities that
    1. conduct business in Connecticut; or
    2. produce products or services targeted or sold to Connecticut residents and, during the previous calendar year, either:
      1. controlled or processed the personal data of at least 100,000 Connecticut consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
      2. controlled or processed the personal data of at least 25,000 Connecticut consumers, if the business derived more than 25% of its gross revenue from the sale of personal data.

Certain organizations are exempt from compliance with the law. Notably, these organizations include non-profit entities, institutions of higher education, financial institutions subject to the Gramm-Leach-Bliley Act, and covered entities and business associates as defined by HIPAA.

  2. Update and revise policies and practices to conform to Connecticut requirements.

If your company is subject to Connecticut’s new law, now is the time to evaluate your existing consumer data policies and update them as necessary to comply with the new obligations. For example, does your current Privacy Notice outline the types of consumer data collected and used, or inform consumers how they may contact you to access, modify, or delete their data? What technical and physical safeguards are in place to protect consumer data? Do you have a mechanism to respond to a browser plug-in signal indicating that a consumer intends to opt-out of the processing of their personal data?

  3. Connecticut is just the latest piece in the consumer privacy compliance puzzle.

Given the overlap with other similar legislation recently enacted by California, Virginia, Colorado, and Utah, you may already have a solid foundation to respond to Connecticut’s requirements. Nevertheless, some aspects of Connecticut’s law are different from what is required in other states, necessitating a careful analysis of each law’s requirements to minimize exposure.

Contact Verrill if you have questions about whether this law applies to your business and to learn more about how your organization can develop practical and comprehensive data privacy policies to respond to the constantly evolving patchwork of state consumer data privacy requirements.