Connecticut became the fifth state to enact comprehensive consumer data privacy legislation on May 10, with Governor Ned Lamont’s signing of Substitute Senate Bill 6 (Public Act 22-15 or Act).  This makes Connecticut the fifth state to enact such legislation following California, Virginia, Colorado, and Utah. The Act will go into effect July 1, 2023.

As described below, the Act is similar to the laws passed in Virginia, Colorado, and Utah.

Applicability

The Act applies to persons that conduct business in Connecticut or persons that produce products or services that are targeted to Connecticut residents and that during the preceding calendar year:

  1. Controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

Exemptions

The Act includes exemptions for:

  1. Financial institutions or data subject to the Gramm-Leach-Bliley Act (GLBA);
  2. Covered entities and business associates as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule;
  3. Personal information used pursuant to the Fair Credit Reporting Act;
  4. Nonprofit organizations;
  5. Protected health information under HIPAA, and certain other health related data;
  6. Institutions of higher education;
  7. Boards, agencies, and political subdivisions of the state;
  8. National securities associations;
  9. Data processed or maintained for certain employment purposes.

Consumer Rights

The Act provides consumers with the right to:

  1. Confirm and access personal information being processed;
  2. Correct inaccuracies;
  3. Delete personal data provided by the consumer or obtained from other sources;
  4. Obtain a portable copy of the consumer’s personal data;
  5. Opt-out of the processing of personal data if the purpose of the processing is: a) targeted advertising; b) sale of personal data; or c) profiling.

Contractual Requirements

A contract between a controller (an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data) and a processor (an individual who, or legal entity that, processes personal data on behalf of a controller) must ensure:

  1. Each person processing personal data is subject to a duty of confidentiality;
  2. Deletion or return of all personal data at the end of the processor’s provisions of services;
  3. Availability to the controller of information evidencing the processor’s compliance with the Act;
  4. Processor’s contracts with subcontractors are in writing and mirror the obligations of the processor with respect to personal data;
  5. Cooperation from the processor with the controller’s reasonable assessment requirements.

Risk Assessments

Under the Act, some processing is considered to present a “heightened risk of harm” to consumers, in which case, a controller is required to conduct and document a data protection assessment to “identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.”

Such processing includes:

  1. Processing for the purpose of targeted advertising
  2. Processing for the purpose of sale
  3. Processing for the purpose of profiling, in some instances
  4. Processing sensitive data, such as personal data related to race, religion or health conditions, genetic or biometric data, personal data collected from a known child, and precise geolocation data.

The Attorney General may require the disclosure of an assessment if relevant to an investigation, but the assessment is confidential and not subject to public disclosure.

Enforcement

The Attorney General has the exclusive authority to enforce the Act but must first provide a 60-day opportunity to cure if, in the Attorney General’s opinion, cure is possible. The cure provision sunsets December 31, 2024.

In the absence of a cure, a violation is enforced as an unfair trade practice pursuant to Conn. Gen. Stat. § 42-110b, allowing for a temporary restraining order or permanent injunction which, if violated can result in a civil penalty of not more than $25,000 per violation. Additionally, a violative act or practice that was willful may result in a civil penalty of not more than $5,000 per violation.

RMAI recommends that you share this Member Alert with those in your business responsible for consumer data privacy.

This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.