Connecticut Poised to Enact Consumer Privacy Law
Proposed Legislation Draws Heavily from Virginia, But Further Complicates Landscape
- Connecticut has positioned itself to become the fifth state to implement comprehensive consumer privacy legislation, after both chambers of the state legislature approved draft bill SB 6 in late April.
- Connecticut's "Act Concerning Personal Data Privacy and Online Monitoring" adopts the same approach as the Virginia Consumer Data Protection Law (VCDPA), with only minor variations. The bill will become law if signed by Gov. Ned Lamont or if no action is taken by mid-May.
- This Holland & Knight alert provides key details on Connecticut's consumer privacy legislation and a comparison with four other states that have passed similar privacy legislation.
Connecticut has positioned itself to become the fifth state to implement comprehensive consumer privacy legislation, after both chambers of the state legislature approved draft bill SB 6 on April 22, 2022, and April 28, 2022, respectively. The "Act Concerning Personal Data Privacy and Online Monitoring" adopts the same approach as the Virginia Consumer Data Protection Law (VCDPA), with only minor variations. The bill will become law if signed by Gov. Ned Lamont or if no action is taken by mid-May.
The following tables compare the Connecticut bill to the laws of the four other states that have passed comprehensive consumer privacy legislations. A State Consumer Privacy Laws "cheat sheet" is also available for download.
With the passage of SB 6, some trends become clear: California is an outlier in extending rights to workforce members and business-to-business contacts. It is also an outlier in containing any sort of private right of action – the laws of the other four states can only be enforced by state regulators. The emerging trend is for laws to require notice and certain consumer rights, opt-in consent for processing of sensitive personal information in some circumstances, data minimization and other data management obligations, to require data protection impact assessments, and protection of personal information when shared with vendors.
The Connecticut bill, if it becomes law, will create new rights for Connecticut residents similar to those of consumers in Virginia and Colorado. The few minor distinctions in SB 6 include an explicit requirement to obtain consent to sell the personal information of a minor between ages 13-16 or process such information for advertising – an expansion past Virginia, which only requires opt-in consent up to age 13, to align with California.
Connecticut followed the approach of recent VCDPA amendments by including language related to the deletion right that allows for businesses to address issues of repopulating data feeds by opting the consumer out of processing, instead of full deletion. But since the other three states do not offer that option, it is unclear whether this will provide operational relief.
Request Submission and Handling
On the submission and handling of consumer rights requests, Connecticut's new law closely parallels the Colorado Privacy Act (CPA) as opposed to Virginia. Connecticut follows California and Colorado in setting forth a requirement that businesses allow consumers to opt-out of targeted advertising or sale via an opt-out preference signal sent by some sort of technical mechanism (such as a user-enabled browser control). Unlike California and Colorado, however, there is no requirement in the Connecticut law that specifications for the technical mechanism be approved by the state regulator, creating uncertainty as to whether industry norms can develop around user-enabled controls.
All five of the laws being implemented in 2023 expand past the consumer-facing requirements put in place by California in 2020 through the California Consumer Privacy Act (CCPA) and require businesses to implement certain obligations related to the handling of data from all consumers.
Connecticut follows the trend in allowing violations to be enforced only by its state Attorney General. Like Colorado, the Connecticut attorney general must provide a 60-day notice and opportunity to cure violations. The cure window, however, sunsets at the end of 2024. Violations of SB 6 are treated as a deceptive trade practice under the state Unfair and Deceptive Acts and Practices (UDAP) statute, and punishable by civil penalties of up to $5,000 plus actual and punitive damages and attorneys' fees and costs. California continues to be the only state to allow a private right of action – limited to certain types of data breaches only.
For more information or questions regarding Connecticut's consumer privacy legislation, its impact or relation to the four other state privacy laws, contact the authors or another member of Holland & Knight's Data Strategy, Security and Privacy Team.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.