And Then There Were Five: Connecticut Joins the Privacy Bandwagon

Late last month, after two years of negotiation, the Connecticut legislature passed an omnibus data privacy bill, which the governor signed this week, making Connecticut the fifth state to enact comprehensive privacy legislation.

Connecticut's Act Concerning Personal Data Privacy and Online Monitoring (the Act) most closely resembles the Colorado Privacy Act while borrowing elements from the Virginia Consumer Data Protection Act and the other state privacy laws as well. (For information about the other recently passed state laws, see our alerts here, here, and here.)

The Act gives consumers the right to access, delete, correct, and port their personal data; allows them to opt out of targeted advertising, profiling, and the sale of their personal data; and to prohibit the processing of sensitive data. It gives businesses a right to cure, which sunsets after 18 months; imposes data governance obligations on them; and requires them to conduct data protection assessments, among other things.

The Act does not provide a private right of action—the Connecticut attorney general has sole enforcement authority.

Scope of Coverage

Who Is Covered

The Act applies to for-profit entities that conduct business in Connecticut or produce products and services that are intentionally targeted to Connecticut residents ("consumers") and that during the preceding calendar year fall into one of the following two categories:

• (1) Processed the personal data of at least 100,000 consumers (excluding personal data processed solely to complete transactions); or
• (2) Processed the personal data of at least 25,000 consumers and derived more than 25 percent of gross revenue from the sale of personal data.

Like Colorado and Virginia, the Act focuses on the amount of personal data a business processes, not the amount of gross revenue that the business generates (under the CCPA, companies that generate $25 million or more annually are covered), although, as under Colorado and Virginia, businesses that process a certain amount of personal data and generate a certain amount of revenue from the sale of personal data will satisfy the threshold.

Things get complicated in the details: under Virginia and Utah law, businesses must receive 50 percent of annual revenue from such sales, whereas under Colorado, any amount of revenue or discounts on goods or services from the sales of personal data will satisfy the jurisdictional requirement.

Connecticut splits the difference and sets the threshold at 25 percent or more of gross revenues derived from such sales. Companies that "sell" personal data will need to pay attention to their annual revenue from "sales" of personal data to determine whether and when they cross this threshold in the various states.

What Data Is Covered

Connecticut follows Virginia, Utah, and Colorado in defining "personal data" to mean information that is linked or reasonably linkable to an identified or identifiable individual. But it takes a different approach from all the other laws with respect to the carve-out for "publicly available information" and, as a result, it will regulate more data than Virginia and Utah but less information than Colorado.

Specifically, Connecticut exempts from the definition of "personal data" any information lawfully made available through government records or widely distributed media, as well as information that a controller has a reasonable basis to believe that a consumer has lawfully made available to the general public.

Colorado is more restrictive because it does not exempt information made available through "widely distributed media," while Virginia and Utah open the spigot for more unregulated data sharing by exempting from the definition of "personal data" any information lawfully made public by a person to whom the consumer has disclosed the information so long as the consumer did not restrict the information to a specific audience.

If this sounds complicated, that is because it is: These subtle but important distinctions mean that businesses that want to apply the state laws only when applicable will have to develop and implement processes to analyze and tag data obtained from and about different state consumers to ensure compliance.

Exempt Data and Businesses

Finally, Connecticut exempts certain information entirely, such as certain types of health-related information including protected health information regulated under the Health Insurance Portability and Accountability Act (HIPAA); data regulated under other federal statutes, including the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act, the Driver's Privacy Protection Act, and the Family Educational Rights and Privacy Act; and data collected from individuals acting in an employment or commercial context.

Connecticut also exempts certain entities in their entirety, including non-profits, institutions of higher education, and those covered by the GLBA and HIPAA.

Consumer Rights

Connecticut gives consumers a range of rights that will be familiar to those who have been following the evolution of state privacy laws. Specifically, consumers are given the right to:

• (1) Confirm whether their personal data is being processed and to access such data;
• (2) Correct inaccuracies in their personal data;
• (3) Delete personal data provided by or obtained about the consumer;
• (4) Obtain a copy of their personal data (once a year) in a portable and—if technically feasible—readily usable format;
• (5) Opt out of "sales," targeted advertising, and profiling (or parent/guardian opt-in for a child) used to make "solely automated" decisions that produce legal or similarly significant effects;
• (6) Control the processing of their "sensitive" data; and
• (7) Be free from retaliation (by increasing costs or decreasing availability of products or services) for exercising rights under the Act.

Controller/Processor Obligations

Agreements between Controllers and Processors

Like Virginia, Utah, and Colorado, the Act uses the Eurocentric terms "controller" to describe entities that determine the purpose and means of processing and "processor" to define those that process data on behalf of controllers.

Controllers and processors must enter into contracts that govern their relationship, although—like Colorado—the Act imposes greater restrictions on processors, requiring them to subject themselves to "audits" (rather than "assessments," as required in Virginia) and to give controllers the opportunity to object to specific subcontractors.

Privacy Notices

The Act requires controllers to provide consumers with privacy notices that describe the categories of personal data collected and processed, the purpose for processing, the consumers' rights and how to exercise them, the categories of personal data that the controller shares with third parties and the categories of such third parties, and whether the company sells personal data or uses it for targeted advertising or profiling.

Data Governance

Controllers also must develop and implement business processes to ensure strong data governance (e.g., limit the collection of personal data to what is adequate, relevant, and reasonably necessary to achieve the purpose of processing, and not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed).

Controllers must also protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.

Data Protection Assessments

The Act requires controllers to conduct data protection assessments of processing that "presents a heightened risk of harm," including processing for targeted advertising; sales; processing for profiling when such profiling presents a reasonably foreseeable risk of unfair treatment, injury, intrusion into private affairs, or other substantial injury; and processing sensitive data.

Controllers must turn data protection assessments over to the attorney general upon request when such assessments are relevant to an investigation. Data protection assessments conducted to comply with other applicable laws or regulations may satisfy this requirement if they are reasonably similar in scope and effect to the assessment that the Act requires.

Other Things to Know

Businesses should understand other key elements of the Act as they develop their privacy programs.

Rights Apply to Personal Data Collected From and About the Consumer:

Like Colorado, Connecticut's consumer rights apply to personal data collected both from and about consumers. (Virginia and Utah allow consumers to port only data that consumers have provided to the controller, and—to make things more complicated—California and Utah limit the right to delete to the personal information that the consumer has provided to the business.)

Controllers May Deny Opt-Out Requests in Certain Circumstances:

Connecticut allows controllers to deny opt-out requests when they have a good faith, reasonable, and documented belief that such requests are fraudulent. Neither Virginia nor Colorado give controllers this discretion, but Utah allows controllers to deny a request when they reasonably believe that (1) the primary purpose in making the request was something other than exercising a right, or (2) the request was part of an organized effort to interfere with the controller's business.

Trade Secrets Protected:

Unlike the other state laws, Connecticut includes provisions that allow businesses to protect trade secrets when responding to consumer requests. Specifically, controllers are not required to comply with requests to confirm or access personal data or to port personal data in ways that would reveal trade secrets.

Sales Include Exchanges of Personal Data for Non-monetary Consideration:

Like California and Colorado (but unlike Virginia and Utah), Connecticut defines "sale" broadly to include not just an exchange of personal data for money but also for "other valuable consideration." Certain exchanges for non-monetary consideration are excluded, however, including:

• Disclosures to processors or "affiliates," which—helpfully—include entities under common control with the business even if they do not share common branding;
• Disclosures to third parties for the purpose of providing the product or service that the consumer requested; in the context of corporate change such as a merger;
• Where the consumer directs or uses the controller to disclose the data to a third party; and
• Information that the consumer intentionally makes to the general public through mass media, so long as the consumer has not restricted the disclosure to a specific audience.

Targeted Advertising Does Not Include Ads Based on Activities on Affiliated Websites:

Like Virginia, Colorado, and Utah, Connecticut gives consumers the right to opt out of "targeted advertising," which is defined narrowly to exclude ads based on a consumer's activities within the controller's own websites and apps, as well as:

• (1) Ads based on activities on the controller's affiliated websites;
• (2) Contextual ads;
• (3) Ads displayed in response to a request for information or feedback; and
• (4) The processing of personal data solely for measuring or reporting ad performance, frequency, or reach.

Also, like Colorado, Connecticut includes in the definition of "targeted advertising" ads that are based on data "inferred" from consumers' online activity across non-affiliated websites and not just personal data "obtained" from such activity.

Therefore, any advertising targeted to consumers based on profiles developed from consumers' online activity—even if not based on the actual data itself—would be "targeted advertising" under the Connecticut law, although this is unlikely to have much operational impact in practice.

The ability to use data obtained from consumers' activities across affiliated websites that are not co-branded will be helpful for larger companies that manage many different brands whose affiliation with the parent entity is not apparent to consumers.

Consumers Must Opt In to Processing of Sensitive Data:

As under the Virginia and Colorado laws, businesses must obtain opt-in consent from consumers before processing their "sensitive data." Connecticut follows California and requires parental consent for children under 16 instead of under 13, as is the case in the other states.

"Sensitive data" includes data that reveals:

• Racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, and citizenship or immigration status;
• Genetic or biometric data used to uniquely identify a natural person;
• Data collected from a known child; and
• Precise geolocation data. (Virginia includes precise geolocation data in its definition of "sensitive data," while Colorado does not.)

Connecticut joins the other states in providing consumers more control over their sensitive data than they have under California law, which gives consumers a limited right, under certain circumstances, to opt out of the use and disclosure of their sensitive data for purposes other than to provide the goods or services requested and several other limited purposes.

Like Virginia, Connecticut defines the term "biometric data" (Colorado does not) and expressly excludes from the definition digital or physical photographs and audio and video recordings. Because Connecticut excludes such information only if it is not "used to identify a specific individual," companies using "biometric data" in Connecticut will need to get opt-in consent from consumers before using photo or video images to train facial recognition technology or before using facial recognition technology to identify consumers.

The opt-in consent requirement does not appear to apply when digital or physical photos or audio or video recordings are used to authenticate a consumer, however, so long as the sole purpose of using the biometric data is to authenticate and not identify a particular individual. (Virginia's law takes a similar approach by limiting the type of "biometric data" that will be considered "sensitive" to biometric data used to uniquely identify an individual.)

Authorized Agents May Make Requests

Connecticut follows Colorado and California and allows authorized agents to make requests on behalf of consumers and requires controllers to verify such agents' authority to make such requests. Because Utah and Virginia do not allow authorized agents to make requests, companies dealing with consumers in Utah and Virginia will need to limit responses in those states to requests from residents only.

Appeals Process Required

Like Virginia and Colorado, Connecticut requires controllers to allow consumers to appeal decisions to deny their requests to exercise their rights. Neither California nor Utah requires an appeals process.

Pseudonymous Data Is Excluded From Some Requirements

Also like Colorado, Virginia, and Utah, Connecticut recognizes a separate category of data—"pseudonymous data"—that is not subject to the rights to access, correct, delete, or port personal data. Pseudonymous data is information that "cannot be attributed to a specific individual without the use of additional information, provided such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual."

Companies' ability to maintain and use pseudonymous data may increase operational flexibility and reduce compliance burdens. Like Virginia, Connecticut expressly requires controllers to exercise reasonable oversight to monitor compliance with contractual commitments necessary to maintain data in pseudonymous form when they disclose such data to other entities.

Global Opt-Out Mechanism

Like Colorado, Connecticut requires controllers to recognize opt-out preference signals that indicate a consumer's request to opt out of targeted advertising or sales. The platform, technology, or mechanism sending the signal must, among other things, allow the controller to determine whether a consumer is a Connecticut resident and be as consistent as possible with similar mechanisms required under other laws or regulations (although unlike Colorado, which directs the Colorado attorney general to address this issue through the rulemaking process, Connecticut does not provide for a method to ensure such interoperability).

Controllers will be required to recognize such signals beginning no later than January 1, 2025.

Right to Cure

During the first 18 months during which the Act is in effect (from July 1, 2023, through December 31, 2024), controllers will have 60 days to cure alleged violations after receiving notice from the attorney general, if the attorney general determines that a cure is possible. If the controller is unable to cure the alleged violation, the attorney general may bring an enforcement action.

Beginning January 1, 2025, however, the right to cure becomes discretionary, and the attorney general may consider not just whether a cure is possible but several other factors including the number of violations involved, the size and complexity of the controller or processor and the nature of their activities, the substantial likelihood of injury to the public and safety of persons or property, and whether the alleged violation was likely caused by human or technical error.

Enforcement

Violations of the Act are deemed an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA), which provides for civil penalties of up to $5,000 per willful violation. Although CUTPA provides consumers a private right of action, the Act expressly precludes a private right of action for consumers and gives the attorney general exclusive authority to enforce the Act.

Just the Beginning

By September 1, 2022, Members of the Connecticut General Assembly must convene a task force to study and submit a report by January 1, 2023, with recommendations regarding the following issues:

• (1) Information-sharing among health care providers and social care providers and the elimination of disparities and inequities;
• (2) Ways to reduce bias in algorithmic decision-making;
• (3) Children's privacy legislation;
• (4) Age verification of children on social media;
• (5) The impact of the Act on data storage and colocation services;
• (6) Expansion of the Act to cover additional persons or groups; and
• (7) Any other data privacy topics.

Connecticut legislators remain committed to expanding the scope of privacy protections for Connecticut consumers, so watch this space.