Understanding the Connecticut Personal Data Privacy and Online Monitoring Act

What Does the Connecticut Privacy Law Mean for Businesses?

Connecticut passed the fifth US State privacy law on May 10, 2022.

The Connecticut privacy law will apply to persons that conduct business in Connecticut or that produce products or services that target Connecticut residents.

For businesses operating in Connecticut or across the US, there are some key differences in Connecticut’s law worth your attention.

Heads Up Small Businesses

There is no minimum revenue requirement for applicability. Thus, small businesses may be subject to the Connecticut Privacy Act.

Whether the Connecticut law applies depends on the amount of consumers’ data collected and processed and how the data is classified in a calendar year.

The Connecticut Personal Data Privacy and Online Monitoring Act applies to businesses that:

• Control or process the personal data of 100,000 or more Connecticut residents.
  • Consumer data that is exclusively controlled or processed for the purpose of completing a payment transaction is excluded from that minimum threshold.
• Control or process the data of 25,000 or more consumers and derive more than 25% of its gross income from the sale of personal data.
  • Sale is broadly defined to include monetary along with valuable consideration.

How will the Connecticut Privacy Act be Enforced?

The Connecticut Privacy law will be effective on July 1, 2023. But until December 31, 2024, there will be a mandatory 60-day cure period.

During this time, the Attorney General (AG) can’t enforce a violation if it is cured within that time. But this will only apply to violations that the AG feels can be cured.

Between July 1, 2023, and December 21, 2024, the AG will track violations and cures for a report detailing the number and nature of violations.

It will include the number of violations cured and any other relevant information.

This will likely be a valuable resource for businesses looking to learn from others’ mistakes.

Moving forward, the cure period will be optional up to the discretion of the AG.

For those who aren’t familiar, a cure period is similar to a grace period, in which you are given the chance to remedy the situation.

The AG will consider elements of the violation:

• Number of violations
• Size and complexity of the data controller or processor
• Nature and extent of processing activities
• Substantial likelihood of injury to the public
• Safety of persons or property
• Whether such alleged violation was likely caused by a human or technical error

The Difference Between Personal Data and Sensitive Data in the Connecticut Privacy Act

Personal Data refers to any information that is linked or reasonably linkable to an identified or identifiable individual. It doesn’t include de-identified data or publicly available information.

Sensitive Data refers to personal data that includes:

• Data revealing
  • Racial or ethnic origin
  • Religious beliefs
  • A mental or physical health condition or diagnosis
  • Sex life
  • Sexual orientation
  • Citizenship or immigration status
• The processing of genetic or biometric data for the purpose of uniquely identifying an individual
• Personal data collected from a known child, or
• Precise geolocation data

Consumer Rights You Need to Know About

The Connecticut Privacy Act provides Connecticut residents with the following rights.

Confirm whether or not a controller is processing the resident’s personal data.

Access to such personal data.

Correct inaccuracies in the resident’s personal data.

Delete personal data provided or obtained about the resident.

Obtain a copy of the resident’s personal data processed by the controller, in a portable, readily usable format that allows the resident to transmit the data to another controller without hindrance.

Opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the resident.

The above rights are just a summary of the requirements provided in the Connecticut Privacy Act. To ensure you are in compliance with the law, please consult legal counsel.

Submitting Requests

Data controllers or organizations must provide a blatantly obvious and easy-to-use process for Connecticut residents to submit rights requests.

Take into account how the resident typically interacts with the controller and how the controller could identify the consumer.

Timing and Appeals

The requests mentioned above must be responded to without undue delay. The response time should be no later than 45 days.

Only due to the complexity and number of requests received, this can be extended another 45 days. But the consumer must be informed during the first 45 days.

Opt Outs

Provide a clear and obvious means for Connecticut residents to opt-out of the sale of their data or targeted advertising.

Opt-Out Mechanism Requirement

Data controllers or businesses will have until January 1, 2025, to implement a platform, technology, or mechanism to accommodate opt-outs.

This signal should be sent to the controller to indicate the resident’s intent to opt-out of any such data processing or sale.

The platform, technology, or mechanism will need to comply with these requirements:

• It can’t unfairly disadvantage another controller.
• It doesn’t use a default “on” setting. Instead, require the resident to make an affirmative, freely given, and clear choice to opt-out of any processing of their personal data.
• Be consumer-friendly and easy to use by the average Connecticut resident.
• Be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation.
• Enable the controller to accurately determine whether the consumer is a resident of Connecticut and whether they’ve made a legitimate request to opt-out of any sale of personal data or targeted advertising.

Connecticut Privacy Act: DPIAs

Starting July 1, 2023, controllers shall conduct and document a data protection assessment for each of their new or changed processing activities that presents a heightened risk of harm to a consumer.

Processing that may present a heightened risk of harm to a consumer includes:

• Processing sensitive data.
• Data used for targeted advertising.
• The sale of personal data.
• Data used for profiling where profiling presents a reasonably foreseeable risk of
  • unfair or deceptive treatment of, or unlawful disparate impact on, consumers
  • financial, physical, or reputational injury to consumers
  • physical or other intrusions upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person, or
  • other substantial injuries to consumers.

Data protection assessments shall identify the benefits that may flow directly and indirectly from the processing to the controller, the consumer, and other stakeholders.

The benefits should be weighed against the potential risks to the rights of the consumer associated with such processing. And mitigated by safeguards that can be employed by the controller to reduce such risks.

Controller Responsibilities You Need to Know About

While this is not an exhaustive list, controllers must:

• Limit the collection of personal data to what is adequate and reasonably necessary in relation to the purpose of the data being processed.
• Avoid processing personal data for purposes that are not reasonably necessary or compatible with the purposes disclosed to the resident.
• Establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.
• Not process sensitive data concerning a resident without obtaining the consumer’s consent.
  • Or in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with the Children’s Online Privacy Protection Act (COPPA).
• Not process personal data in violation of the laws of Connecticut and federal laws that prohibit unlawful discrimination against consumers.
• Not process the personal data of a Connecticut resident for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent.

De-identified Data

Any controller in possession of de-identified data shall:

• Take reasonable measures to ensure that the data cannot be associated with an individual.
• Publicly commit to maintaining and using de-identified data without attempting to reidentify the data.
• Contractually obligate any recipients of the de-identified data to comply with all provisions of the Connecticut privacy act.

Processor Responsibilities You Need to Know About

Under Section 7 of the Connecticut privacy law, processors must adhere to the instructions of a controller and shall assist the controller in meeting the controller’s obligations, including:

• Responding to Connecticut consumer rights requests.
• Security and breach notification, under Connecticut General Statutes § 36a-701b.
• Providing information for controllers to conduct data protection assessments.

Processors that act outside the controller’s instructions will be deemed a controller. This could include a processor that de-identifies data, without instruction to, so that they can use it for their own purposes.