On April 28, the Connecticut state legislature passed through Senate Bill 6, “An Act Concerning Personal Data Privacy and Online Monitoring,” making Connecticut the fifth state to pass a comprehensive state privacy law (the second of this year following Utah). The measure now heads to the desk of Governor Ned Lamont, where it waits signature to become law. Once signed, the law will take effect on July 1, 2023.
Connecticut’s bill most closely aligns with Colorado’s "Colorado Privacy Act," with some of the main differences being that it does not contain rulemaking provisions (it instead creates a working group to make recommendations to amend the law to the Connecticut legislature), and contains restrictions on use of children’s data up to 16 years of age. The bill provides Connecticut residents with the right to access, correct, delete, and get a copy of personal data and to opt out of the processing of personal data for certain purposes (e.g., targeted advertising).
The bill defines businesses as controllers or processors. Controllers and processors must enter into a contract that governs the processor’s data processing procedures for processing performed on the controller’s behalf.
Controllers are responsible for: (1) limiting the collection of data to what is adequate, relevant and reasonably necessary in relation to the purpose for which data is processed (as disclosed to customers), (2) establishing, implementing, and maintaining data security practices, among other requirements, and (3) must offer an effective mechanism for a consumer to revoke his or her consent that is at least as easy as the mechanism the consumer used to give consent.
Processors must adhere to the controller’s instructions and assist the controller in meeting the controller’s obligations under the bill. Processors must also provide necessary information to enable the controller to conduct and document data protection assessments.
Of note, the measure does not contain a private right of action and instead provides enforcement authority to the Connecticut Attorney General (AG). It also creates a sixty-day cure period once the AG provides written notice of an alleged violation, between the period of July 1, 2023 to December 31, 2024. Starting January 1, 2025, the bill provides the AG discretion to provide an opportunity to correct an alleged violation.
RILA and other industry stakeholders continue to advocate for a federal privacy framework establishing a single set of rules that provide strong protections for consumers and accountability for all businesses within the digital ecosystem.
For more information on the bill, click here.