Take Five! Connecticut Enacts Fifth Comprehensive State Privacy Law

Updated: May 10, 2022

The Connecticut General Assembly has passed S.B. No. 6, An Act Concerning Personal Data Privacy and Online Monitoring (CTDPA). The CTDPA was signed by Governor Lamont on May 10, 2022, making Connecticut the fifth U.S. state to pass comprehensive privacy legislation. Aligning with the ColoPA’s effective date, the majority of provisions under the CTDPA will take effect on July 1, 2023 (see universal opt-out and cure period exceptions below).

The CTDPA applies to those who conduct business in the state (or target their products and services to Connecticut consumers) and either (i) control or process the data of 100,000+ Connecticut consumers, specifically excluding personal data used for the purpose of completing a payment transaction, or (ii) control or process the data of 25,000+ Connecticut consumers and derive more than 25% of gross revenue from the sale of personal data. The exclusion of personal data used for payment transactions from the applicability threshold is unique to the CTDPA. 

You may be wondering “has anything really changed here?” The good news is that the CTDPA is fundamentally similar to California, Virginia, Colorado, and Utah’s privacy laws. But there are some key things to note.  Below, we have outlined five significant provisions of the CTDPA, along with recommendations on how your team may approach these changes.

Automated Profiling Opt-Out: Connecticut joins Virginia and Colorado in providing consumers with an opt-out of the automated profiling of decisions that result in either the “provision or denial” of employment opportunities. If a consumer exercises this opt-out right, companies may be restricted from engaging in automated processing that impacts candidate data in the context of employment opportunities. This opt-out right also extends to decisions affecting financial or lending services, housing, insurance, education enrollment, criminal justice, health care services, and/or access to essential goods and services. 

Right to Delete: Following suit with the new VCDPA amendment, creating an exemption to the right to delete, the CTDPA provides controllers with two options to comply with a consumer’s right to delete request when the data at issue has been collected from a source other than the consumer. Controllers can either (i) delete the data and retain a record of the deletion request or (ii) opt the consumer out of the processing of such data, with no requirement to delete the original data. Note that if the data has been provided to the controller by the consumer, a controller’s sole option to comply with the deletion request, if appropriately verified, is to delete the data.

Dark Patterns: California, Colorado, and now Connecticut all prohibit the use of dark patterns to obtain consumer consent. However, the CTDPA has broadened the definition of dark patterns to include “any practice the Federal Trade Commission refers to as a “dark pattern””. This is particularly important given the FTC’s recent trend of classifying various deceptive business practices as dark patterns and their current status as the primary federal enforcer of privacy. 

Universal Opt-Outs: The CTDPA includes a provision that businesses honor universal opt-outs by a set date. ”Universal opt-out” is a hot topic for the states, with both Colorado and California containing reference to the concept, but there remain many open questions around what this will look like in practice.  For additional clarity, we have outlined the scope of universal opt-outs across these three states below: 

California: Forthcoming regulations will specify the technical specifications of the universal opt-out signal under the CPRA. Businesses will then have the option of either (i) honoring the universal opt-out preference signal or (ii) utilizing with the opt-out link requirement on the business’s internet homepage. 

Colorado: Forthcoming regulations will specify the technical specifications of the universal opt-out signal under the ColoPA. Beginning July 1, 2024, businesses under the ColoPA will be required to honor the universal opt-out mechanism.  

Connecticut: While Connecticut has not listed universal opt-outs as one of the subjects for consideration by the task force (detailed below), the CTDPA will require that businesses honor universal opt-outs beginning January 1, 2025, and the law states that the technology of the opt-out “be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation”. 

Cure Period: From July 1, 2023, to December 31, 2024, businesses will have a 60-day cure period for violations under the CTDPA. However, beginning January 1, 2025, the Connecticut Attorney General will have complete discretion on whether to grant businesses an opportunity to cure. 

Final Takeaways

The CTDPA has directed the joint standing committee of the Connecticut General Assembly to establish a task force by September 1, 2022, to study and provide recommendations for (i) information sharing among health and social care providers, (ii) algorithmic decision-making, (iii) children’s privacy and personal data, (iv) potential legislation to expand the scope of the CTDPA, and (v) other related topics to data privacy. These recommendations will be submitted to the General Assembly by January 1, 2023, which may result in amendments to the law. 

While recommendations from the task force have the potential to alter the scope of the CTDPA, companies should continue (or begin!) to prepare for 2023 privacy legislation enforcement as planned, given the close parallels of the bill to California, Colorado, Virginia, and Utah.

Originally published by InfoLawGroup LLP. If you would like to receive regular emails from us, in which we share updates and our take on current legal news, please subscribe to InfoLawGroup’s Insights HERE.