May 12, 2022
On May 10, 2022, Connecticut Governor Ned Lamont signed the Connecticut Data Privacy Act (“DPA”) into law, which makes Connecticut the fifth state to enact comprehensive legislation with respect to consumer privacy.
The DPA becomes effective on July 1, 2023, and applies to businesses that: (a) transact business in Connecticut or otherwise utilize products or services targeted to Connecticut residents; and (b) either (i) control or process the personal data of at least 100,000 Connecticut residents on an annual basis; or (ii) derive over 25% of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Connecticut residents on an annual basis. Certain entities are exempt from the DPA, including state and local governments, tax-exempt organizations, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act, and “covered entities” and “business associates” as defined by the Health Insurance Portability and Accountability Act (“HIPAA”).
Similar to other state laws already enacted (e.g., California Consumer Privacy Act), the DPA will require opt-in consent for the collection and processing of a consumer’s “sensitive” information, such as information revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data and precise geolocation data.
The DPA also provides consumers with rights of notice, access, portability, correction and deletion, provided, however, that businesses are afforded certain exemptions in this regard (e.g., to combat fraud). The DPA will also allow consumers to opt out of the use of their information for certain purposes, such as the sale of personal data and targeted advertising (and similarly require opt-in consent from minors). The DPA will be enforced through the Office of Connecticut’s Attorney General.
Passage of the DPA comes shortly after the enactment of new cybersecurity legislation on July 6, 2021 (Public Act 21-119), which came into effect on October 1, 2021. This law creates a safe harbor for businesses that adhere to certain cybersecurity protocols in the event of a security breach. Like other states, Connecticut now incentivizes businesses to adopt nationally recognized cybersecurity standards and grants them safe harbor from certain state tort law claims for doing so. In determining the applicability of the safe harbor, each business will be individually assessed based on the scale and scope of the cybersecurity program in effect.
In sum, over the last twelve months, Connecticut has made sweeping changes to its cybersecurity and consumer privacy laws to emerge as one of the nation’s leaders in addressing these critical issues that are at the forefront of 21st century commerce. Organizations conducting business in Connecticut (or contemplating entering the Connecticut market) should take careful note of the new legislation and take corresponding steps to audit their internal privacy control procedures.