Connecticut Passes Consumer Data Privacy Law

on Wednesday, 25 May 2022 in Technology & Intellectual Property Update: Arianna C. Goldstein, Editor

Connecticut has joined California, Colorado, Utah, and Virginia in passing a comprehensive consumer data privacy law that establishes obligations for businesses that collect and process the personal data of Connecticut residents.  The Connecticut Data Privacy Act (the “Act”) was signed by Governor Ned Lamont on May 10, 2022.  The new privacy law takes effect on July 1, 2023 (the same date as the Colorado Privacy Act), which gives businesses just under 14 months to implement policies and procedures to comply with the Act.

The Act includes many of the same rights, obligations and exceptions as the consumer privacy laws passed by California, Colorado, Utah and Virginia, drawing heavily from Colorado’s law and the Virginia Consumer Data Protection Act, with many of the law’s provisions mirroring either the Colorado or Virginia laws.

Scope of the Act

The Act defines “consumer” as a Connecticut resident and, like Virginia, Colorado, and Utah, expressly excludes individuals “acting in a commercial or employment context.”  As such, the personal data of those individuals can be excluded from the Act’s applicability.

The Act applies to all persons (a) that conduct business in Connecticut or produce products or services targeted to Connecticut residents, and (b) in the last year either controlled or processed the personal data of at least 100,000 consumers (unless solely for the purpose of completing a payment transaction) or controlled or processed the personal data of at least 25,000 consumers and derived 25% of their gross revenue from the sale of personal data.  Note that the law expressly excludes personal data processed solely for payment transactions, which means that entities that process card transactions only to the extent necessary to complete a sale will not be subject to the Act’s requirements.

Consumer Rights

Consumers engaging with covered businesses will be entitled to multiple privacy rights, including the right to (a) confirm that the business processes their personal data; (b) delete personal data provided by, or obtained about, the consumer; (c) correct inaccuracies; (d) obtain a copy of personal data in a “portable, and to the extent technically feasible, readily usable format”; and (e) opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data (subject to certain exceptions), or “profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.” The Act also requires that covered businesses obtain consent from consumers before processing sensitive data, and explicitly excludes from its definition of consent certain methods, including through acceptance of general terms of use or by use of dark patterns.

Data Minimization

The Act includes certain data-minimization requirements, limiting the collection of personal data to what is “adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed” and prohibits the processing of such data for “purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such data is processed” without consumer consent.

Enforcement

The Act does not provide a private right of action.  Enforcement authority is granted exclusively to the Connecticut Attorney General.  However, there is an enforcement grace period following enactment, meaning that starting on July 1, 2023 and ending on December 31, 2024, the Connecticut Attorney General must provide businesses with notice of alleged violations and a 60-day period to cure any such violation.

Exemptions

The Act exempts certain types of entities and data from its requirements. The following entities, irrespective of whether the data collected and processed would otherwise be subject to the law, are exempt: (a) state and local governments, (b) higher education institutions, (c) nonprofits, (d) national securities associations registered under the Securities Exchange Act of 1934, (e) financial institutions and data subject to the Gramm-Leach-Bliley Act, and (f) covered entities and business associates as defined by HIPAA.