Connecticut Passes Consumer Data Privacy Law
Connecticut has joined California, Colorado, Utah, and Virginia in passing a comprehensive consumer data privacy law that establishes obligations for businesses that collect and process the personal data of Connecticut residents. The Connecticut Data Privacy Act (the “Act”) was signed by Governor Ned Lamont on May 10, 2022. The new privacy law takes effect on July 1, 2023 (the same date as the Colorado Privacy Act), which gives businesses just under 14 months to implement policies and procedures to comply with the Act.
The Act includes many of the same rights, obligations and exceptions as the consumer privacy laws passed by California, Colorado, Utah and Virginia, drawing most heavily from the Colorado Privacy Act and the Virginia Consumer Data Protection Act; many of its provisions mirror one or the other of those two laws.
Scope of the Act
The Act defines “consumer” as a Connecticut resident and, like Virginia, Colorado, and Utah, expressly excludes individuals “acting in a commercial or employment context.” As a result, personal data about individuals acting in those contexts (for example, employee or business-contact data) falls outside the Act’s applicability.
The Act applies to all persons (a) that conduct business in Connecticut or produce products or services targeted to Connecticut residents, and (b) that in the preceding calendar year either controlled or processed the personal data of at least 100,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction), or controlled or processed the personal data of at least 25,000 consumers and derived 25% of their gross revenue from the sale of personal data. Note that the law expressly excludes personal data processed solely for payment transactions, which means that entities that process card transactions only to the extent necessary to complete a sale will not be subject to the Act’s requirements on that basis.
The Act includes certain data-minimization requirements, limiting the collection of personal data to what is “adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed” and prohibiting the processing of such data for “purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such data is processed” without consumer consent.
The Act does not provide a private right of action. Enforcement authority is granted exclusively to the Connecticut Attorney General. However, there is an enforcement grace period following the effective date: from July 1, 2023 through December 31, 2024, the Connecticut Attorney General must provide businesses with notice of alleged violations and a 60-day period to cure any such violation before taking enforcement action.
The Act exempts certain types of entities and data from its requirements. The following entities, irrespective of whether the data collected and processed would otherwise be subject to the law, are exempt: (a) state and local governments, (b) higher education institutions, (c) nonprofits, (d) national securities associations registered under the Securities Exchange Act of 1934, (e) financial institutions and data subject to the Gramm-Leach-Bliley Act, and (f) covered entities and business associates as defined by HIPAA.