After a failed attempt in 2021, Connecticut has become the fifth U.S. state to enact comprehensive data privacy legislation with the passing of “An Act Concerning Personal Data Privacy and Online Monitoring” or the Connecticut Data Privacy Act (the “CDPA” or the “Act”). The Act will take effect July 1, 2023, giving covered organizations about 14 months to become compliant.
The CDPA largely follows the model set forth by the Virginia Consumer Data Protection Act (“VCDPA”) and the Colorado Privacy Act (“ColoPA”), both of which passed last year and have served as a template for U.S. privacy legislation, most recently when Utah adopted a similar model a few weeks ago in the Utah Consumer Privacy Act (“UCPA”) (as discussed here). Whereas Utah and Virginia are slightly more business-friendly versions, the CDPA is slightly more protective of consumer rights, aligning more closely with ColoPA and the California Privacy Rights Act (“CPRA”), which will amend the California Consumer Privacy Act (“CCPA”) when it comes into effect January 1, 2023. Despite similarities with the aforementioned state laws, the CDPA does have some noteworthy features, including a carve-out to the applicability threshold intended to exempt small- and medium-sized businesses, broader deletion and opt-out rights for consumers, consent revocation requirements, prohibitions on the use of dark patterns, requirements to recognize user-selected universal opt-out mechanisms, strong protections for children’s and biometric data and a sunsetting right to cure.
Below we summarize key elements of the Act while highlighting its similarities and differences with the CCPA/CPRA, VCDPA, ColoPA and UCPA.[1]
Who must comply?
The CDPA contains similar triggering thresholds as previously enacted state privacy laws and applies to (i) any person that conducts business in the state of Connecticut or produces products or services targeted to Connecticut residents and (ii) during the preceding calendar year, controls or processes the personal data of (a) not less than 100,000 consumers, excluding personal data collected or processed solely for the purpose of completing a payment transaction, or (b) not less than 25,000 consumers and derives more than 25% of their gross revenue from the sale of personal data.
- The CDPA is the first state privacy law to include an explicit carve-out to its triggering thresholds for the processing of payment card information. This limitation is likely welcome news to small- and medium-sized businesses that process such personal data solely to complete payment card transactions and, but for such processing, would be unlikely to incur obligations under the Act.
What data is protected?
Like other state privacy laws, the CDPA defines personal data as any information that is linked or reasonably linkable to an identified or identifiable individual, and excludes de-identified[2] or publicly available data.
- Unlike the CCPA/CPRA and similar to ColoPA and the UCPA, the CDPA does not tie the definition of “personal data” to “consumers”[3], meaning that where obligations are placed on data controllers with respect to the processing of personal data, but without specific reference to “consumers” in the text of the Act, such obligations may be broadly interpreted to apply to all such processing by the controller and not only with respect to the personal data of Connecticut residents. By way of example, under Section 6 of the Act, controllers have an obligation to “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue,” but “personal data” is not qualified by “consumer” in any way, as it is in other sections of the Act.[4]
The CDPA also includes a definition of “sensitive data”, which is subject to additional obligations as discussed herein, and includes (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (ii) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (iii) personal data collected from a known child or (iv) precise geolocation data. In line with the approach adopted in Virginia and Colorado, the CDPA requires affirmative, unambiguous, revocable consent prior to the processing of sensitive data, or, in the case of a known child, verifiable parental consent in compliance with the mechanisms prescribed under the Children’s Online Privacy Protection Act as discussed in more detail below.
- Aligning with the laws in Virginia, Utah and Colorado, the CDPA provides a slightly narrower definition of “sensitive data”, which does not include categories found in the CPRA’s definition such as a consumer’s social security number, driver’s license number, financial data or the contents of a consumer’s mail.
- The CDPA’s definition of “biometric data”[5], an enumerated special category of data, is broader than the approaches adopted by other states. For example, unlike the definition of biometric data under the VCDPA, the CDPA makes clear that any data generated from photographs or audio or video recordings in order to identify a specific individual will constitute biometric data and thus be subject to the Act’s requirements.
As expected based on other state privacy laws, the CDPA does not apply to certain enumerated entities, such as any state and local governments, nonprofits, institutions of higher education, national securities associations covered by the Securities Exchange Act, financial institutions subject to the Gramm-Leach-Bliley Act, or qualifying covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”), nor does it apply to certain information or data, such as protected health information under HIPAA or other health-related information covered by federal law or policy, information regulated by the Fair Credit Reporting Act or personal data regulated by the Family Educational Rights and Privacy Act.
What obligations are placed on covered entities?
Like the VCDPA, ColoPA and UCPA, the Act distinguishes between data controllers (i.e., individuals or legal entities that alone or jointly with others determine the purpose and means of processing personal data) and data processors (i.e., individuals or legal entities that process personal data on behalf of a controller), providing specific requirements for each with respect to the processing of personal data. Controllers and processors should recognize many of their obligations from preexisting state privacy laws, such as obligations of data minimization and purpose limitation, as well as requirements to (i) provide consumers notice of such processing activities via an easily accessible privacy notice, (ii) enter into data processing agreements akin to those required under Article 28 of the EU General Data Protection Regulation (“GDPR”), (iii) conduct data protection assessments for processing of personal data that presents a heightened risk to consumers, including the processing of sensitive personal data, the processing of personal data for purposes of profiling or targeted advertising and sales of personal data and (iv) employ reasonable administrative, technical and physical data security practices to safeguard personal data.
While these obligations are largely reminiscent of controllers and processors’ obligations under other data protection laws, there are a few noteworthy aspects with respect to a controller’s compliance obligations under the CDPA:
- Consent Revocation Mechanism. Adopting a concept from the GDPR, controllers are required to provide consumers with an effective mechanism to revoke their consent that is “at least as easy as the mechanism by which the consumer provided the consumer’s consent” and must, upon revocation of such consent, cease to process the data as soon as practicable but not later than 15 days after the receipt of such request.
- Consent Requirements for Processing Minors’ Data. While largely tracking previously-enacted legislation and requiring verifiable parental consent for the collection of the personal data of known children under the age of 13, the CDPA goes one step further and requires opt-in consent to either (i) sell a consumer’s personal data or (ii) process a consumer’s personal data for purposes of targeted advertising, where the controller has actual knowledge, and willfully disregards, that the consumer is at least 13 years of age but younger than 16 years of age. This is similar to, but not exactly on point with, the CPRA’s prohibition on selling or sharing the personal data of a minor between the ages of 13 and 16 without receiving opt-in consent.
- Prohibitions on Use of Dark Patterns. Like the ColoPA and CPRA, the CDPA prohibits the use of “dark patterns” (i.e., a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice) as a means of obtaining consumer consent.
- Requirement to Recognize Opt-Out Preference Signals. Beginning on January 1, 2025, the CDPA will require covered entities to recognize consumer opt-out requests (discussed more fully below) via user-enabled universal opt-out mechanisms. Note that this date comes shortly after a similar requirement under ColoPA which requires recognition of global user-enabled privacy controls beginning on July 1, 2024. Conversely, the CPRA makes the recognition of such signals optional, whereas the VCDPA and UCPA do not include any such requirements.
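The Act describes the signal only as a “user-enabled universal opt-out mechanism” and does not name one. The following Python sketch, added here by the editor and not code from the original article, assumes the browser-sent Global Privacy Control header (`Sec-GPC: 1`) is such a mechanism and shows the two points a controller’s server has to get right: the header only ever switches opt-outs on, and its absence on a later request is not consent and must not silently undo an opt-out the consumer already expressed. The state record, the `via` labels, the list of processing purposes and the sample requests are constructed for the demonstration.

```python
"""Recognising a user-enabled universal opt-out signal on the server.

Added illustration, not code from the original article. It assumes the
Global Privacy Control signal (the `Sec-GPC: 1` request header) is the
kind of "user-enabled universal opt-out mechanism" the Act describes;
the Act's text does not name a particular signal. The state record,
the `via` labels and the sample requests are constructed for the demo.
"""
from dataclasses import dataclass, field
from typing import Mapping, Optional, Set


@dataclass
class OptOutState:
    """Per-consumer opt-out choices the controller has recorded."""
    targeted_advertising: bool = False
    sale: bool = False
    via: Set[str] = field(default_factory=set)  # how each opt-out reached us


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only for an exact `Sec-GPC: 1`.

    The GPC draft defines no value other than "1"; anything else
    (absent, "0", "true") is treated as "no signal", never as consent.
    Header names are matched case-insensitively, as HTTP requires.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def resolve_opt_out(headers: Mapping[str, str],
                    stored: Optional[OptOutState]) -> OptOutState:
    """Merge the request's signal into what is already recorded.

    A universal signal switches opt-outs on for both targeted
    advertising and sale. Its absence on a later request is not a
    choice and must not silently switch an earlier opt-out back off;
    only an explicit consumer action through an equally easy mechanism
    should do that. The stored record is copied, never mutated.
    """
    state = OptOutState() if stored is None else OptOutState(
        stored.targeted_advertising, stored.sale, set(stored.via))
    if gpc_signal_present(headers):
        state.targeted_advertising = True
        state.sale = True
        state.via.add("universal-signal")
    return state


def permitted_processing(state: OptOutState) -> Set[str]:
    """Processing purposes still allowed after applying the opt-outs.

    The purpose names and which of them survive an opt-out are an
    assumption for the demo, not a reading of the statute.
    """
    allowed = {"contextual-advertising", "service-delivery"}
    if not state.targeted_advertising:
        allowed.add("targeted-advertising")
    if not state.sale:
        allowed.add("sale-to-third-party")
    return allowed


if __name__ == "__main__":
    # Constructed sample: a first visit with the signal set...
    first = resolve_opt_out({"Sec-GPC": "1", "User-Agent": "demo"}, None)
    # ...and a later visit from a browser that no longer sends it.
    later = resolve_opt_out({"User-Agent": "demo"}, first)
    print(first, sorted(permitted_processing(later)))
```

The check on the header value is deliberately strict: treating anything other than the literal `1` as “no signal” avoids an attacker or a misconfigured proxy turning a garbled header into an apparent consent, while the merge step keeps a consumer who opted out through the website link opted out even when they later browse from a device without the signal.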
What rights do Connecticut consumers have under the Act?
Connecticut consumers are provided the same suite of rights as seen in similar state acts, including the rights to (i) know and access their personal data, (ii) correct their personal data, (iii) delete their personal data, (iv) data portability and (v) opt out of the processing of their personal data for the purposes of targeted advertising, sales of personal data or profiling. Like with prior statutes, a consumer may designate an agent to exercise the consumer’s rights on their behalf or, in the case of a known child, a parent or guardian may exercise such rights. A few additional items worth noting:
- Notice of and Link to Opt-Out Rights for Sales of Personal Data and Targeted Advertising. The CDPA adopts the CCPA/CPRA and ColoPA definition of sale, which includes any exchange of personal data for monetary or other valuable consideration from a controller to a third party, subject to certain standard exemptions. Further, like the CPRA, if a controller determines that it is “selling” personal data to third parties or processing personal data for targeted advertising, it must provide conspicuous notice of such processing, as well as the manner in which a consumer may exercise the right to opt out, and provide a clear and conspicuous link on the controller’s website to a page that enables a consumer or their agent to opt out of the targeted advertising or sale of the consumer’s personal data.
- Like the CPRA, the CDPA does not require covered entities to authenticate whether a request to opt out of certain processing came from a bona fide Connecticut resident; however, a controller may deny an opt-out request if the controller has a good faith, reasonable and documented belief that such request is fraudulent and notice is provided to the person who submitted the request. Additionally, as discussed above, starting January 1, 2025, controllers must recognize consumer opt-out requests made via user-selected universal opt-out mechanisms.
- Data Broker Deletion Exception. Notably, unlike the UCPA passed earlier this year, the CDPA provides a slightly broader deletion right to consumers, similar to those provided in the VCDPA and ColoPA, permitting them to request deletion of not only the personal data that they have provided to the business, but also any personal data that the business has obtained about the consumer from a third party. Where a controller possesses personal data about a consumer from a source other than the consumer, the CDPA includes what has been termed the “data broker exception”, pursuant to which a controller is deemed to have complied with a consumer’s deletion right where it either (a) retains a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted or (b) opts the consumer out of the processing of such personal data for any purpose except those exempted pursuant to the Act.[6] Given the complexities of deleting original consumer data, this provision should make it easier for data brokers and other companies that do not collect consumer data directly to comply with deletion requests, while still providing consumers with control over the usage of their data.
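Prong (a) of the exception has a familiar engineering shape: a suppression list that outlives the deleted data. The Python sketch below is an illustration added by the editor, not code from the original article or any particular controller. It deletes what is held, records the request, and keeps only a keyed hash of the identifier so that the next ingest from the same third-party feed drops the consumer’s records again. The record layout, the use of an email address as the identifier and the HMAC-based suppression token are assumptions for the demonstration; the Act prescribes none of them.

```python
"""Honouring a deletion request for third-party-sourced personal data.

Added illustration, not code from the original article. It models one
way to use the "data broker exception" described above: delete what is
held, keep a record of the request plus the minimum data needed to keep
the consumer deleted, and drop that consumer's records on every later
ingest from a third-party feed. The record layout, the email identifier
and the keyed-hash suppression token are assumptions for the demo.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Tuple


class ThirdPartyDataStore:
    def __init__(self, suppression_key: bytes) -> None:
        # The key lives apart from the data; without it a suppression
        # token cannot be turned back into the identifier it came from,
        # so the list holds less than the data it keeps deleted.
        self._key = suppression_key
        self.records: Dict[str, dict] = {}      # normalised email -> record
        self.suppressed: Dict[str, str] = {}    # token -> request date

    @staticmethod
    def _normalise(identifier: str) -> str:
        return identifier.strip().lower()

    def _token(self, identifier: str) -> str:
        """Keyed hash so the suppression list stores no raw identifier.

        A plain SHA-256 of an email address is reversible by guessing
        likely addresses; an HMAC under a separately held key is not.
        """
        return hmac.new(self._key, self._normalise(identifier).encode(),
                        hashlib.sha256).hexdigest()

    def ingest(self, feed: Iterable[dict]) -> Tuple[int, int]:
        """Load a third-party feed; returns (accepted, dropped)."""
        accepted = dropped = 0
        for rec in feed:
            if self._token(rec["email"]) in self.suppressed:
                dropped += 1           # consumer previously asked for deletion
                continue
            self.records[self._normalise(rec["email"])] = rec
            accepted += 1
        return accepted, dropped

    def delete_request(self, identifier: str, received: str) -> bool:
        """Delete held data and record the request.

        Returns whether any data existed. The request is recorded even
        when nothing was held, so a later feed cannot reintroduce it.
        """
        existed = self.records.pop(self._normalise(identifier), None) is not None
        self.suppressed[self._token(identifier)] = received
        return existed

    def holds(self, identifier: str) -> bool:
        return self._normalise(identifier) in self.records


if __name__ == "__main__":
    # Constructed sample feed from a hypothetical broker.
    feed = [{"email": "Alice@Example.com", "segment": "outdoor"},
            {"email": "bob@example.com", "segment": "travel"}]
    store = ThirdPartyDataStore(b"demo-only-key")
    print(store.ingest(feed))                                      # (2, 0)
    print(store.delete_request("alice@example.com", "2023-07-01"))  # True
    print(store.ingest(feed))                                      # (1, 1)
```

Normalising the identifier before hashing matters in practice: a feed that re-delivers the same address with different capitalisation would otherwise slip past the suppression list, which is exactly the “remains deleted” outcome the exception is conditioned on.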
No private right of action – what are the penalties for non-compliance?
The CDPA vests exclusive enforcement authority in the Connecticut Attorney General’s office, which has a nationally-renowned data privacy unit. Until December 31, 2024, businesses will have the ability to cure alleged violations of the Act within sixty (60) days of receipt of the notice of violation, which is comparable to the sunset provisions in California (January 1, 2023) and Colorado (January 1, 2025). From January 1, 2025, the Attorney General will retain discretion to grant a controller or processor a cure period, taking into account certain enumerated factors including the number of violations, the size of the controller or processor and the substantial likelihood of injury to the public.
While the CDPA rejects California’s position of providing consumers a private right of action, beginning January 1, 2025, Connecticut, California and Colorado will be positioned to engage in multistate enforcement actions where appropriate, increasing the likelihood of substantial penalties for instances of noncompliance under each law.
Finally, while no rulemaking authority is provided under the Act, it does create a task force to study certain additional topics, including algorithmic decision making, information sharing amongst health care providers and social care providers and issues with respect to children’s privacy rights, and provide a report to the joint standing committee of the General Assembly no later than January 1, 2023.
Conclusion
As an increasing number of state legislatures enshrine consumer privacy laws, we expect it is only a matter of time before federal legislation or regulation is introduced to align the increasingly disparate requirements that companies face, especially those active in interstate commerce. Until then, businesses will continue to operate under the existing patchwork of privacy legislation, including those which may impose conflicting obligations for companies when operating across multiple jurisdictions.
[1] The full text of the Connecticut Data Privacy Act is available here.
[2] Interestingly, while the definition of personal data is tied only to reasonably identified or identifiable individuals, the definition of de-identified data under the Act includes any data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual or a device linked to such individual.
[3] The CDPA defines “consumer” as an individual who is a resident of Connecticut and does not include individuals acting in an employment or commercial (i.e. B2B) context.
[4] In contrast, the CCPA/CPRA clearly define personal information to mean information that identifies or could reasonably be linked, directly or indirectly, with a particular “consumer” (which is in turn defined as a California resident); thus, the statute makes clear that the rights of consumers, as well as the obligations and restrictions placed on covered entities, are specific to California residents.
[5] Biometric data is defined as data generated by automatic measurements of an individual’s biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual, and does not include a digital or physical photograph, an audio or video recording or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.
[6] Those following developments in U.S. privacy law will note that this drafting is likely responsive to a key concern raised by the Virginia legislative working group and subsequent amendment signed into law by Virginia’s governor a few weeks ago.