Connecticut Enacts Consumer Data Privacy Law, Adding To Compliance Complexity
Connecticut S.B. No. 6 – The ‘Act Concerning Personal Data Privacy and Online Monitoring.’
In a win for consumers, Connecticut became the fifth state to enact a comprehensive data privacy law. Following in the footsteps of states such as California, Colorado, Virginia, and Utah, the law allows residents to opt out of sales, targeted advertising, and profiling.
The Connecticut data privacy law, S.B. No. 6, effective July 1, 2023, requires websites and organizations to collect explicit consent to process sensitive data. Furthermore, they must offer Connecticut residents a means to revoke that consent. Once consent is revoked, organizations will have no more than 15 days to stop processing data. The law reads:
“To: (1) Establish (A) a framework for controlling and processing personal data, and (B) responsibilities and privacy protection standards for data controllers and processors; and (2) grant consumers the right to (A) access, correct, delete and obtain a copy of personal data, and (B) opt out of the processing of personal data for the purposes of (i) targeted advertising, (ii) certain sales of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.”
By 2025, S.B. No. 6 will require companies to acknowledge opt-out preference signals for targeted advertising and sales.
Additional protections require websites to collect parental consent in order to gather personal data from children under 13 years of age, and ban businesses from collecting or using personal data from children ages 13-16 for targeted advertising.
The bill forces companies to honor browser privacy signals, like the Global Privacy Control, so that consumers can opt out of data sales at all companies in a single step.
Right to Cure Contingencies
Connecticut’s “right to cure” provision gives businesses that are not compliant with the new law until December 31, 2024, to adjust practices and avoid penalties. Once the provision sunsets, the state can take enforcement action against organizations that violate the law.
“Right to cure” contingencies can be a hot-button issue among privacy hawks. States such as New York, Washington, and Texas have struggled to pass privacy laws due to backlash from businesses claiming the bills would create significant amounts of extra work for any business with a website.
Added Complexity to the Regulatory Patchwork
Compared to GDPR, Connecticut’s data privacy law isn’t a home run for consumers, but it does take important steps to prioritize definitions and mechanisms of consent.
Like the NAIC Data Security Model Laws, S.B. No. 6 is great for consumers, but adds complexity for businesses collecting data in the state. Until a federal law unifies privacy management, organizations that collect personal data will need to remain nimble but thorough in their approach to compliance with regulations.
As new states adopt privacy laws, the nuances between those laws are stacking up, leaving organizations scrambling to comply with a myriad of provisions in each state law, such as varying definitions of personal information and unique breach notification requirements.
In the event of a data breach, organizations must quickly assess the risk of the incident while researching the specific breach notification laws of each impacted jurisdiction.
As Lisa Sotto, head of the global privacy and cybersecurity practice at the law firm Hunton Andrews Kurth, said in her interview with The Record, “…data does not respect state boundaries and businesses often need to process personal data of residents in multiple states, it is inefficient and ultimately less protective of privacy to have varying privacy laws in the U.S.”