On April 20, 2022, the Connecticut Senate unanimously voted to advance CT SB 6 (An Act Concerning Personal Data Privacy and Online Monitoring) to the House floor, where it was enrolled on April 28th. If the bill is signed by Governor Ned Lamont, Connecticut will become the fifth state to enact comprehensive privacy legislation.
The majority of the law’s substantive provisions will take effect July 1, 2023, although a task force to study additional privacy issues will be convened immediately upon its passage.
SB 6 is modeled after the Colorado Privacy Act (CPA) and the Virginia Consumer Data Protection Act (VCDPA), using many of the same definitions and provisions in an effort to be interoperable with these laws. The core elements of SB 6 include:
Consumer rights. SB 6 affords consumers the following rights:
- The right to access personal data
- The right to correct personal data
- The right to delete personal data provided by or obtained about the consumer
- The right to port the consumer’s data to another entity and
- The right to opt out of the sale of personal data, targeted advertising, and profiling.
SB 6 also provides controllers and processors protection from revealing trade secrets when responding to access and portability requests.
Appeals of consumer requests. Like the CPA and the VCDPA, SB 6 allows consumers to exercise a right of appeal when their consumer requests are denied. Similarly, SB 6 requires controllers who deny a consumer’s appeal to provide that consumer with an online mechanism or other method through which the consumer may contact the Connecticut Attorney General to submit a complaint.
Definition of sale. The bill defines “sale” to mean “the exchange personal data for monetary or other valuable consideration.” This definition aligns with the CPA but is distinct from both the California Consumer Privacy Act (CCPA) and the VCDPA. The outer boundaries of the CCPA’s definition include “making available” any personal information “in exchange for monetary or other valuable consideration.” The VCDPA’s definition defines “sale” as “the exchange of personal data for monetary consideration.”
Universal opt-out mechanism. Like the CPA and the California Privacy Rights Act (CPRA), SB 6 will require controllers to honor Universal Opt-Out signals that enable users to opt out of all sales of personal data and targeted advertising on their browser instead of on a site-by-site basis. Unlike the CPA, however, SB 6 does not require the Attorney General to adopt rules governing the UOOM. Notably, this requirement is optional until January 1, 2025, when it becomes mandatory,
Data protection impact assessments. As with the CPA and VCDPA, documented impact assessments are required when a controller’s processing activities present a heightened risk of harm to a consumer. These include (1) processing personal data for purposes of targeted advertising; (2) the sale of personal data; (3) processing personal data for purposes of profiling in cases of significant consumer risk or injury; and (4) processing sensitive data.
Data minimization/secondary use. Similar to the CPA and VCDPA, SB 6 includes two obligations relating to data minimization and secondary use: the first prohibiting the processing of personal data beyond what is adequate, relevant, and reasonably necessary in relation to the purposes disclosed to the consumer; and second, a prohibition on processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed without the consumer’s consent.
Children’s data. SB 6 goes beyond the CCPA by requiring opt-in consent for those under 16 years of age for not only the sale of data (which CCPA requires) but also for targeted advertising and data sales. However, the standard of knowledge is somewhat higher, as it prohibits using an opt-out mechanism when controllers have actual knowledge and willfully disregard that the consumer is at least 13 years of age but younger than 16 years of age.
Attorney General enforcement. SB 6 grants the Attorney General exclusive authority to enforce violations. Like the CPA and VCDPA, SB 6 forbids a private right of action for violations of SB 6.
Limited right to cure. Beginning July 1, 2023, and until December 31, 2024, the Attorney General, prior to initiating an action, must issue a notice of violation to the controller – but only if that office concludes a cure is possible. If a controller fails to cure the violation within 60 days after receiving notice, the Attorney General may bring an action to enforce SB 6’s provisions.
Going forward. SB 6 is significant because it demonstrates the growing trend across states to model privacy legislation derived from the frameworks of the CPA and its predecessor, the VCDPA. Conversely, it further isolates the CCPA/CPRA as a model for new state privacy legislation. When planning for 2023, businesses should be prepared to assess the extent to which they will be subject to SB 6’s substantive provisions.
For more information, please contact our data privacy team via PrivacyGroup@dlapiper.com.