Connecticut’s Privacy Law Signed by Governor

By Linn Foster Freedman on May 13, 2022

Connecticut Governor Ned Lamont signed the Personal Data Privacy and Online Monitoring Act (CPDPA) into law on May 10, 2022, making Connecticut the most recent state to pass its own privacy law in the absence of comprehensive federal privacy legislation. Connecticut follows in the steps of Nevada, California, Virginia, Colorado and Utah in enacting its own comprehensive privacy legislation, with more pending in various state legislatures.

The Connecticut law goes into effect on July 1, 2023, giving companies just over a year to determine whether it applies, and if so to take steps to comply. Luckily, many organizations have already put compliance programs in place for the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), so adding some nuances from other state laws, including Connecticut, will not be as daunting as the first go-round with California’s law.

The CPDPA is designed to establish a framework for controlling and processing personal data. It:

  1. sets responsibilities and privacy protection standards for data controllers;
  2. gives consumers the right to access, correct, delete, and obtain a copy of personal data and to opt out of the processing of personal data for certain purposes (e.g., targeted advertising);
  3. requires controllers to conduct data protection assessments;
  4. authorizes the state attorney general to bring an action to enforce the bill’s requirements; and
  5. deems violations to be Connecticut Unfair Trade Practices Act violations.

The full text of the act is available at https://cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF

The CPDPA applies to individuals and entities that conduct business in the state of Connecticut or target products or services to Connecticut residents and that either (a) control or process the personal data of at least 100,000 Connecticut consumers (excluding data processed solely for completing a payment transaction), or (b) control or process the personal data of at least 25,000 Connecticut consumers and derive more than 25 percent of their gross revenue from the sale of personal data. Unlike the CCPA, the law’s applicability is not tied to an actual gross revenue figure (the CCPA threshold is $25 million), an important distinction that may narrow its applicability to organizations.

The law does not apply to nonprofits, state and local governments, higher education institutions, or national securities associations registered under the Securities Exchange Act. Consistent with other state data privacy laws, it also exempts financial institutions and data subject to the Gramm-Leach-Bliley Act and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA).

The law excludes 16 different categories of data from its purview, including protected health information under HIPAA, information subject to the Fair Credit Reporting Act, employee and job applicant data, and information protected by the Family Educational Rights and Privacy Act.

A “consumer” is defined as a Connecticut resident, and excludes individuals “acting in a commercial or employment context,” also known as a business-to-business exception, which is consistent with other state privacy laws.

Connecticut consumers will have the right to opt out of the processing of their personal data for targeted advertising, the sale of their data, or profiling for automated decisions that produce legal or significant effects on the consumer. Entities subject to the law will have to provide “clear and conspicuous” links on their websites giving consumers the choice to opt out of that type of processing and provide a universal opt-out preference signal by January 1, 2025. Consistent with other state privacy laws, the CPDPA contains an anti-discrimination clause. These requirements, along with those of the other state laws that go into effect in 2023, warrant another look at companies’ websites to see if they need to be updated.

The CPDPA requires controllers to:

  • limit collection of personal data to the minimum amount necessary for the purpose of the collection;
  • limit use of the personal data to the purpose of the collection or to what the consumer has authorized;
  • establish and implement data security practices to protect the data; and
  • obtain consent before processing sensitive data, including data of any individual under the age of 13, and follow the provisions of the Children’s Online Privacy Protection Act.

Controllers will be required to update their website and other privacy notices to be transparent about the categories of data collected, the purpose of the collection, how consumers can exercise their rights under the law (including an active email address at which to contact the controller), what information is shared with third parties, and the categories of third parties with which the controller shares the information. In addition, a controller must disclose that it is selling personal data for targeted advertising and provide consumers with information on how they can opt out of the sale of their information.

Also consistent with the other state data privacy laws, the CPDPA requires that data controllers enter into a written contract with data processors prior to disclosing the personal data, outlining specific instructions for the data processing and data security requirements for the protection of the personal data. This requires organizations to review third-party contracts to determine whether they are disclosing personal data to third parties, whether CPDPA applies and to amend contracts with those third parties, as appropriate.

Violation of the CPDPA may land companies in an enforcement action by the Connecticut Attorney General (AG), who can levy fines and penalties under the Connecticut Unfair Trade Practices Act. However, there is a grace period for enforcement actions until December 31, 2024, for the AG to provide organizations an opportunity to cure any alleged violations. Beginning on January 1, 2025, the AG has discretion to provide companies with that opportunity to cure and can look at the conduct of the organization during the cure period to determine fines and penalties.

Significantly, consistent with Colorado, Virginia, and Utah, but tacking away from California, the CPDPA is clear that the law does not provide a private right of action for consumers to seek damages against organizations for violation of the law. Jurisdiction for violations rests solely with the AG. 2023 will be a busy compliance year for state data privacy laws, as laws in Virginia, Colorado, Utah, and now Connecticut will all go into effect. Now is the time to determine whether these new privacy laws apply to your organization and to start planning compliance obligations.

This post is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

Linn Freedman is chair of the firm’s Data Privacy + Security Team. She is also an active member of firm’s Health Law Group, education practice, Environmental + Utilities Group, Insurance + Reinsurance Group, and Business Litigation Group. Her practice focuses on data privacy and security law, responses to data breaches, compliance with federal and state privacy and security laws, breach notification laws, and assisting clients with regulatory investigations.

Ms. Freedman is experienced in providing counsel to health care organizations, Regional Health Information Organizations, and privacy and security issues related to interoperability of electronic health records. She has litigated complex cases, including privacy cases, and class action data breach litigation in state, federal, and appellate courts, government investigations, and serves as general counsel of the Rhode Island Quality Institute. Read her full rc.com bio here.

  • Posted in:
    Health Care
  • Blog:
    Health Law Diagnosis
  • Organization:
    Robinson & Cole LLP