Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Connecticut Becomes the Fifth State to Adopt a Data Privacy Law

June 2, 2022

On May 31, law firm Clark Hill published a post about Connecticut’s new consumer data privacy law, which was passed on May 10. The new law gives Connecticut consumers more control over what companies can do with personal data collected from Connecticut consumers.

The law will take effect on July 1, 2023.

It applies to individuals and entities that conduct business in Connecticut or produce products or services that are targeted to Connecticut residents; and

During the preceding calendar year, either controlled or processed personal data of at least 100,000 consumers (excluding for the purpose of completing a payment transaction), or controlled or processed personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

The law specifically excludes from the statute state and local governments, nonprofits, higher education institutions, national securities associations registered with the SEC, financial institutions and data subject to the Gramm-Leach Bliley Act, and covered entities and business associates under HIPAA.

The Connecticut law provides consumers with the following new rights:

The right to know what personal data a company has collected about them. However, unlike the other laws, Connecticut’s right to access does not apply to personal data that would require the company to reveal a trade secret.

The right to correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purpose for which the company processes that personal data.

The right to have the company delete any and all personal data provided by or obtained about the consumer.

The right to obtain a copy of all the personal data that the company has acquired about the consumer (so long as it’s technically feasible). This right is broader than some laws as it is not limited to data provided by the consumer but encompasses all data obtained about the consumer regardless of source.

The right to opt out of the processing of data for the purposes of targeted advertising, the sale of personal data or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects on the consumer.

The law also imposes requirements on companies subject to the statute when collecting consumer personal data. Companies can only collect personal data that is adequate, relevant, and reasonably necessary in relation to the purpose of the collection. The company cannot use personal data, without consent or meeting another exception, unless it is reasonably necessary for or compatible with the purposes of the collection.

The law also requires companies to maintain reasonable administrative, technical and physical data security practices to protect collected personal data. Companies must also make specific disclosures in privacy notices about what they do with personal data they collect (including the categories of data collected, how consumers can exercise their rights and appeal, and contact information for the company). Companies must conduct risk assessments when activities present a “heightened risk of harm” to consumers.

Just like Colorado, Virginia, and Utah, the law does not allow for private rights of action to enforce rights under the law—leaving enforcement solely to the Connecticut Attorney General. Prior to any enforcement action, entities are permitted 60 days to cure any violation (twice as long as allowed in California, Virginia, and Utah), but that cure period ceases as of Jan. 1, 2025. Violations can result in penalties up to $5,000 per willful violation or equitable remedies like restitution, disgorgement, and injunctive relief.

More states will undoubtedly pass similar consumer data privacy laws. And given the lack of bipartisanship in Congress, a federal consumer data privacy law seems highly unlikely.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., PresidentSensei Enterprises, Inc.
3975 University Drive, Suite 225Fairfax, VA 22030
Email:   Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology