Data Privacy Act Expansion Clears Senate

A major expansion of the Connecticut Data Privacy Act cleared the state Senate May 14 following an amendment that broadened regulatory requirements for businesses.
SB 1356, which passed on a 26-9 vote, significantly changes current state law by lowering compliance thresholds and adding strict rules around how companies can use data.
Adopted in 2022, the CTDPA was a compromise with the business community, implementing one of the first comprehensive laws in the country providing consumers with certain rights over personal data and establishing responsibilities and privacy protection standards for data controllers.
The law has since been cited across the country as model legislation adopted in other states.
The CTDPA currently provides exemptions to businesses that process the personal data of 100,000 consumers or fewer or process the personal data of 25,000 consumers or fewer and derive 25% or less of their yearly revenue from the sale of data.
These thresholds were part of the original compromise to protect small businesses from the costly burdens of CTDPA compliance.
Small Business Impact
SB 1356, however, drastically reduces these thresholds, exempting only covered entities that annually process the personal data of 35,000 consumers or fewer.
The amended version of the bill also requires any processors of sensitive data to comply with the CTDPA, pulling in any business, no matter the size, that processes credit or debit cards for payments.
If enacted, the bill's burdensome and unnecessary restrictions and obligations will make it significantly harder and more expensive for small businesses to connect with new and existing customers—undermining their ability to grow, compete, and contribute to our state economy.
CBIA joined with several chambers of commerce and other statewide trade organizations opposing the amended bill, warning it would harm Connecticut's economic competitiveness and make it more difficult for a broad range of organizations to meet the needs of the communities, customers, and individuals they serve.
The significant increase in coverage, coupled with the expansion to all sensitive data—including all credit and debit transactions—will impact a broad range of businesses and nonprofits, leaving many of the state's smallest employers saddled with hefty new compliance and legal fees they can't afford.
Additionally, the proposed changes to knowledge standards for minors are unclear and conflict with other existing and proposed state and federal law.
The inclusion of impact assessment requirements will also subject Connecticut's smallest employers to the same costly and burdensome assessment requirements as multi-national corporations.
The bill now awaits action by the House.
For more information, contact CBIA's Chris Davis (860.244.1931).