Amended Data Privacy Expansion Adopted

An expansion of the Connecticut Data Privacy Act cleared both chambers of the state legislature, but not before key sections were amended to limit the impact on small businesses and many industry sectors.  

SB 1295 became an omnibus consumer protection bill in the final days of the legislative session.

The amended bill addressed broadband access, online gaming, social media, and subscription renewals.

It also adopted concepts previously found in SB 1356 from earlier in the session that significantly changed the CTDPA by lowering compliance thresholds and adding additional restrictions around companies’ use of data. 

Adopted in 2022, the CTDPA was a compromise with the business community to implement one of the first comprehensive laws in the country to provide residents with certain rights over personal data and established responsibilities and privacy protection standards for data controllers.

Reduced Thresholds, Exemptions

The CTDPA currently provides exemptions to businesses that process the personal data of 100,000 consumers or less or process the personal data of 25,000 consumers or less and derive 25% or less of their yearly revenue from the sale of data. 

These thresholds were part of the original compromise to protect small businesses from the costly burdens of CTDPA compliance. 

Following a series of negotiations with industry associations in the state, SB 1295 reduces these thresholds, exempting only covered entities that annually process the personal data of 35,000 consumers or less.

Key exemptions were added to the final bill however, exempting data collected for payment processing and limiting the type of activities that would trigger anti-bias profiling assessments.  

Many key industries are also now largely excluded through either entity-level or data-level exemptions.

Many key industries are also now largely excluded through either entity-level or data-level exemptions, including nonprofits, insurers, financial institutions, healthcare providers, and the defense industry. 

Under the bill, each non-exempt data controller that engages in any profiling for the purposes of making a decision that produces any legal or similarly significant effect related to a consumer must conduct an impact assessment for the profiling.

The amended bill, however, removed the inclusion of offering essential goods and services under this requirement, significantly narrowing the scope of compliance for many businesses. 

CBIA previously joined with several chambers of commerce and other statewide trade organizations in a letter of opposition to the original data privacy expansion bill warning that it would harm Connecticut’s economic competitiveness and make it more difficult for a broad range of organizations to meet the needs of the communities, customers, and individuals they serve. 

The bill now awaits action by the Governor. 

---

For more information, contact CBIA’s CBIA’s Chris Davis (860.244.1931).