Businesses Face New Data Privacy Requirements
Connecticut businesses face new consumer data privacy protection standards and compliance requirements.
The General Assembly approved statewide data privacy legislation this session, following years of negotiation with the business community.
SB 6 establishes a framework for the control and processing of personal data, setting out responsibilities and privacy protection standards for data controllers and processors.
It provides consumers the right to access, correct, delete, and obtain a copy of their personal information for specific purposes.
Further, it requires controllers to conduct regular data protection assessments and authorizes the attorney general to enforce the requirements, with violations deemed unfair trade practices under Connecticut law.
The data privacy requirements apply to persons conducting business in Connecticut or producing products or services that are targeted to state residents.
Specifically, the bill affects Connecticut businesses that controlled and processed personal data of at least 100,000 consumers in the state and excludes personal data controlled and processed solely for the purpose of completing payment transactions.
Additionally, the bill applies to businesses that derive 25% of their gross revenue from 25,000 Connecticut residents.
The bill exempts various entities, including institutions of higher education, nonprofits, and state and local governments.
It also exempts specific types of information and data, including but not limited to, health records, identifiable private information for human research, credit-related information, and certain information collected under federal laws.
Specifically, the bill does not apply to any state body, authority, board, bureau, commission, district, or agency, or those of its political subdivisions; nonprofits; higher education institutions; national securities associations registered under federal law; financial institutions subject to the Gramm-Leach-Bliley Act; or entities covered by HIPAA.
The bill also does not apply to certain information and data collected under federal acts, for example: protected health information (PHI) under HIPAA; patient-identifying information on substance use disorder treatment; identifiable private information collected for the protection of human research subjects; information created for the Health Care Quality Improvement Act; information collected in accordance with the Patient Safety and Quality Improvement Act; and information covered by the Fair Credit Reporting Act, the Driver’s Privacy Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act.
Under the law, consumers have certain enumerated rights.
Consumers may confirm whether a controller is processing their personal data and access that data, correct inaccuracies, delete personal data, obtain a copy of their personal data, and opt out of certain uses of their personal data.
The controller must respond to a consumer’s request within 45 days of receiving it and must provide the requested information at no cost once per calendar year.
The bill requires data controllers to limit the amount of consumer data to what is adequate, relevant, and reasonably necessary.
Controllers must maintain reasonable data security measures to protect the confidentiality of consumer data and must offer a mechanism for consumers to provide consent.
Additionally, the bill prohibits controllers from processing consumer data if it is not reasonably necessary.
It prohibits processing sensitive personal data without the consumer’s consent, and prohibits using personal data for targeted advertising or selling it without consent.
Controllers are required to provide consumers with a privacy notice that includes: the categories of personal data being processed; the purpose of processing; an explanation of consumers’ data privacy rights; the data provided to third parties; an email address consumers can use to contact the controller; and instructions on how consumers can exercise their opt-out rights.
The state attorney general has exclusive authority to enforce the law’s requirements.
The bill requires the attorney general’s office to provide notice before initiating any action and allow the controller to cure the violation.
The controller has 60 days from the date of notice to cure. The attorney general’s office may bring suit if the controller does not act within 60 days.
SB 6 also establishes a task force, convened by the General Law Committee, to examine the elimination of health disparities, the reduction of bias-based decisions, parental consent, and issues related to data colocation and the impact on third-party providers.
The task force is to report its findings and recommendations to the committee by Jan. 1, 2023.
For more information, contact CBIA’s John Blair (860.244.1921).