A bill that mirrors the California Consumer Privacy Act by restricting how companies share personal information could hurt small businesses through its harsh penalties.

The legislature's Government Administration and Elections Committee heard testimony March 25 on SB 1108, which is designed to enhance privacy rights and consumer protections for residents.

CBIA's Eric Brown says the version the committee sponsored has many flaws.

"Small businesses—many with razor-thin margins that host even just a few customers a day—would be subject to expensive and otherwise overly burdensome requirements of this proposal," Brown said.

"As we understand the bill, a small coffee shop, restaurant, or hardware store that accepts even a modest online payment from a Connecticut resident would be held accountable for compliance with this bill."

Severe Penalties

What's worse, Brown said, is that severe penalties associated with even one violation could cripple a small- or mid-sized business.

California passed its law in June 2018 but it won't take effect until January 2020.

The proposal demonstrates that a state-by-state quick fix is not the way to approach consumer privacy, Brown testified.

"Instead, federal lawmakers should craft a careful and comprehensive policy that ensures transparency and protections against data misuse," he said.

Brown urged committee members to take no action on SB 1108.


For more information, contact CBIA's Eric Brown (860.944.8792) | @CBIAericb

  • The bill states that a business must do 25 million a year in revenue and/or is in the business of (or substantially profiting from) selling users’ data or is owned by a company that conducts that business. I’m not a fan of regulations but this one doesn’t seem to be geared towards hurting small businesses. Data brokers and large companies that store personally identifiable information have proven again and again that they are incapable of securely storing information. If you are like me, you get at least 1 notice a year that your information has been compromised. There doesn’t appear to be a market yet for biometric data but that will change and being able to have your information deleted from the system is beneficial.

    • CBIANews

      The definition of business has a threshold of 50k pieces of personal information collected annually. Because personal information is defined so broadly (IP addresses included, for example), this dramatically expands the scope of businesses covered. For example, 50,000 annual visitors to a website = 137 visitors/day; for a small business, it’s about 14 transactions an hour for a 10-hour day.