New Data Protection Legislation in The State of Connecticut

Connecticut’s Senate Bill No. 6, otherwise known as the Connecticut Data Privacy Act, is a comprehensive data privacy and protection law that was recently passed in April of 2022. With the enactment of the law, the state of Connecticut has become the fifth state within the U.S. to pass data privacy legislation geared at protecting and safeguarding the various forms of personally identifiable information that residents of the state disclose when browsing the internet, making purchases, and using public services, among other things. To this point, the law outlines the steps that data controllers and processors must take when obtaining data from citizens within Connecticut.

How is data processing defined under the law?

Under the Connecticut Data Privacy Act, a data processor is defined as “an individual who, or legal entity that, processes personal data on behalf of a controller.” Alternatively, the law defines a data controller as “an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.” Moreover, the law defines the act of data processing as “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion or modification of personal data.”

What are the duties of data controllers and processors under the law?

Some of the data protection and privacy requirements that data controllers and processors operating within the state of Connecticut must abide by under the provisions of the Connecticut Data Privacy Act include but are not limited to:

• Data controllers are responsible for providing consumers with a privacy notice prior to collecting their personal information. This privacy notice must describe the specific data elements that will be collected, what these data elements will be used for, and the means and methods by which consumers can exercise their rights under the law, among other pertinent provisions.
• Data controllers must limit the collection of personal data to what is relevant, adequate, and reasonably necessary in relation to the purposes for which said data is processed.
• Data processors are forbidden from processing personal data for any purpose other than the purpose for which said data was collected, as well as the purposes that were disclosed to a consumer at the time of collection.
• Data controllers must obtain consent from consumers prior to collecting their personal data.
• Data controllers and processors are responsible for establishing, implementing, and maintaining reasonable technical, administrative, and physical data security safeguards, measures, and practices that can be used to protect all personal data that is collected or processed.
• Data processors are prohibited from processing personal data in a manner that violates applicable state and federal laws.
• Data controllers are responsible for providing consumers with a mechanism that they can use to revoke their consent. In the event that a consumer revokes their consent to having their personal data processed, data processors are responsible for ceasing the processing of their personal data as soon as possible, but no later than fifteen days after receiving such notification.

What are the penalties for violating the Connecticut Data Privacy Act?

The Connecticut Data Privacy Act provides residents of the state with the following rights as it concerns the collection and processing of their personal data:

• The right to access their personal information.
• The right to request that their personal information be corrected or deleted.
• The right to restrict the processing of their sensitive personal information.
• The right to opt-out of the sale or use of their personal information for targeted advertising or marketing purposes, including minors (age 16).
• The right to opt-out of data profiling processes that are made solely on the basis of automated decision making.
• The right to have their personal information collected and processed in a manner that is non-discriminatory.

Conversely, as it pertains to the enforcement of the law, the various sections of the Connecticut Data Privacy Act are enforced by the Connecticut attorney general. With this being said, data controllers and processors operating within the state of Connecticut that are found to be in violation of the law are subject to a wide range of sanctions and penalties. Such punishments include a monetary penalty of up to $5,000 per violation, in accordance with the Connecticut Unfair Trade Practice Act, as well as punitive damages, costs, and reasonable attorney fees. However, the law also gives violators a 60-day cure period to correct any infractions that have been imposed by the attorney general.

As many states around the country have looked to legislative means to secure the personal data of their respective citizens in recent years, such as the California Privacy Rights Act (CCPA) and the Virginia Consumer Data Protection Act (VCDPA), the Connecticut Data Privacy Act is the latest of such laws to be passed. What’s more, when compared to many other U.S. data protection laws, the rights that are offered to citizens under the Connecticut Data Privacy Act are numerous. To this end, the provisions of the law provide Connecticut residents with the means to ensure that their personal information remains confidential and secure at all times.