Reminder: Connecticut Data Privacy Act Becomes Effective July 1, 2023


On July 1, 2023, Connecticut’s comprehensive consumer privacy law, the Connecticut Data Privacy Act (the “CTDPA”), will go into effect. Businesses should carefully review the CTDPA now to ensure their privacy policies and practices are in compliance, if they have not done so already.

Generally, the CTDPA applies to for-profit businesses that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that, during the prior calendar year, either (a) controlled or processed the personal data of at least 100,000 consumers; or (b) controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data, with some exceptions (“Covered Businesses”).

Among other things, the CTDPA requires Covered Businesses to: (1) limit their collection of personal data to what is adequate, relevant, and reasonably necessary for their disclosed purposes; (2) if applicable, clearly and conspicuously disclose to consumers that they sell personal data or use it for targeted advertising and how the consumer can opt out; (3) establish, implement, and maintain reasonable data security practices; and (4) heed specific requirements relating to biometric data, data relating to minors, and other sensitive data.

The CTDPA also provides consumers in Connecticut with new rights to protect their personal data, including the rights to access, correct, and delete personal data and the right to opt out of certain uses and most sales of personal data. Covered Businesses must provide consumers with a privacy notice that clearly describes (a) the types of personal data the business collects; (b) the purpose for which the business uses such data; and (c) how consumers can exercise their consumer rights, among other things. Covered Businesses may not discriminate against consumers for exercising their consumer rights. Each Covered Business must also conduct data protection assessments and enter into binding contracts with any third parties that process data on its behalf.

The CTDPA does not contain a private right of action and the Connecticut Attorney General has exclusive authority to enforce any violations of the CTDPA. The CTDPA contains a limited safe harbor, and Covered Businesses will have a 60-day period to correct or cure certain violations until the end of 2024.

More information about the CTDPA and how it may impact you as a consumer or a business is available here: Connecticut Becomes Fifth State to Pass Comprehensive Data Privacy Legislation.

On June 26, 2023, Connecticut Governor Lamont signed into law An Act Concerning Online Privacy, Data and Safety Protections (“SB3”). SB3 imposes requirements on businesses relating to consumer health data and children’s online privacy protection, and amends relevant portions of the CTDPA accordingly. SB3 provisions related to consumer health data become effective on July 1, 2023, while provisions relating to children’s online privacy protection become effective on October 1, 2024. Like the CTDPA, SB3 does not contain a private right of action and the Connecticut Attorney General has exclusive enforcement authority thereunder.

There are several other states – California, Colorado, Florida, Indiana, Iowa, Montana, Tennessee, Texas, Utah and Virginia – that have also enacted comprehensive data privacy laws, with similar rights and obligations, but also nuances and distinctions. Multiple additional states have introduced and/or adopted bills that address a wide range of privacy issues, including biometric information and health data. It is important to note that the applicability of many of these laws is not tied to where a company is physically located, but rather where the people about whom it collects personal information reside. Until a federal privacy law is enacted, businesses will need to continue to refine their privacy policies and practices as each applicable state law becomes effective. Failure to comply with applicable privacy laws could lead to fines, class action lawsuits, enforcement actions and reputational harm.

This article is only a summary of certain state privacy laws, and the texts of the relevant laws should be consulted for further information.

Please call your Hinckley Allen lawyer if you would like assistance with your privacy policy, vendor contracts, or other privacy or data security needs in this ever-changing landscape.