Connecticut became the fifth U.S. state to enact a comprehensive consumer privacy law following California, Virginia, Colorado, and Utah. On May 10, 2022, Connecticut Governor Ned Lamont signed "An Act Concerning Personal Data Privacy and Online Monitoring" (SB 6) (CPOMA).¹

Substantively, CPOMA largely tracks the Colorado Privacy Act (ColoPA) and Virginia Consumer Data Protection Act (VCDPA). CPOMA's substantive provisions will become effective July 1, 2023. Indeed, 2023 will be a busy year for privacy compliance teams as several other U.S. state privacy laws will take effect throughout the year. Both the VCDPA and California Privacy Rights Act (CPRA) (which replaces the current California Consumer Privacy Act (CCPA)) will take effect on January 1, 2023, ColoPA will take effect the same day as CPOMA, and the Utah Consumer Privacy Act (UCPA) will take effect on December 31, 2023.

Key Takeaways

• CPOMA contains substantially similar obligations and rights as existing U.S. state privacy laws in Colorado and Virginia. Thus, companies already preparing for compliance with those laws will likely require minimal updates to comply with CPOMA.
• CPOMA requires controllers to conduct data protection assessments (DPAs), using a risk-of-harm analysis following the example of the VCDPA, ColoPA, and the EU General Data Protection Regulation (GDPR).
• CPOMA requires controllers to obtain consent before processing sensitive data, consistent with the VCDPA, ColoPA, and the UCPA. This contrasts with the CPRA's more limited opt-out approach for certain uses of sensitive data.
• CPOMA prohibits controllers from processing personal data for purposes that are not reasonably necessary to nor compatible with the disclosed purposes for which personal data is processed, unless the controller obtains the consumer's consent.
• CPOMA requires an opt-out mechanism for targeted advertising and the sale² of personal data. In addition, similar to ColoPA, controllers will need to honor opt-out signals that consumers implement through a platform, technology, or mechanism indicating the consumer's intent to opt out of such processing or sale no later than January 1, 2025. CPOMA provides general parameters for the mechanism that are substantially similar to ColoPA, but unlike ColoPA, does not direct the state attorney general to promulgate rules setting forth technical specifications.
• Similar to other state privacy laws, compliance with the Children's Online Privacy Protection Act (COPPA) parental consent requirements are deemed compliant with CPOMA's parental consent obligations. For minors aged 13-15, however, companies must obtain opt-in consent before either selling their personal data or using it for targeted advertising. This obligation is similar to the CPRA's requirement to obtain consent from consumers less than 16 years of age before selling or "sharing" (for cross-context behavioral advertising purposes) their personal information.
• CPOMA is the third state privacy law, after the CPRA and ColoPA, to address "dark patterns." CPOMA expressly excludes agreement obtained via dark patterns from the definition of consent.
• Connecticut is the second U.S. state to have a privacy law that mentions financial incentive terms, after California.
• Unlike the UCPA, but similar to the VCDPA and ColoPA, CPOMA grants consumers the right to appeal a denial of a consumer request.
• CPOMA does not provide any private right of action; the law is exclusively enforced by the state attorney general. CPOMA enforcement is subject to an initial 60-day cure period, but starting in 2025 the attorney general will have discretion on whether to offer companies an opportunity to cure alleged violations.

Scope

CPOMA applies to persons that conduct business in Connecticut or produce products or services targeted to Connecticut residents ("consumers") and that during the preceding calendar year: 1) controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions; or 2) controlled or processed the personal data of not less than 25,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data. While CPOMA's two threshold requirements are similar to other U.S. state privacy laws, particularly to the VCDPA, CPOMA's threshold calculation is the first to exclude personal data controlled or processed solely for the purpose of completing a payment transaction. Like the Virginia, Colorado, and Utah privacy laws, CPOMA's definition of consumer excludes an individual acting in a commercial or employment context. CPOMA extends broad, status-based, and data-based exemptions,³ closely resembling the VCDPA.

Consumer Rights

Similar to existing U.S. state privacy laws, CPOMA grants consumers certain rights regarding their personal data.⁴ Specifically, CPOMA grants consumers rights of confirmation, access, correction, deletion of personal data provided by or obtained about the consumer, and data portability. Like the VCDPA and ColoPA, CPOMA also grants consumers the right to opt out of the processing of their personal data for the purpose of targeted advertising, sale, and profiling decisions that have legal or similarly significant effects. CPOMA prohibits the processing of sensitive data without first obtaining the consumer's consent, or in cases of sensitive data concerning a known child, obtaining verifiable parental consent in accordance with COPPA. Similar to ColoPA, CPOMA will eventually allow consumers to opt out of personal data processing for either targeted advertising or sale via an opt-out preference signal. Similar to ColoPA, CPOMA permits consumers to designate another person to act as their authorized agent to exercise opt-out rights on their behalf.

Consistent with other U.S. state privacy laws, controllers have 45 days to respond to consumer requests and this time period can be extended once by an additional 45 days. CPOMA also incorporates a consumer appeals process for denied requests that mirrors the VCDPA and is substantially similar to ColoPA.

Controller/Processor Obligations

As is becoming increasingly familiar, CPOMA uses a controller/processor framework consistent with all other U.S. states with omnibus consumer privacy laws so far, except California. CPOMA's controller obligations are most similar to those imposed under ColoPA, including requirements to adhere to data minimization and purpose limitation requirements, to avoid unnecessary and incompatible secondary uses of data unless the controller obtains the consumer's consent, and to maintain reasonable data security practices. Similar to the existing U.S. state privacy laws, CPOMA requires controllers to post a reasonably accessible, clear, and meaningful privacy notice. CPOMA's privacy notice requirements are functionally identical to ColoPA's notice requirements.⁵

Controllers must also provide an effective mechanism for a consumer to revoke consent that is at least as easy as the mechanism by which the consumer provided consent. Controllers must cease processing data within 15 days of receiving a consumer's consent revocation. Additionally, controllers may not process personal data for targeted advertising, or sell the consumer's personal data without the consumer's consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is a minor between 13-15 years of age. This obligation is similar to the CPRA's requirement to obtain consent from consumers less than 16 years of age before selling or "sharing" (for cross-context behavioral advertising purposes) their personal information. CPOMA prohibits controllers from discriminating against consumers for exercising their rights, but clarifies that if a consumer's decision to opt out of processing conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller program (e.g., loyalty or rewards program), the controller may notify the consumer of the conflict and provide a choice to confirm the privacy setting or participation in the program.

Controllers must provide a clear and conspicuous opt-out link on their website to enable consumers to opt out of targeted advertising or the sale of personal data, similar to the CPRA's "Do Not Sell or Share My Personal Information" link (though CPOMA is not prescriptive on the labeling of this link). Beginning January 1, 2025, controllers must also permit consumers to opt out of targeted advertising and sale of personal data via an opt-out preference signal sent with the consumer's consent via a platform, technology, or mechanism, similar to the global opt-out proposed under ColoPA. Under CPOMA, the opt-out preference signal must require the consumer to make an affirmative unambiguous choice; it cannot rely on a default setting. The opt-out mechanism must also be as consistent as possible with any other similar mechanisms required by any law. As more states roll out state-specific privacy laws, the ability to determine whether an individual attempting an opt-out is a resident of a particular state will likely become more and more critical for businesses' compliance efforts.

As with existing U.S. state privacy laws, CPOMA requires a binding written contract between controllers and processors that clearly sets out instructions for processing data, the nature and purpose of processing, the type of data subject to processing, duration of processing, rights, and obligations of both parties.⁶

Data Protection Assessments

CPOMA requires controllers to conduct DPAs for processing activities that present a risk of harm to a consumer.⁷ This DPA obligation closely follows that of the VCDPA and ColoPA, including the obligation to produce assessments to the state attorney general. As with ColoPA, DPAs are required for processing activities created or generated after July 1, 2023, and are not retroactive. To ease the compliance burden, CPOMA specifies that DPAs conducted for the purpose of satisfying another law shall be deemed to satisfy CPOMA, if the DPA is reasonably similar in scope and effect.

Enforcement and Civil Penalties

CPOMA does not provide a private right of action; the Connecticut attorney general has exclusive enforcement authority. Initially, from the period of July 1, 2023-December 31, 2024, the attorney general will provide companies with a notice of alleged violations and a 60-day cure period, if the attorney general determines that a cure is possible. Beginning on January 1, 2025, the Connecticut attorney general will have discretion on whether to grant a controller or processor an opportunity to cure, and will consider various factors including: 1) the number of violations; 2) the size and complexity of the controller or processor; 3) the nature and extent of the processing; 4) the substantial likelihood of injury to the public; 5) safety of persons or property; and 6) whether the alleged violation was likely caused by human or technical error.

Legislative Task Force

Beginning September 1, 2022, the Connecticut General Assembly will convene a task force to study and provide recommendations on various privacy topics including information sharing among healthcare and social care providers; algorithmic decision making and ways to reduce bias; possible legislation related to parent's deletion requests under COPPA; age verification for children on social media accounts; data colocation issues; possible legislation that would expand CPOMA; and other data privacy topics. The task force must submit a report of its findings and recommendations to the joint standing committee of the General Assembly by January 1, 2023.

^[1]Wilson Sonsini derived the CPOMA acronym from the Act’s title: Connecticut personal data Privacy and Online Monitoring Act. Despite its unique name, CPOMA does not expressly regulate “online monitoring”; the sole reference to online monitoring is in the Act’s title.

^[2]Consistent with ColoPA and the California privacy laws, CPOMA defines “sale” of personal data as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” This is in contrast to the VCDPA and UCPA’s more narrow definition of sale as merely an exchange of personal data for monetary consideration.

^[3]CPOMA extends status-based exemptions for state governmental entities, nonprofit organizations, institutions of higher education, national securities associations, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), and covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA) or the HITECH Act. CPOMA extends certain data-based exemptions, particularly regarding protected health information under HIPAA and health records under other related laws, and personal information regulated by the Fair Credit Reporting Act (FCRA), federal Driver's Privacy Protection Act (DPPA), the family Educational Rights and Privacy Act (FERPA), the federal Farm Credit Act, or personal data processed under the Airline Deregulation Act by an air carrier. Employment-related data and business-to-business (B2B) data are also exempt.

^[4]Mirroring the definition of ColoPA (and substantially similar to that of the VCDPA and UCPA), CPOMA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual” and excludes de-identified or publicly available information.

^[5]Under CPOMA, the privacy notice must include the categories of personal data processed, the purposes for processing, how consumers may exercise their consumer rights and appeal a controller’s decision, the categories of personal data shared with third parties, the categories of third parties, and an active email address or other online mechanism to contact the controller.

^[6]Under CPOMA, the contract must require a processor to assist a controller in: 1) responding to consumer requests; 2) meeting its security and data breach notification obligations; and 3) providing information to the controller for the purpose of conducting DPAs. Processors are also required to 1) ensure that each person processing personal data is subject to a duty of confidentiality; 2) return or delete data as requested at the end of the provision of services, unless retention required by law; 3) make available information to demonstrate compliance; 4) provide controllers an opportunity to object to engage any subcontractor and require in written contract that subcontractors to meet the same obligations with respect to personal data as the processor; 5) allow, and cooperate with, reasonable assessments by the controller, controller’s designated assessor, or provide a report of an independent assessment to controller upon request.

^[7]Such processing activities include targeted advertising, selling personal data, or processing sensitive data. A DPA is also required where processing for profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers; risks the financial, physical, or reputational injury to a consumer; risks an intrusion into the consumer's private affairs that would be offensive to a reasonable person; or risks other substantial injury to consumers. When conducting a DPA, controllers must identify and weigh the benefits of processing activities against the risk of harm to consumers.