Last year, Connecticut became the fifth state to enact comprehensive legislation with respect to consumer privacy.
The Connecticut Data Privacy Act (“DPA”) becomes effective on July 1st and applies to businesses that: (a) transact business in Connecticut or otherwise utilize products or services targeted to Connecticut residents; and (b) either (i) control or process the personal data of at least 100,000 Connecticut residents on an annual basis; or (ii) derive over 25% of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Connecticut residents on an annual basis. Certain entities are exempt from the DPA, including state and local governments, tax-exempt organizations, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act, and “covered entities” and “business associates” as defined by the Health Insurance Portability and Accountability Act (HIPAA).
Akin to the California Consumer Privacy Act and similar state laws already in effect, the DPA will require opt-in consent for the collection and processing of a consumer’s “sensitive” information, such as information revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data and precise geolocation data.
The DPA also provides consumers with rights of notice, access, portability, correction and deletion, provided, however, that businesses are afforded certain exemptions in this regard (e.g., to combat fraud). The DPA will also allow consumers to opt out of the use of their information for certain purposes, such as the sale of personal data and targeted advertising (and similarly require opt-in consent from minors). The DPA will be enforced through the Office of Connecticut’s Attorney General.
Organizations conducting business in Connecticut (or contemplating entering the Connecticut market) should take careful note of this new legislation and take appropriate steps to audit their internal privacy control procedures.