Update: Like several other state privacy bills introduced this year, SB 893 died in chamber.
Connecticut is the latest state to introduce consumer privacy legislation. If enacted, the Connecticut Act Concerning Consumer Privacy (the Act) would join the existing nationwide patchwork of state privacy laws. The Act would establish a framework for controlling and processing personal data, and would include the now-typical consumer rights to access, correct, delete, and know how businesses are using their personal data. The current draft also includes an opt-out for targeted advertising. It does not, however, contain a private right of action.
The Act would apply to persons that conduct business in Connecticut or produce products or services that are targeted to residents of Connecticut that:
"Controller" would mean a natural or legal person that, alone or jointly with others, determines the purpose and means of processing personal data.
"Processor" means a natural or legal entity that processes personal data on behalf of a controller.
The Act would not apply to:
"Personal data" would mean any information that is linked or reasonably linkable to an identified or identifiable natural person. It would not include de-identified data or publicly available information.
"Sensitive data" would mean personal data that includes:
In a departure from other consumer privacy laws, the term "Sale" is more narrowly defined. "Sale of personal data" means the exchange of personal data for monetary consideration by the controller to a third party. The Act would expressly exclude the following actions from the definition:
"Consumer" means a natural person who is a resident of Connecticut and acting only in an individual or household context. Consumers would have the right to:
In addition to other obligations not identified here, Controllers would be required to do the following:
The obligations, however, would not restrict a controller's ability to:
The obligations would not apply if compliance would violate an evidentiary privilege under Connecticut law.
The Attorney General would have exclusive authority to enforce violations. The Attorney General may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the Attorney General. The disclosure of an assessment would not constitute a waiver of attorney-client privilege or work-product protection, and would be considered confidential and exempt from disclosure pursuant to a Freedom of Information Act request.
The Act would permit a 30-day cure period after notice of a violation and provide for a civil fine of up to $7,500 per violation.
There would be no private right of action under the Act.
If enacted, the Act would become operative on January 1, 2023.
The Act was reported out of the Legislative Commissioner's Office on April 8, 2021, and is tabled for the calendar.