Connecticut is set to join the list of states with a comprehensive privacy law. On April 28, 2022, the state’s proposed privacy law, Senate Bill 6, cleared the Connecticut State House after clearing the State Senate on April 20. The bill is still awaiting signature by Governor Lamont. SB 6 most similarly resembles the Colorado Privacy Act (“CPA”) but incorporates some aspects of the Virginia Consumer Data Protection Act (“VCDPA”) and includes some significant differences with existing privacy laws. Below we have identified some notable aspects of SB 6.
If enacted, SB 6 would become effective on July 1, 2023, the same day CPA takes effect. In comparison, VCDPA becomes effective January 1, 2023. The California Privacy Rights Act (“CPRA”), which replaced the California Consumer Privacy Act (“CCPA”) also becomes effective beginning January 1, 2023.
SB 6 will apply to companies that:
- Conduct business in Connecticut or persons that produce products or services that are targeted to residents of Connecticut and that during the preceding year:
- Controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
These requirements are generally very similar to CPA, VCDPA, and CPRA. However, the exclusion of data used solely for payment transactions is unique among the other enacted state laws.
Enforcement and Penalties
Similarly to existing laws, SB 6 will be enforced by the state Attorney General. The bill also provides for a limited cure period between July 1, 2023 and December 31, 2024 where the Attorney General shall, prior to initiating an action, issue a notice of violation to a controller if the AG determines a cure to the alleged violation is possible. The controller shall then have a period of 60 days to cure the violation.
Violations of SB 6 will constitute an unfair trade practice under the state’s general statutes, and will carry a civil fine of up to $5,000 for each violation.
Consumer Rights and Affirmative Consent
The generally expected consumer rights to access, correct, delete, and obtain a copy of personal data are included in Connecticut’s bill. SB 6 also requires affirmative consumer consent to process: (1) data “for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer”; (2) sensitive data; and (3) adolescent data.
This requirement for opt-in consent for the processing of adolescent data is unique to Connecticut. The bill requires consumer consent for the processing of data for the purposes of targeted advertising and for the sale of data where a controller has actual knowledge, and willfully disregards that a consumer is at least 13 years of age but younger than 16 years of age. Although the CPRA also has limitations around the processing of data of users between 13-15 years of age, SB 6’s requirement differs by adding the requirement that a controller not only have actual knowledge of the user’s age but further “willfully disregards” that the user is aged 13-15.
Opt-Out Preference Signals
SB 6 explicitly requires controllers to honor opt-out preference signals for certain data processing sent with a consumer’s consent, by a platform, technology, or mechanism to the controller. This provision would have Connecticut join Colorado as the only two states to explicitly require controllers to honor these preference signals.
* * * *
We will continue tracking any changes to Connecticut’s bill before enactment as well as emerging bills and report back with any notable changes.