As the United States continues without a comprehensive national privacy law, individual states continue to take it upon themselves to protect their respective citizens. On May 10, 2022, Connecticut became the fifth U.S. state to enact an omnibus privacy law: Senate Bill No. 6, An Act Concerning Personal Data Privacy and Online Monitoring (“CTPA”).
The CTPA goes into effect on July 1, 2023. Provided below is a cursory overview of the CTPA, which includes a high-level comparison of the differences and similarities to the California Consumer Protection Act (CCPA), including as it has been amended by California Privacy Rights Act (“CPRA”).
The CTPA is comprised of twelve sections and is very similar to most recently passed privacy laws:
- Section 1 provides the definitions for terms to be used in the CTPA. This section includes commonly used or synonymous terms as seen in most privacy laws, such as definitions for personal data, sensitive data, biometrics, consent, controller, dark pattern, geolocation data, and many others. Notably, the CTPA adotps terms more aligned with the Colorado law than the CCPA, for example, using “Controller” rather than “business.”
- Section 2 covers the scope of the CTPA. The CTPA applies to persons who conduct business in CT or provides services or products directed at CT consumers and during the preceding calendar year: (1) control or process the personal data of no less than 100,000 consumers (excluding when controlled or process to complete a payment transaction); or (2) controls or processes personal data for no less than 25,000 consumers and derives 25% of their gross revenue from sales of personal data.
- vs. CPRA: although the CTPA is similar to other state privacy laws regarding application thresholds, it differs from the CPRA as the CPRA has a blanket revenue limit of $25,000,000; and has a general 50% revenue determination regardless of consumer information processed. A key difference is the fact that the CTPA excludes information processing solely for payment transaction which could be considered to limit application and thus protections afforded to consumers.
- Section 3 provides for the exemptions from the CTPA to include: (1) state bodies, authorities, bureaus, districts, other subdivisions; (2) nonprofits; (3) high education institutions; (4) securities associations registered under the Securities Act; (5) Gramm-Leach-Bliley Act entities (“GLBA”); and (6) entities covered by The Health Insurance Portability and Accountability Act (“HIPAA”).
- CPRA: the CPRA does not contain as broad of exemptions as the CTPA but it does provide for some similar exemptions such as those under the GLBA and HIPAA and does not apply to nonprofits or government agencies by the nature of the law.
- Section 4 provides general rights afforded by most privacy laws: (1) confirm processing and access to personal data; (2) correct inaccurate personal data; (3) delete personal data; (4) portability of personal data; and (5) opt-out of targeting advertising, sale of personal data, or profiling.
- CPRA: the CPRA affords the same rights as those above in Section 4.
- Section 5 provides authority for consumers to designate an authorized agent to act on consumers behalf, to opt out of processing, which appears to include signals such as a global privacy control from a device or browser.
- CPRA: under the CCPA, the California Attorney General’s Office adopted regulations that required businesses to acknowledge global privacy controls, and under the CPRA, the California Privacy Protection Agency (“CPPA”) is afforded that same right and directed to adopt regulations concerning the same topic.
- Section 6 requires controllers to: (1) limit data to what is “adequate, relevant and reasonably necessary in relation to the purpose for which such data is processed,” i.e., data minimization; (2) not process personal data beyond what it was collected for; (3) have “have reasonable administrative, technical and physical data security practices” as appropriate based on volute and nature of personal data; (4) “not process sensitive data concerning a consumer without obtaining the consumer’s consent”; (5) “not process personal data in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers”; (6) allow consent revocation as easy as consent was given; and (7) not process personal data for targeted advertising or sell personal data without consent when controller knows consumer is at least thirteen years old but younger than sixteen. Further addressed are privacy notice requirements, including notice regarding personal data for categories processed, purpose processing, exercise of rights under CTPA, third-party notices, contact information for controllers, and whether personal data is sold.
- Like the CTPA, the CPRA addresses many of the notice requirements, purpose limitations and data minimization requirements for personal information (as used in lieu of personal data), security requirements, revoke consent easily, targeted advertising, and children between the ages of thirteen and sixteen. However, missing from the CPRA is the inclusion of prohibition against discriminatory processing in violation of state and federal law. Second, and most importantly, is how the CTPA requires a consumer to opt-in to process sensitive personal information while the CPRA only affords consumers the right to opt-out of and limit the use and disclosure of what is known under the CCPA (CPRA) as sensitive personal information. It could be argued under the CTPA that CT consumers are afforded more protection by this opt-in requirement rather than under the CCPA’s opt-out.
- Section 7 addresses processor requirements, such as to follow controller instructions and assist controllers with obligations under CTPA. Furthermore, it addresses contracting requirements such as confidentiality, return or deletion of personal data at termination of services, controller’s opportunity to object to subcontractors, and compliance audit rights.
- CPRA: the CPRA has many of the same requirements but lacks an express requirement to return or delete personal information at the termination of the service provider agreement. However, this provision can be included by the business and is implied by the fact that personal information is not to be retained for longer than reasonably necessary under the CPRA.
- Section 8 sets forth the requirement for controllers to “conduct and document data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer” and goes on to provide examples.
- CPRA: while the CPRA does not expressly provide this requirement, it introduces the topic and tasks the CPPA with issuing regulations for when an assessment is necessary.
- Section 9: addresses the handling of deidentified data and the requirements to prevent association with consumers, public commitment to keep deidentified, and contractual obligation that any recipients comply with the same.
- CPRA: essentially includes near identical terms and requirements for deidentified information.
- Section 10’s express statement that the CTPA does not impose obligations that shall restrict a controller or processor’s ability to comply with federal, state, local laws, court orders, subpoenas, and other related legal obligations.
- CPRA: essentially includes nearly identical terms regarding compliance with federal, state, local laws, court orders, subpoenas, and other related legal obligations.
- Section 11 states that the CT Attorney General “shall have exclusive authority to enforce violations” of the CTPA.
- CPRA: new with the adoption of the CPRA was the introduction of the CPPA, which will have full administrative power, authority, and jurisdiction to implement and enforce the CCPA and CPRA. The Board will appoint the Agency’s executive director, officers, counsel and employees. The Agency may bring enforcement actions related to the CCPA or CPRA before an administrative law judge. The Attorney General will retain civil enforcement authority over the CCPA and the CPRA.
- Section 12 appears to be mostly state-focused with setting up a task-force no later than September 1, 2022, which is to produce and submit a report on its findings and recommendations to the joint standing committee of the General Assembly having cognizance of matters relating to general law, no later than January 1, 2023..
- CPRA: California has its CPPA which will perform a variety of functions including monitoring the CPRA and addressing privacy topics as they arise.