Connecticut Passes Data Breach Notification Bill
Previously, we reported that the Connecticut Senate had unanimously voted to approve Senate Bill 6 (“S.B. No. 6”) on April 20, 2022.
On May 10, 2022, the Connecticut Governor signed into law a Substitute for S.B. No. 6[1] (“Bill”). This Bill outlines requirements relating to personal data privacy and online monitoring for organizations and individuals:
“doing business in Connecticut, or that produce products or services that are targeted to Connecticut residents;” and
“that in the preceding year, controlled or processed the personal data of at least:
100,000 Connecticut residents (excluding for the purpose of completing a payment transaction); or
25,000 Connecticut residents, if the individual or entity derived more than 25% of their annual gross revenue from selling personal data.”
Under the Bill, consumers and parents or legal guardians of a known child have a right to:
Knowledge of and access to their personal data that is being maintained by the data controller;
Correct inaccuracies in their personal data and delete certain personal data;
Obtain a copy of their personal data in a “portable and readily usable format”;
Opt-out of the processing of their personal data “for the purposes of sale, targeted advertising, or profiling.”
In addition to granting consumers these rights, the Bill requires data controllers to:
respond to consumers’ rights requests “without undue delay” and to respond within the enumerated timelines under the provisions of the Bill;
practice data minimization and refrain from processing personal data for “unnecessary purposes” or for purposes incompatible with the purposes that the consumer consented to;
implement and maintain “reasonable administrative, technical and physical data security practices to safeguard personal data”;
provide consumers with a reasonably accessible, clear and meaningful privacy notice;
provide consumers with a mechanism for revoking consent that is comparable to the mechanism for providing consent;
conduct and document a data protection assessment for processing activities with a heightened risk of harm to a consumer; and
comply with the prohibition against utilizing “dark patterns,” which are “manipulative techniques that can impair consumer autonomy, decision-making or choice.”
This Bill is scheduled to be effective on July 1, 2023 and will have an enforcement grace period through December 31, 2024. During that grace period, the Connecticut Attorney General (“AG”), the party granted exclusive enforcement authority, will be required to give violating parties notice of alleged violations and grant these entities an opportunity to cure these violations within the 60 days following receipt of notice. Following this grace period, the AG will have discretionary authority to grant a cure period to violating parties.
In addition to enforcement of the provisions of the Bill, the General Law Committee will be required to establish a task force that will provide recommendations pertaining to issues of healthcare data privacy; algorithmic decision-making; children’s privacy; and expansive efforts for SB 6’s applicability. The task force will submit a report of its findings to the General Law Committee by January 1, 2023 and the task force will be terminated upon submission of its final report.