On July 1, 2023, the Connecticut Privacy Act will take effect adding another legislative layer of complexity to running a business.
Connecticut’s Act Applies to Almost Every Business
The Act applies to both individuals or entities who conducts business in Connecticut or target products or services to Connecticut residents and either (1) controlled or processed the personal data at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of at least 25,000 consumers and earned more than 25% of their gross revenue from the sale of personal data. This means that the Act reaches beyond Connecticut and applies to businesses around the globe who meet the above conditions.
The Act, however, exempts non-profits, institutes of higher education, Connecticut governmental agencies, national securities associations, financial institutions, and covered entities and business associates under HIPAA.
For purposes of the Act, “processing” personal data means taking any action with personal data. “Control” of personal data means the business determines the purposes and means of processing personal data. Like Colorado’s Privacy Act and the General Data Protection Regulation (GDPR), businesses cannot contract around either the controller or processor roles.
Controllers and Processors Must Take Specific Actions to Avoid Violating the Act
The Act requires controllers to implement multiple privacy practices and policies including, but not limited to, providing consumers with privacy notices, limit the collection of personal data, obtain consent before processing sensitive data, and allow consumers to exercise their rights under the Act.
Processors also must implement privacy practices and policies including, but not limited to, following the controller’s directions and implementing reasonable safeguards to secure the personal data.
Businesses Must Respect Consumers’ New Rights Created by the Act
In addition to other requirements, businesses must respect the new rights granted to consumers to avoid liability. Those rights include, but are not limited to:
- The right to access personal data.
- The right to correct inaccuracies in their personal data.
- The right to delete their personal data.
- The right to obtain a portable copy of their personal data to move to a different controller.
- The right to opt-out of the sale of their personal data and targeted advertising.
What Happens if You Violate the Act?
Any violation of the Act is a deceptive trade practice that the Connecticut Attorney General can pursue. Each violation can result in a civil penalty of $5,000 as well as injunctive relief, disgorgement, and restitution.
Key Takeaways
- The Connecticut Privacy Act takes effect July 1, 2023.
- The Act covers almost any business that transacts with consumers.
- Enforcement of the Act can lead to significant civil penalties for violators.
- Businesses should begin taking steps to comply with the Act now to avoid those penalties.
This blog was drafted by David Brininger, an attorney in the Spencer Fane Houston office. For more information, visit spencerfane.com.
Please note that the entirety of the Act is not in this article. Also, because the Act is not yet in effect, no Connecticut court has yet to analyze or clarify any portion of the Act such that the information and opinions stated above may be subject to change.
