Connecticut becomes fifth state with data privacy law
Connecticut’s recently passed data privacy bill became law on Wednesday, making it the fifth state in the U.S. with some form of data privacy protections for its residents.
S.B. No. 6 – The ‘Act Concerning Personal Data Privacy and Online Monitoring’ – became law without the governor’s signature because the state has a rule that passed bills become law automatically five days after they are passed during a legislative session.
Last week, a spokesperson for Governor Ned Lamont told The Record that they were going to “carefully review the bill” but noted that there were no concerns about the content of the bill.
The Connecticut bill – which would take effect July 1, 2023 – resembles the privacy laws passed in Colorado, Virginia and Utah in that it allows residents to opt out of sales, targeted advertising, and profiling. By 2025, the law will require companies to acknowledge opt-out preference signals for targeted advertising and sales.
Websites and companies now have to get consent to process sensitive data and need to offer Connecticut residents ways to revoke that consent. Once consent is revoked, organizations will have no more than 15 days to stop processing data, according to the law.
Parental consent is needed for any website to collect personal data from children under the age of 13, but businesses are banned from collecting personal data and using targeted advertising on children between the ages of 13 and 16.
The bill forces companies to honor browser privacy signals, like the Global Privacy Control, so that consumers can opt out of data sales at all companies in a single step.
Privacy law expert Dan Clarke, who has helped lawmakers in multiple states craft their own privacy laws, said the Connecticut law is more consumer-centric compared to the recently passed law in Utah, which was much more influenced by business interests.
“The focus on opt-out is the most significant we’ve seen thus far, requiring companies to respect a global opt-out signal without authentication and defining a ‘sale’ in the broadest terms. While it may sound minor to remove the need for authentication, especially with Colorado already observing a global privacy control (GPC), many companies use this to their advantage by making this more taxing on a consumer,” said Clarke, who serves as president of privacy company Truyo.
“Typically they’ll require a specific verification – an additional step many companies hope consumers won’t take – to avoid the opt-out. By firmly stating this requirement – as it does in the Connecticut law – without additional rulemaking, browsers can be set to ‘opt-out’ as a default and it will be difficult for companies to get around selling consumer data.”
He noted that the 15-day provision and the restrictive rules around children’s data were part of what made the law extremely consumer-friendly.
Like many other US data privacy laws, the Connecticut rules are not as comprehensive as the EU’s GDPR but they better align with some of the definitions and especially the mechanisms of consent, according to Clarke.
Lisa Sotto, head of global privacy and cybersecurity practice at the law firm Hunton Andrews Kurth, told The Record that businesses now have to keep up with a myriad of state privacy laws full of different provisions.
“Each of the laws is different, making compliance with all of them together a complex and inefficient exercise. Ultimately, this will lead to a disparity in privacy protections for US residents, with some residents benefiting from stronger protections in one area of the law and weaker protections in another,” Sotto said.
“There is no better time for the federal government to step in and pass an overarching preemptive privacy law. Because data does not respect state boundaries and businesses often need to process personal data of residents in multiple states, it is inefficient and ultimately less protective of privacy to have varying privacy laws in the U.S.”