Connecticut inches closer to becoming fifth state with data privacy law

Connecticut moved one step closer to becoming the fifth state in the U.S. to pass a privacy law after the Connecticut General Assembly advanced a bill on Thursday that would offer residents baseline privacy rights.

SB 6 – named an ‘Act Concerning Personal Data Privacy and Online Monitoring’ – now heads to the desk of Governor Ned Lamont. A spokesperson for Lamont told The Record that he “appreciates the intentions behind the bill.” 

“We are not immediately aware of any concerns, but as always the governor and his staff will need to carefully review the bill once it is transmitted to our office,” the governor’s spokesperson said.

If signed, Connecticut would follow California, Virginia, Colorado and Utah as the states to create their own privacy law in lieu of federal action on the issue. 

The Connecticut bill – which would take effect July 1, 2023 – resembles the privacy laws passed in Colorado, Virginia and Utah in that it allows residents to opt out of sales, targeted advertising, and profiling. By 2025, the law will require companies to acknowledge opt-out preference signals for targeted advertising and sales.

Websites and companies now have to get consent to process sensitive data and need to offer Connecticut residents ways to revoke that consent. Organizations will have no more than 15 days to stop processing data as soon as consent is revoked, according to the law. 

Parental consent is needed for any website to collect personal data from children under the age of 13 but businesses are banned from collecting personal data and using targeted advertising on children between the ages of 13 and 16. 

The bill forces companies to honor browser privacy signals, like the Global Privacy Control, so that consumers can opt out of data sales at all companies in a single step. 

Keir Lamont, senior counsel at the Future of Privacy Forum, added that Connecticut’s privacy bill goes beyond existing state privacy laws by “directly limiting the use of facial recognition technology, establishing default protections for adolescent data, and strengthening consumer choice, including through requiring recognition of many global opt-out signals.” 

“Nevertheless, a federal privacy law remains necessary to ensure that all Americans are guaranteed strong, baseline protections for the processing of their personal information,” Lamont said. 

The law also joins California and Colorado in adding sunset clauses to the “right to cure” – a term used to describe a process where companies are given a set amount of time to fix violations before enforcement action can be taken or lawsuits can be filed. 

"Right to cure" provisions are a hotly debated topic and have been one of the fulcrums upon which several privacy bills have failed in state assemblies across the country. 

Consumer Reports, which worked with Connecticut lawmakers on their bill, called the “right to cure” provisions in most privacy laws a “get out of jail free” card for companies violating consumer privacy. 

Connecticut’s right to cure provision sunsets on December 31, 2024. Colorado’s provision sunsets on January 1, 2025 while California’s sunsets on January 1, 2023. Once these sunset, the states will be able to take enforcement action against organizations that violate the law. 

“Through joint enforcement, the 3Cs of state privacy law will be in a unique position to dictate the future of US privacy law (assuming the continuing absence of a federal law). This will not be the case with VA and UT where controllers will still be able to cure violations,” said lawyer David Stauss, who serves as chair of the HuschBlackwell law firm's Privacy and Cybersecurity Practice Group.

“There is more to be done. SB6 establishes a privacy work group that will analyze a number of issues and provide a report by September 1, 2022.”

Several states have spent years attempting to pass their own privacy laws due to the lack of any movement on privacy legislation at the federal level. Calls for a federal privacy law have ramped up since the European Union's General Data Protection Regulation became enforceable in 2018, which has served as a model for similar laws in Japan, Brazil, South Korea and elsewhere.

New York, Texas, Washington, and dozens of other states have faced issues in pushing through their own privacy laws through due to backlash from businesses that complain the bills will create a significant amount of extra work for effectively any business with a website.