On Wednesday May 11, 2022, Governor Ned Lamont signed the Connecticut privacy act and businesses are considering how this will affect preparation for all upcoming legislation with yet another state being added to the list. Truyo President Dan Clark gives his thoughts on how Connecticut compares to other upcoming legislation in California, Colorado, and Utah.
Colorado served as the basis for Connecticut’s law, as it did for other state laws besides California’s, but there are significant differences between all of them. Utah was much more influenced by business and Connecticut is more consumer-centric. The focus on opt-out is the most significant difference, requiring companies to respect a global opt-out signal without authentication and defining a “sale” in the broadest terms. While it may sound minor to remove the need for authentication, especially with Colorado already requiring observance of GPC (it is less formalized under CPRA at the moment but likely to be addressed in rulemaking), there is always a way for companies to make this more taxing on a consumer by allowing specific verification – an additional step many companies hope consumers will not take. By firmly stating this requirement, without additional rulemaking, browsers can be set to this as a default and it will be difficult to get around selling consumer data.
All consent for sensitive data must be freely given and controllers must “provide an effective mechanism for a consumer to revoke the consumer’s consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of such consent, cease to process the data as soon as practicable, but no later than fifteen days after the receipt of such request.” This clear definition, requirement, and short timeframe for a reversal process are definitely more consumer-friendly.
For children’s data, it is even more strict. As in Colorado, Connecticut requires controllers to obtain parental consent to collect a child’s personal data (i.e., children under 13 years of age), but it extends the requirements by saying you shall “…not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least thirteen years of age but younger than eighteen years of age.”
Enforcement will see the right to cure sunset in Connecticut at the end of 2024 – a year before Colorado and a year after California. They did not want a long-term or lingering crutch, particularly for businesses that actively avoid compliance or violate the children’s rules, as evidenced by testimony. This was a major focus of consumer groups. Also, the Attorney General somewhat surprisingly relinquished rulemaking, saying that none is required. This could make it easier for other states to follow Connecticut’s lead without having to go through the rulemaking process themselves, like California.
While not as comprehensive as GDPR, Connecticut is more in line with it on definitions and, in particular, consent mechanisms. Aside from those GDPR similarities, it’s derivative mostly of Colorado. Other international laws, including those in Australia, the Middle East, and India’s large draft bill, closely follow GDPR.