Keypoint: Subject to the Governor’s approval, Connecticut will become the fifth state to pass a broad consumer privacy act with a bill that is comparable to the Colorado Privacy Act.
On April 28, 2022, the Connecticut legislature passed what we are calling the Connecticut Data Privacy Act (CTDPA) (SB 6). Subject to the Governor’s approval, Connecticut will join California, Virginia, Colorado, and Utah as states having passed broad consumer privacy bills.
Husch Blackwell’s data privacy team will present a webinar on the CTDPA on May 5, 2022, at 1:00 p.m. eastern / 10:00 a.m. pacific. The webinar will provide a deep dive analysis into the CTDPA and how it compares with the laws in California, Colorado, Utah, and Virginia. To register click here.
Below are high level takeaways about the CTDPA along with context of how the CTDPA compares with other state laws.
A Prevailing Model Emerges but With Significant Variants
The CTDPA, like the Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (VCDPA), and Utah Consumer Privacy Act (UCPA) is based on the 2021 Washington Privacy Act (WPA) model. The WPA never became law, but it has strongly influenced the direction of state privacy law. In addition, lawmakers have also proposed WPA variants in other states, including Indiana, Iowa, Louisiana, Michigan, Tennessee, and Wisconsin. Therefore, at least as of now, the WPA model (or what some will call the VCDPA model) has emerged as the prevailing model for state consumer data privacy laws – although it could be argued that California, with a population of around 39 million, is still the prevailing model as compared to the approximately 21 million people covered by the other states’ laws.
With that being said, even though Colorado, Connecticut, Utah, and Virginia use the WPA model, there are significant variations between the laws. As we previously discussed, the Utah law is a pro-business variant whereas Colorado and Connecticut are significantly more consumer-oriented. Virginia is somewhere in between. As states continue to propose legislation, attention needs to be paid to what variant of the WPA model lawmakers are proposing. This is particularly true given recent reports that industry lobbying groups intend to push the Utah variant as the standard for state – and federal – privacy legislation.
Despite these differences, the fact that the same model underlies these laws helps with interoperability. This is akin to state data breach notification statutes, which are generally based on the California model but contain variations. The emergence of a prevailing model also arguably makes it less urgent that federal lawmakers pass a law – a theory we first discussed in August 2021 in our Legislating Data Privacy podcast.
The 3Cs of State Privacy Law
The CTDPA is most comparable to the Colorado Privacy Act although there are notable variations (a topic we will dig into more in our webinar). In many respects, the CPA and California Privacy Rights Act (CPRA) can be viewed as complementary laws especially given that they are based on different models. In other words, there are parts of the CPRA that are stronger than the CPA and vice versa. We analyzed many of these differences in our ten-part series on the CPRA, CPA, and VCDPA.
Connecticut now joins California and Colorado in that debate – forming the 3Cs of state privacy law. As discussed below, there are parts of the Connecticut bill that are arguably stronger than the CPRA and CPA. Therefore, for organizations subject to all of the laws, the CTDPA could be viewed as moving the bar on state privacy laws slightly higher.
Strong Opt-Out Regime
Like Colorado and Virginia, Connecticut residents will have the right to opt out of sales, targeted advertising, and profiling. The CTDPA defines “sales” similarly to California and Colorado (i.e., “monetary or other valuable consideration”) and, therefore, is broader than the definitions used in Virginia and Utah.
Beginning January 1, 2025, the CTDPA will require controllers to recognize opt-out preference signals for targeted advertising and sales. This is six months after such signals must be recognized in Colorado. The CPRA makes the recognition of such signals optional (although this could be addressed in rulemaking given the current requirement that businesses recognize the global opt-out signal). We explored these issues further here.
The Connecticut Attorney General will not be required to issue regulations on opt-out signals; however, the CTDPA’s requirements for such signals largely (and deliberately) track the CPA’s requirements, thus aligning the two.
Notably, the CTDPA goes one step further than Colorado by not requiring that opt outs be authenticated. In so doing, the CTDPA aligns with the CPRA. The CTDPA also borrows from the CCPA regulations by allowing controllers to deny an opt-out request if they have a good faith, reasonable and documented belief that such request is fraudulent.
The fact that Connecticut joined Colorado in requiring controllers to recognize opt-out signals should not be overlooked. This is a hotly contested issue. For evidence, one need look no further than the privacy bills that were proposed this year and the scarcity of those that contained a similar provision.
Sunsetting of the Right to Cure Violations
The CTDPA provides a right to cure violations, but it will sunset on December 31, 2024. This is comparable to sunset provisions in California (January 1, 2023) and Colorado (January 1, 2025). Once the three rights to cure sunset, the three Cs will be positioned to engage in multistate enforcement actions in appropriate circumstances. In contrast, organizations will still be able to cure violations in Utah and Virginia, thus mitigating the compliance risk in those states.
The ability to engage in multistate enforcement actions helps address the criticism that state Attorney General offices do not have sufficient resources to enforce these laws by effectively allowing these states to pool their resources. This is a model routinely used by state Attorney General offices in other settings.
Additionally, not to be overlooked is the fact that the CTDPA embeds the concept of prosecutorial discretion in its enforcement provision. The Attorney General may, after the right to cure sunsets, take certain factors into account in determining whether to grant controllers and processors a right to cure. During the public hearing process, the Connecticut Attorney General’s office stated that it already routinely takes such factors into account; however, the addition of these discretionary factors into the law’s text is a compromise to address concerns raised by business interests.
Tweaks to Consent
Like Colorado and Virginia, the CTDPA requires that controllers obtain consent for the processing of sensitive data. However, unlike those two laws, the CTDPA states that controllers must “provide an effective mechanism for a consumer to revoke the consumer’s consent under this section that is at least as easy as the mechanism by which the consumer provided the consumer’s consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than fifteen days after the receipt of such request.” Privacy professionals will recognize this concept from the GDPR.
It could be argued that it is implied in Colorado and Virginia that consent can be revoked. However, Connecticut resolves any such ambiguity and specifically requires controllers to provide a mechanism for such revocation.
Like Colorado and California, the CTDPA also forbids the use of dark patterns to obtain consent. The CTDPA defines dark patterns using the same language along with referencing any practices that the Federal Trade Commission refers to as a dark pattern. We discussed dark patterns further here.
Noticeably absent from the CTDPA is authorization for the Attorney General to engage in rulemaking. This was discussed during work group meetings and the Connecticut Attorney General’s office took the position that rulemaking was not needed.
Some will argue that the absence of rulemaking will hamper the development of the CTDPA over time as changes will need to be made legislatively instead of through a rulemaking process. However, as discussed, certain concepts and definitions were linked to topics that will be subject to rulemaking in California and Colorado.
Further, it could be argued that Connecticut has paved the way for other states to enact more substantive privacy legislation (e.g., requiring controllers to recognize opt-out signals) without incurring the time and cost of rulemaking.
As with the CPA and VCDPA, the CTDPA requires that controllers obtain parental consent for the collection of personal data from a known child (i.e., children under 13 years of age). However, the CTDPA goes further than the CPA and VCDPA by stating that controllers shall not “process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances where a controller has actual knowledge, and willfully disregards, that the consumer is at least thirteen years of age but younger than sixteen years of age.”
In comparison, the CPRA provides that a “business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer’s personal information. A business that willfully disregards the consumer’s age shall be deemed to have had actual knowledge of the consumer’s age.” We discussed these issues further here.
Children’s data has been a popular topic recently with President Biden even discussing it in his State of the Union address. The CTDPA is the first WPA variant to provide more protections for children’s data, which could set the bar higher on this issue for future state variants.
The CTDPA has a unique definition of biometric data as compared to the other state laws. We analyzed this issue at length here. The CTDPA defines biometric data similar to the VCDPA; however, the two differ when it comes to what does not constitute biometric data.
The VCDPA states that biometric data does not include “a physical or digital photograph, a video or audio recording or data generated therefrom, or information collected, used, or stored for health care treatment, payment, or operations under HIPAA.”
In comparison, the CTDPA states that biometric data does not include: “(A) a digital or physical photograph, (B) an audio or video recording, or (C) any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.” Thus, the CTDPA makes it clear that if photographs, audio or video recordings are used to generate data that identifies a specific individual, that data will constitute biometric data.
This approach is generally consistent with GDPR Recital 51 and European Data Protection Board guidance as reflected in paragraphs 73-75 of Guidelines 3/2019 on processing of personal data through video devices (Version 2, adopted January 29, 2020).
The CPA does not contain a definition of biometric data. If the Colorado Attorney General’s office chooses to address this issue in CPA rulemaking it could look to the CTDPA’s definition.
The CTDPA contains many of the same exemptions common-place in these laws, including entity-level exemptions for GLBA-regulated entities, HIPAA covered entities and business associates. Colorado remains the lone state consumer privacy law to cover nonprofits.
In addition, the CTDPA contains the data broker exemption for the request to delete that recently was added to the VCDPA. Specifically, the CTDPA states that a “controller that has obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete such data . . . by (A) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remains deleted from the controller’s records and not using such retained data for any other purpose pursuant to the [the CTDPA], or (B) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to” the CTDPA.
More to Come: Privacy Task Force
The CTDPA establishes a privacy task force to study additional topics and provide a report to the Joint General Law Committee no later than January 1, 2023. The CTDPA identifies seven topics, including algorithmic decision-making, children-related issues, exemptions, and data colocation.
A Multi-Year Effort
During the Senate debate, numerous Senators – from both parties – remarked on the incredible multi-year effort Senator Maroney put into drafting the CTDPA. Over the last year alone, he organized a work group that met numerous times and heard from many different stakeholders. He spent countless hours finding solutions for complex problems and bringing as many varying interests to the table as possible. If the last few years of tracking proposed state privacy legislation have shown us anything, it is that passing good legislation is far more difficult than passing bad legislation. That was certainly the case in Connecticut.
No doubt some will argue that the bill should have gone further, while others will argue that it goes too far. However, compromise is (or at least should be) at the heart of the democratic process and the CTDPA is a product of that effort by Senator Maroney.
The above only scratches the surface of the CTDPA and how it compares with existing state privacy laws. We will dig into these issues during our webinar on May 5, 2022, at 1:00 p.m. eastern / 10:00 a.m. pacific.