2022 has been a busy year in terms of state data privacy laws. Read this update from attorney member Josh Stevens and register for ACA’s state law education Hot Topic later this month.
05/05/2022 11:00 A.M.
3.5 minute read
Key takeaways:
- The Connecticut Data Privacy Act is similar to laws in Virginia and Colorado.
- Privacy bills in 11 other states remain active as some legislative sessions are ending.
- ACA International will hold a Hot Topic webinar, part of a four-part series, on state-specific trends collectors need to know, May 19.
By Josh Stevens
As predicted, 2022 has been a busy year for the U.S. privacy world. Utah’s Consumer Privacy Act, the fourth state privacy law, was signed into law on March 24, 2022. Connecticut is now likely to be the fifth state to enact its own privacy law. The Connecticut Data Privacy Act (Senate Bill 6) passed both the House and Senate in the final weeks of April, and the bill will become law with the Connecticut governor’s signature or 15 days after the current legislative session ends on May 4.
Taking effect July 1, 2023, the Connecticut Data Privacy Act has familiar provisions to the other enacted state privacy laws, but mostly aligns with the Virginia Consumer Data Protection Act and the Colorado Privacy Act.
Key details of the Connecticut Data Privacy Act include:
- No private right of action; 60-day right to cure period ending on Dec. 31, 2024.
- Applies only to controllers that meet data volume threshold (75,000 consumers or more) or data volume and revenue threshold (process data of 25,000 consumers and derive 25% of revenue from selling personal data).
- Provides GLBA (entity and data-based), HIPAA (data-based), FCRA (data-based), and other relevant exemptions.
- Consumer rights largely align with other states and include appeal rights.
- Controller-processor contract requirements mirror other states.
- Must provide conspicuous notice of right to opt out of targeted advertising and sales.
- Must provide a clear and conspicuous link on the website to enable a consumer to opt out of the targeted advertising or sale of the consumer’s personal data.
- Must allow consumers to opt out of the targeted advertising or sale of the consumer’s personal data via a global opt-out mechanism by Jan. 1, 2025.
- Cannot collect sensitive personal data without first providing clear notice and obtaining the consumer’s consent (sensitive data concerning a known child must be processed in accordance with COPPA).
- Imposes reasonable data security requirements
- Requires data protection assessments which must be disclosed to the Connecticut attorney general upon request.
- Includes antidiscrimination provisions but exempts loyalty/rewards programs.
- The Connecticut General Assembly must convene a working group to study certain topics concerning data privacy and the working group must issue a report before Jan. 1, 2023.
Privacy bills in 11 other states remain active as some legislative sessions are ending. As previously reported, the California Privacy Protection Agency continues its regulation-making activity with regulations expected by late summer or early fall. The Colorado Attorney General’s Office is soliciting informal comments on 16 topics, including enforcement and controller and processor obligations, with stakeholder sessions and formal notice of proposed rulemaking likely coming later this year.
Businesses working to comply with adopted privacy laws in California, Colorado, Virginia and Utah should keep an eye on these and other privacy developments and consider ways to extend their current compliance efforts to cover emerging laws.
State Law Education
For more updates on state laws and trends to know, this quarterly series from ACA International, “State Specifics for Collectors,” will eliminate confusion and help trainers, compliance officers and collectors in the ARM industry gain a better understanding of the most important state “can and cannots ” to remain compliant on every call, no matter the consumer location. Stefanie Jackman, partner at Troutman Pepper, Abigail Pressler, general counsel at NCB Management Services Inc., and Nicholas Prola, general counsel at Professional Finance Company Inc., will lead this session.
This webinar is from 2 to 3 p.m. CDT, May 19. Visit the registration page here.
Josh Stevens is a partner at Mac Murray and Shuster LLP.
Editor’s note: This article is published with permission from Mac Murray and Shuster LLP Partner Josh Stevens. This article is provided for informational purposes and is not intended nor should it be taken as legal advice. The views and opinions expressed in this article are those of the author in his individual capacity and do not reflect the official policy or position of their partners, entities, or clients they represent.
If you have executive leadership updates or other member news to share with ACA, contact our communications department at [email protected]. View our publications page for more information and our news submission guidelines here