Connecticut is the fifth state to enact data privacy legislation while discussions on a federal bill are underway again in the U.S. House of Representatives.
06/15/2022 4:15 P.M.
Connecticut’s data privacy legislation was signed by Gov. Ned Lamont last month, adding it to the handful of states with their own data privacy measures while a federal act has just again started to see some discussion on Capitol Hill.
The Connecticut Data Privacy Act will take effect a little over a year from now, July 1, 2023, and shares some provisions with other enacted state data privacy laws.
It mostly follows the pattern of the Virginia Consumer Data Protection Act and the Colorado Privacy Act.
Key components of the Connecticut Data Privacy Act, as previously reported by Josh Stevens, partner at Mac Murray and Shuster LLP in an article published by ACA International, include:
- No private right of action; 60-day right to cure period ending on Dec. 31, 2024.
- Applies only to controllers that meet data volume threshold (75,000 consumers or more) or data volume and revenue threshold (process data of 25,000 consumers and derive 25% of revenue from selling personal data).
- Provides GLBA (entity and data-based), HIPAA (data-based), FCRA (data-based), and other relevant exemptions.
- Consumer rights largely align with other states and include appeal rights.
- Controller-processor contract requirements mirror other states.
- Must provide conspicuous notice of right to opt out of targeted advertising and sales.
- Must provide a clear and conspicuous link on the website to enable a consumer to opt out of the targeted advertising or sale of the consumer’s personal data.
- Must allow consumers to opt out of the targeted advertising or sale of the consumer’s personal data via a global opt-out mechanism by Jan. 1, 2025.
- Cannot collect sensitive personal data without first providing clear notice and obtaining the consumer’s consent (sensitive data concerning a known child must be processed in accordance with COPPA).
- Imposes reasonable data security requirements.
- Requires data protection assessments which must be disclosed to the Connecticut attorney general upon request.
- Includes anti-discrimination provisions but exempts loyalty/rewards programs.
- The Connecticut General Assembly must convene a working group to study certain topics concerning data privacy and the working group must issue a report before Jan. 1, 2023.
Privacy bills in 11 other states remain active as some legislative sessions are ending. As previously reported, the California Privacy Protection Agency continues its regulation-making activity with regulations expected by late summer or early fall. The Colorado Attorney General’s Office is soliciting informal comments on 16 topics, including enforcement and controller and processor obligations, with stakeholder sessions and a formal notice of proposed rulemaking likely coming later this year, according to Stevens.
Businesses working to comply with adopted privacy laws in California, Colorado, Virginia and Utah should keep an eye on these and other privacy developments and consider ways to extend their current compliance efforts to cover emerging laws.
State Law Education
For more updates on state laws and trends to know, the quarterly series from ACA, “State Specifics for Collectors,” will next be held on Aug. 18. It is designed to eliminate confusion and help trainers, compliance officers and collectors in the ARM industry gain a better understanding of the most important state “can and cannots” to remain compliant on every call, no matter the consumer location. Stefanie Jackman, partner at Troutman Pepper, Abigail Pressler, general counsel at NCB Management Services Inc., and Nicholas Prola, general counsel at Professional Finance Company Inc., will lead this session.
Meanwhile, lawmakers on both sides of the aisle have released a draft bill focused on comprehensive data privacy and held a legislative hearing for discussion on the proposal June 14.
U.S. Reps. Frank Pallone Jr., D-N.J. and Cathy McMorris Rodgers, R-Wash., chairman and ranking member of the House Committee on Energy and Commerce, and U.S. Sen. Roger Wicker, R-Miss., ranking member of the Senate Committee on Commerce, Science, and Transportation, released the discussion draft of a comprehensive national data privacy and data security framework last week, ACA previously reported.
The draft legislation is the first comprehensive privacy proposal to gain bipartisan, bicameral support, according to a news release, and has been years in the making.
ACA’s Federal Affairs Committee is reviewing the legislation and ACA will soon be providing more details on our thoughts on how it impacts the ARM industry.