State data privacy laws seem to be coming quicker now, as the Connecticut House of Representatives approved Senate Bill 6 yesterday, paving the way for the Connecticut data privacy law to be signed into law by Connecticut Governor Ned Lamont.
The Connecticut House approved the bill by a vote of 144 to 5, after the Senate unanimously approved it last week. The text of the proposed Connecticut data privacy law, which establishes a framework for controlling and processing personal data, is here and it would make Connecticut the fifth state to have a comprehensive data privacy law (Utah did so just last month). Among other things, it:
- sets responsibilities and privacy protection standards for data controllers (those that determine the purpose and means of processing personal data) and processors (those that process data for a controller);
- gives consumers the right to access, correct, delete, and obtain a copy of personal data and to opt out of the processing of personal data for certain purposes (e.g., targeted advertising);
- requires controllers to conduct data protection assessments;
- authorizes the attorney general to bring an action to enforce the bill’s requirements; and
- deems violations to be Connecticut Unfair Trade Practices Act (CUTPA) violations.
The proposed Connecticut data privacy law’s consumer data privacy requirements generally apply to individuals (1) conducting business in Connecticut or producing products or services targeted to Connecticut residents and (2) controlling or processing personal data above specified consumer thresholds.
The bill exempts from its requirements (1) various entities, including state and local governments, nonprofits, and higher education institutions, and (2) specified information and data, including certain health records, identifiable private information for human research, certain credit-related information, and certain information collected under specified federal laws.
The bill also establishes a task force to, among other things, study Health Insurance Portability and Accountability Act (HIPAA)-adjacent data and other topics on data privacy and make recommendations to the General Law Committee by January 1, 2023.
It also includes *Senate Amendment “A”, which (among other things) increases an applicability threshold from 75,000 to 100,000 consumers, modifies exemptions to include health plans, health care clearinghouses, health care providers, and other associates rather than hospitals, exempts a controller from confirming a consumer’s personal data is being processed if it requires revealing a trade secret, and lowers the prohibited age, from 18 to 16, for targeted advertising or personal data sales without the consumer’s consent.
The effective date of the new law would be July 1, 2023, except the task force provision is effective upon passage.
Obviously, it’s never over until it’s over, but it appears likely that the governor will either sign the bill, or the Connecticut legislature will override a veto, should one occur. Of course, every state data privacy law is a little different from the others, making compliance more challenging than ever.
So, what do you think? Do you think the proposed Connecticut data privacy law goes far enough to protect individual data privacy rights? Please share any comments you might have or if you’d like to know more about a particular topic.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.