Connecticut Becomes 5th US State to Get Data Privacy LawConcern for Privacy Welcomed, But Federal Rules Preferable, Experts Say
Update - May 11, 2022: This story has been updated to include comments from Taylor Kay Lively.
See Also: Why Metadata Isn't Enough
Update - May 6, 2022: This story has been updated to include comments from Lisa Sotto and Christina Gagnier.
Connecticut has just become the fifth U.S. state to get a comprehensive data privacy and online monitoring law, as Senate Bill No. 6 passed into law on Wednesday. The law will go into effect on July 1, 2023, which means that organizations in the state have just 14 months to prepare for compliance.
Responding to the development, Lisa Sotto, partner and chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth, tells Information Security Media Group that there's "no better time" for the federal government to step in and pass an overarching pre-emptive privacy law. "Because data does not respect state boundaries and businesses often need to process personal data of residents in multiple states, it is inefficient and ultimately less protective of privacy to have varying privacy laws in the U.S.," she says.
The International Association of Privacy Professionals, or IAPP, says the new law includes "many of the same rights, obligations and exceptions" as the consumer privacy laws that exist in California, Colorado, Utah and Virginia.
"It draws heavily from the CPA and the Virginia Consumer Data Protection Act - with many of the law's provisions either mirroring or falling somewhere between the Colorado and Virginia laws - but contains a few notable distinctions that should be factored into an entity's compliance efforts," it says.
Taylor Kay Lively, IAPP Westin Fellow, tells Information Security Media Group that "for the most part," there is interoperability between the new law and its predecessors. Apart from where it intentionally goes further than its counterparts, most of the law's provisions closely track the CPA, and even the VCDPA, Lively says.
She adds, "It looks to be a hybrid between the two in certain regards, arguably having the most in common with the CPA, but there are some provisions where the law goes further than both the CPA and VCDPA."
According to the Connecticut General Assembly or CGA, the act concerning personal data privacy and online monitoring was formed to:
- Establish a framework for controlling and processing personal data;
- Establish responsibilities and privacy protection standards for data controllers and processors;
- Grant consumers the right to access, correct, delete and obtain a copy of personal data;
- Grant consumers the right to opt out of the processing of personal data for the purposes of targeted advertising, certain sales of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning consumers.
Commenting on consumers' opt-out rights, Lively says the bill will require controllers to recognize universal opt-out signals starting Jan. 1, 2025, which is six months after the CPA mandates such recognition. "How this obligation will play out in practice is yet to be seen, but unlike the CPA, the new Connecticut law will not require a controller to authenticate opt-out requests, which may offset some of the other compliance obligations," she says.
The Connecticut bill resembles the privacy laws passed in Colorado, Virginia and Utah in that it allows residents to opt out of sales, targeted advertising and profiling.
The IAPP says the scope of the law is "slightly broader than Virginia’s and slightly narrower than the CPA, with its threshold for revenue derived from data sales falling between the Virginia law (50% of gross revenues) and the CPA (any revenue or discount)."
Commenting on the scope, Lively says, "Although it adopts the same basic framework as the CPA and VCPDA, the bill provides a more robust, CPRA-like approach to the treatment of children's data by requiring consent to process personal data for targeted advertising or to sell the personal data of consumers between 13 and 16 years old."
The IAPP says the law explicitly excludes personal data processed solely for payment transactions. Thus, entities that process debit or credit cards only to the extent necessary to complete a sale will not be subject to the law's requirements.
"It provides a novel carve-out for payment transaction data that will exclude businesses that are processing such data only to complete a sale," Lively says.
The Connecticut law does not mention imposing annual revenue threshold obligations. In practice, this means that unlike the California Consumer Privacy Act, an entity will not become subject to the law merely due to its annual revenues; and unlike the Utah Consumer Privacy Act, entities need not exceed a certain annual revenue requirement to fall within the law's scope.
The law also defines the "sale of personal data" as "the exchange of personal data for monetary or other valuable consideration by the controller to a third party."
The law exempts the following types of entities and data from adhering to its requirements:
- State and local governments;
- National securities associations registered under the Securities Exchange Act of 1934;
- Financial institutions and data subject to the Gramm-Leach-Bliley Act;
- Covered entities and business associates as defined by the Health Insurance Portability and Accountability Act.
The law contains 16 categories of exempted data, including specific information regulated by the Health Insurance Portability and Accountability Act of 1996 - or HIPAA, the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act and the Airline Deregulation Act. Specific employee and job applicant data are also exempt.
With each U.S. state formulating its own data privacy law, businesses in North America that transact across states may struggle to comply with a potpourri of laws and acts.
"We are on a collision course for businesses in the U.S., who are trying desperately to keep up with the myriad state privacy laws that are now on the books. With California, Virginia, Colorado, Utah and now Connecticut having comprehensive privacy laws in place, companies will continue to struggle to comply with each law’s distinct provisions," Sotto says.
There is no highest common denominator - each of the laws is different, making compliance with all of them together a complex and inefficient exercise. Ultimately, this will lead to a disparity in privacy protections for U.S. residents, with some residents benefiting from stronger protections in one area of the law and weaker protections in another," Sotto adds.
Perhaps there is a need for a unified law governing all states and protecting U.S. consumers and all types of businesses, on the lines of the EU's GDPR, she suggests.
"The EU ultimately understood that it was untenable to have different privacy laws in each member state. That's one lesson we can learn from the EU - it's time to have a single comprehensive privacy law governing the processing by businesses in the U.S. of personal information of all U.S. residents, regardless of the state in which they reside," Sotto says.
Christina Gagnier, a shareholder at Carlton Fields who focuses on cybersecurity and privacy and international regulatory affairs, acknowledges the similarities between the current privacy laws. "It is important to create a compliance program that synthesizes the overlap to make actions, like responding to consumer requests, more streamlined," she says.
Gagnier, whose firm has been monitoring the legislative trajectory of the act and similar laws in other states, says she anticipates that more states will adopt similar regulations in this legislative session. "This is part of a nationwide trend that will continue to expand. The European Union-like, consumer-focused approach has started to take hold at the state level in the United States," she says.
Lively says that businesses preparing for CPA and VCDPA compliance will be able to apply some of their compliance efforts to the new Connecticut law. "But there are a few important nuances that need to be considered. For instance, like the CPA and VCDPA, Connecticut's new law will require controllers to establish an appeals process for consumers to utilize when requests to exercise their rights are denied or not acted on in a timely manner," she says.
The laws, some experts say, are directed at larger businesses, and exclude small and medium-sized enterprises, or SMEs. The latter, in fact, are the backbone of the U.S. economy and key contributors to other Trans-Pacific Partnership, or TPP, economies as well. The Office of the United States Trade Representative shows that 28 million American SMEs account for nearly two-thirds of net new private sector jobs in the recent decades.
"These laws are not designed necessarily thinking about small to medium-sized businesses. These laws are generally inspired by the data practices of much larger companies with the compliance teams and budget to comply. Small businesses need to find solutions through law firms who are focused on compliance for their end of the sector to avoid friction and unnecessary costs," Gagnier says.