Connecticut, just like Colorado, California, Utah, and Virginia, has passed a comprehensive new data privacy legislation that establishes obligations for companies that gather and process the personal information of state locals and gives individuals new rights. The Connecticut Data Privacy Act (Senate Bill 6) had been passed in the Senate 35-0 and in the House of Representatives 144-5 and is now with the state Governor Ned Lamont for signature. The new privacy rule will become effective on July 1, 2023.
The new rule makes a platform for managing and processing the personal records of state citizens, sets privacy protection requirements for data controllers and data processors, and provides state residents rights regarding the collection and use of their personal information. Consumers will be provided the right to access their personal records held by a business, get a copy of that information, and correct any errors. Consumers will furthermore possess the right to be forgotten and to have their personal information removed. Consumers may additionally choose to opt-out of the processing of their personal data for targeted marketing, selected sales of personal records, and profiling in the development of decisions that generate legal or equivalent significant effects concerning consumers.
The new law looks like the Colorado Privacy Act (CPA) as well as the Virginia Consumer Data Protection Act (CDPA), with the scope of the law falling somewhere between the two. The legislation will apply to organizations that keep the information of over 100,000 consumers or those people that get 25% and up of their annual income from the sale of data of greater than 25,000 customers, with the protections stronger compared to those of Utah and Virginia, however falling short of the privacy rule in Colorado.
The new legislation will end the right to cure on December 31, 2024. So from July 1, 2023 to December 31, 2024, organizations known to violate the Connecticut Data Privacy Act will have the chance to take corrective steps to deal with the zones of non-compliance and avert a financial penalty or perhaps other sanctions. The elimination of the right to cure ought to encourage companies to follow the new law.
Selected entities will be exempted from complying with the Connecticut Data Privacy Act: state and local governments, nonprofits, national securities organizations registered under the Securities Exchange Act of 1934, financial companies governed by the Gramm-Leach-Bliley Act, as well as covered entities and business associates subject to the Health Insurance Portability and Accountability Act. There are additionally exceptions for specific data types, for example, data governed by FERPA, HIPAA, Fair Credit Reporting Act, the Airline Deregulation Act, Farm Credit Act, and the Driver’s Privacy Protection Act.
Adherence to the Connecticut Data Privacy Act will be put into effect by the Connecticut Attorney General. A standing working committee will be created to evaluate emerging matters that the legislation can be corrected to address.