Connecticut is the latest state to approve a statewide data privacy law, following in the recent footsteps of Colorado and Utah. On May 10, 2022, Connecticut governor Ned Lamont signed into law the Connecticut Personal Data Privacy and Online Monitoring Act (CPD POMA, act), which takes effect July 31, 2023. The new law applies to residents and any company collecting, processing and storing the data of residents of Connecticut.
What Are the Specific Criteria and Consumer Rights Included in the Law?
Companies that do business in Connecticut and collect personal data of Connecticut residents need to understand the state’s new data privacy requirements, definitions, and applicable criteria, and should consider taking actions that meet the criteria of both Connecticut and other state privacy laws.
The criteria specific to the act do NOT:
- Cover certain categories of data that are already regulated by other laws, such as the Gramm-Leach-Bliley Act (GLBA); and
- Allow for any private right of action; instead, all enforcement actions must come directly from the Office of the Attorney General, which includes private litigation and personal data used for advertising, sale, and profiling.
Connecticut consumers have the right to:
- Submit a request to the controller, specifying the right the consumer is intending to exercise.
- Have complete access to any of their personal data stored by an organization and its processing purpose.
- Have their data deleted or erased from company records entirely.
- Take their data from one company to another without obstruction (data portability). This must be technically feasible, practicable and reasonable for the controller to provide.
- Place restrictions on how their data can be processed.
Which Organizations Will Be Subject to the New Law?
The act applies to any person or organization, domiciled in Connecticut or not, that conducts business within the state or produces a product or service targeting residents of the state, and that during the preceding calendar year:
- Controls or processes personal data of 100,000 or more consumers (excluding for the purpose of completing a payment transaction); or
- Derives over 25% of its gross revenue from the sale of personal data while also processing or controlling the personal data of 25,000 or more consumers.
What Are the Requirements of My Organization?
In order for an organization to be in compliance with the act, certain requirement thresholds must be met by the controller of the organization. These requirements specify that:
- An organization must implement a process to allow consumers to access, correct, delete, obtain copies of, and opt out of processing their data.
- A privacy notice must be in place and publicly accessible. This notice should include: (1) the categories of data collected, (2) the purpose of the collection, (3) how consumers may exercise their rights, (4) what data is shared with third parties, (5) specific categories of third parties, and (6) contact information of the organization’s data controller.
- A data controller must respond to consumer requests within a 45-day threshold. This response must either include the answer to the customer’s request, or appropriate notice of a 45-day extension to fulfill the request.
- A platform should be available to allow for consumers to exercise their rights under this legislation.
- A dynamic record, with purpose specification, must be maintained to document the reason for deleting consumer information, without documenting what information was deleted.
- Technical safeguards and privacy principles must be implemented at the organization to help ensure data collection, limitation, encryption, retention and access controls are in place over consumer data.
- A data protection assessment must be performed for each of the controller’s processing activities that present a heightened risk of harm to consumers, which include (1) processing of personal data related to targeted advertising, (2) sales of personal data, (3) processing of sensitive data, and (4) the processing of personal data for the purposes of profiling. This assessment must also be made available to the attorney general upon request and must be performed for all activities enacted after July 1, 2023.
How Should You Prepare for Compliance?
Organizations that are proactive in their approach to privacy should find that their resources and business procedures won’t be hindered when consumer requests begin coming in.
The first step in complying with the new regulation is to designate a new or existing employee as the company’s data controller, responsible for ensuring the safety of collected consumer data and for handling data requests from consumers.
As in other states that have passed statewide privacy legislation, implementing compliance activities for a new regulation can sometimes be a headache. Using tools, such as NIST 800-53 revision 5, can help an organization establish appropriate privacy controls to provide adequate coverage. Some questions to consider when using the framework to build out the control framework include:
- Has our organization developed policies and procedures around its collection, purpose and processing of consumer data? Do we have a data controller in charge of this initiative?
- Does our organization have a platform, or alternative mechanism, that allows consumers to submit requests and exercise their rights over their data?
- Do our organization’s current technical safeguards and controls provide sufficient coverage over the consumer data we’re collecting? Do we need to adopt an alternative framework to receive sufficient coverage?
- Is our organization capable of conducting a data protection assessment over data processing and collection activities we plan to implement after the legislation’s effective date?
- Does our organization have adequate procedures in place to allow consumers insight into how and when their data is disclosed to third-party service providers?
What Are Some Key Terms That Should Be Understood?
Some key words could have a material impact on the interpretation of certain areas of the regulation. These key words and their definitions, summarized from the act, are:
- Biometric Data: Data generated by automatic measurements of an individual’s biological characteristics, such as fingerprints, eye retinas, or other unique biological characteristics.
- Consent: Clear, affirmative action signifying a consumer’s freely given, specific, informed and unambiguous agreement to allow the processing of personal data relating to a consumer.
- Consumer: An individual who is a resident of the state of Connecticut.
- Controller: An individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.
- Dark Pattern: A user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.
- De-identified Data: Data that cannot be reasonably used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual.
- Identified or Identifiable Individual: An individual who can be readily identified, directly or indirectly.
- Personal Data: Any information that is linked or reasonably linkable to an identified or identifiable individual.
- Processor: An individual who, or legal entity that, processes personal data on behalf of a controller.
- Sale of Personal Data: The exchange of personal data for monetary or other valuable consideration by the controller to a third party.
- Sensitive Data: Personal data that includes racial, ethnic, religious, mental, sexual orientation, citizenship status, or physical health characteristics of an individual. This also includes biometric data, personal data of a child and precise geolocation data.
- Targeted Advertising: Displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from that consumer’s activities over time and across nonaffiliated internet web sites or online applications to predict such consumer’s preferences or interests.
- Third Party: An individual or legal entity, such as a public authority, agency, or body, other than the consumer, controller, processor, or an affiliate of the processor or controller.
If you’re doing this for the first time, selecting and implementing a privacy control framework can be difficult and time-consuming. Weaver has IT Advisory professionals with the experience to help guide a privacy control framework to address the various requirements in the regulation and also address common pitfalls over access appropriateness, incident management, retention, destruction and other privacy-related areas.
For more information about the act and how it may apply to your business, contact us. Weaver is here to help.
Authored by Hunter Sundbeck, CDPSE.