
June 2, 2022 Expert's Corner

CT passes new privacy law: What your business needs to know

PHOTO | CONTRIBUTED Russell F. Anderson

Joining a national trend, Connecticut became the fifth state to enact a broad-based privacy law in May.

Many familiar privacy laws are limited in the scope of the information they cover. For example, HIPAA applies only in the context of healthcare providers and insurers. Our new law, Public Act 22-15, will give Connecticut residents broad rights to their personal data and impose many new obligations, especially for consumer-facing, medium-sized and larger businesses.

PA 22-15 covers for-profit businesses that hold the data of at least 100,000 Connecticut residents, or 25,000 when the business derives at least 25% of its revenue from selling consumer data. As a result, the law does not apply to nonprofit organizations and is unlikely to impact most small businesses.

For businesses that are impacted, the obligations will be substantial. PA 22-15 will apply to essentially all information held by a business that is linkable to an identifiable individual. This will include not only traditional contact data (name, address and email), but also information such as purchase history and page visits.

The new law obligates businesses to limit the data collected to what is reasonably needed for the intended purpose, and then to limit use of that data to those purposes.

Prior consent of the Connecticut resident is necessary to collect sensitive data, such as racial or ethnic origin, health information or precise geolocation. Businesses will also need to implement data security practices to protect collected data; however, the statute does not define what those safeguards should be other than that they must be reasonable.

Businesses that are subject to PA 22-15 will be required to provide numerous rights to Connecticut residents. These rights include the ability to: 1) learn what data the business possesses; 2) receive a portable copy of that data; 3) correct inaccuracies; and 4) require deletion of the data.

Responses to these requests must generally be provided within 45 days and without charge. An appeals process must be provided if the right is denied. Where a business uses personal data for targeted advertising or profiling or sells personal data, Connecticut residents will have the option to opt out of those activities.

The processes for exercising all of these rights will need to be disclosed in a thorough privacy notice that is publicly available on your business's website.

PA 22-15 first takes effect in roughly a year, on July 1, 2023.

The Connecticut General Assembly seemingly considered the concerns of business when shaping the law to allow for compliance without being overly punitive.

Violations of the law will constitute an unfair trade practice punishable through fines of up to $25,000 per violation. As the law will be enforced only by the Connecticut Attorney General’s Office, private and class action lawsuits will not be a concern.

Until Dec. 31, 2024, businesses will also be provided a 60-day period to address any deficiencies identified.

While many national firms will be familiar with the obligations imposed by PA 22-15 due to other state privacy laws, regional companies may be required to implement a privacy program for the first time.

Russell F. Anderson is an attorney with law firm Pullman & Comley LLC.
