Senate Bill 6: Everything you need to know about Connecticut’s New Privacy Law

By Iain Roberts | Published on 05.18.2022 | Compliance


On April 28, 2022, the Connecticut General Assembly passed a new data privacy law called Senate Bill 6 (SB 6), which should come into effect on July 1, 2023. The new law is said to share similarities with the Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (CDPA), and Utah Consumer Privacy Act (UCPA).

Who Does SB 6 Apply to

SB 6 applies to individuals and organizations that conduct business in Connecticut, as well as those outside the state that produce products or services targeted at Connecticut residents. This includes individuals and organizations that controlled or processed the personal data of at least 100,000 Connecticut residents in the preceding year, not counting personal data processed solely to complete a payment transaction.

It also applies to individuals and organizations that derive more than 25% of their annual gross revenue from selling personal data and that control or process the personal data of 25,000 or more Connecticut residents.

Who Does SB 6 Not Apply to

SB 6 does not apply to:

  • Government entities (both state and local);
  • Non-profit organizations;
  • Higher education institutions;
  • Financial institutions subject to the Gramm-Leach-Bliley Act;
  • Entities covered by the Health Insurance Portability and Accountability Act (HIPAA);
  • Entities covered by the Family Educational Rights and Privacy Act (FERPA);
  • Entities covered by the Fair Credit Reporting Act (FCRA).

Consumer Rights Under SB 6

SB 6 is designed to protect consumers who are not acting on behalf of a business, government agency, or non-profit organization. The proposed bill grants consumers the right to:

  1. Know whether a controller is processing their personal data;
  2. Access, edit and delete their personal data;
  3. Obtain a copy of their personal data in a portable and usable format;
  4. Opt out of the processing of their personal data for marketing or profiling purposes.

If the data subject is a child, then a parent or legal guardian may exercise consumer rights on their behalf. The controller is required to respond to consumer rights requests without undue delay, subject to adequately verifying the identity of the subject or their designated guardian. The controller must respond to consumer rights requests free of charge, once per 12-month period.

If the data subject chooses to opt out of the processing of their personal data for marketing or profiling purposes, the controller must comply with the request unless it conflicts with an existing agreement between the two parties, in which case the controller (or processor) must inform the data subject.

Controller Obligations Under SB 6

Under SB 6, controllers are obligated to:

  1. Minimize the amount of personal data they collect and store;
  2. Avoid collecting data unless it is absolutely necessary and consent has been given;
  3. Have administrative, technical, and physical safeguards in place to protect consumers’ personal data;
  4. Provide a clear and concise privacy notice, with an option to explicitly opt in and opt out at any time;
  5. Carry out an assessment to identify areas where a consumer’s data might be at risk.

These obligations do not restrict a controller’s ability to process personal data for internal purposes, such as research and development, managing technical errors, and other activities that might help to improve their service without sacrificing the data subject’s privacy.

Dark Patterns

SB 6 prohibits the use of dark patterns. A “dark pattern” is a user interface that has been purposely designed to deceive or manipulate customers in some way. Examples include adding extra charges to a user’s shopping cart without explicitly informing them, disguising advertisements so that they blend in with the page content, or tricking users into signing up for recurring payments.

Enforcement

Under SB 6, there is no private right of action. In other words, SB 6 can only be enforced by the Connecticut Attorney General (AG), even where the conduct also violates the Connecticut Unfair Trade Practices Act (CUTPA). Before taking action, the AG must provide the entity with a notice of violation and an opportunity to cure the violations within 60 days of receiving the notice.

If you’d like to see how the Lepide Data Security Platform can help get ready for SB 6, schedule a demo with one of our engineers or start your free trial today.