On April 28, 2022, the Connecticut General Assembly passed a new data privacy law called Senate Bill 6 (SB 6), which should come into effect on July 1, 2023. The new law is said to share similarities with the Colorado Privacy Act (CPA), Virginia Consumer Data Protection Act (CDPA), and Utah Consumer Privacy Act (UCPA).
Who Does SB 6 Apply to
SB 6 applies to all individuals and organizations in Connecticut, as well as those from outside who interact with Connecticut residents for business purposes. This includes individuals and organizations who have controlled or processed the personal data of at least 100,000 Connecticut residents in the preceding year, with the exception of completing payment transactions.
It also applies to individuals and organizations who derive more than 25% of their annual gross revenue from selling the personal data of 25,000+ Connecticut residents.
Who Does SB 6 Not Apply to
SB 6 does not apply to:
- Government entities (both state and local);
- Non-profit organizations;
- Higher education institutions;
- Financial institutions subject to the Gramm-Leach-Bliley Act;
- Entities covered by the Health Insurance Portability and Accountability Act (HIPAA);
- Entities covered by the Family Educational Rights and Privacy Act (FERPA);
- Entities covered by the Fair Credit Reporting Act (FCRA).
Consumer Rights Under SB 6
SB 6 is designed to protect consumers who are not acting on behalf of a business, government agency, or non-profit organization. The proposed bill grants consumers the right to:
- Know whether a controller is processing their personal data;
- Access, edit and delete their personal data;
- Obtain a copy of their personal data in a portable and usable format;
- Opt-out of the processing of their personal data for marketing or profiling purposes.
If the data subject is a child, then a parent or legal guardian may exercise consumer rights on their behalf. The controller is required to respond to consumer rights requests without undue delay, subject to adequately verifying the identity of the subject or their designated guardian. The controller must respond to consumer rights requests free of charge, once per 12-month period.
If the data subject chooses to opt out of the processing of their personal data for marketing or profiling purposes, the controller must comply with the request, unless it conflicts with an existing agreement between the two parties. In which case the controller (or processor) will need to inform the data subject.
Controller Obligations Under SB 6
Under SB 6, consumers are obligated to:
- Minimize the amount of data they store;
- Avoid collecting data unless it is absolutely necessary and consent has been given;
- Have administrative, technical, and physical safeguards in place to protect consumers’ personal data;
- Provide a clear and concise privacy notice, with an option to explicitly opt-in and opt-out at any time.
- Carry out an assessment to identify areas where a consumer’s data might be at risk.
These obligations do not restrict a controller’s ability to process personal data for internal purposes, such as research and development, managing technical errors, and other activities that might help to improve their service without sacrificing the data subject’s privacy.
SB 6 prohibits the use of dark patterns. A “dark pattern” is where the user interface has been purposely designed to deceive the customers in some way. This might include adding extra charges to a user’s shopping cart without explicitly informing them, disguising advertisements so that they merge with the page content, or tricking user’s into making recurring payments.
Under SB 6, there is no private right of action. In other words, SB 6 can only be enforced by the Connecticut Attorney General (AG), even if the actions performed were in violation of the Connecticut Unfair Trade Practices Act (CUTPA). The AG must provide entities with a grace period, which includes a notice of violation, and an opportunity to address the violations within 60 days of receiving the notice.