Connecticut Privacy Legislation Passed: Overview & History of CT’s SB 6


Connecticut is best known for its autumn leaves, college basketball (Huskies), and the invention of the hamburger (Louis’ Lunch; 1900). As of yesterday, Connecticut can also be known for becoming the first state in the New England region to pass privacy legislation. If signed into law by the Governor, Connecticut will be the fifth U.S. state to implement a comprehensive privacy law.

Once signed into law, SB 6 will require businesses to:

  • Establish a framework for controlling and processing personal data;
  • Set forth responsibilities and privacy protection standards for data controllers and processors;
  • Grant consumers the right to access, correct, delete, or obtain copies of personal data;
  • Create a task force to study HIPAA-related data and other topics on data privacy;
  • Allow consumers to opt out of the processing of personal data for the purposes of targeted advertising, certain sales of personal data, or profiling; and
  • Implement global privacy controls for internet carriers and data managers no later than January 1, 2025.

What’s in the Connecticut Privacy Bill?

SB 6 was initially thought to be modeled on a Virginia CDPA-style framework, with some elements of the CCPA. The amended version of the bill, however, reads closer to Colorado’s CPA, with two main differences.

  • First, it would expand on existing data privacy rights for children by requiring parental consent for minors (i.e., below the age of 13), and allowing teenagers between the ages of 13 and 15 to provide opt-in consent for certain data processing activities.
  • Second, unlike Colorado’s CPA and the California privacy laws (CCPA/CPRA), SB 6 does not grant rulemaking authority to the Connecticut Attorney General. This element is similar to the VCDPA.

Who Does SB 6 Apply To?

SB 6 would apply to individuals or entities that:

  • Conduct business in Connecticut or provide products and services that target Connecticut residents, and
  • During the preceding year, controlled or processed the personal data of at least either:
    • 100,000 consumers, excluding personal data controlled or processed solely for completing a payment transaction, or
    • 25,000 consumers and derived more than 25% of their gross revenue from selling personal data.

What are the Data Rights in the Connecticut Privacy Regulation?

SB 6 would allow consumers to exercise the following rights over their data:

  • Access to and knowledge of their data, unless it would reveal a trade secret;
  • Correct inaccuracies;
  • Delete certain types of data;
  • Obtain a copy of their data that is both portable and in a readily usable format; and
  • Opt out of processing if it involves:
    • Targeted advertising;
    • The sale of personal data (with an exception for club programs); or
    • Profiling based on automated decisions that produce legal or similarly significant effects concerning the consumer (e.g., controller-made decisions that would impact the results of securing housing, education, employment, insurance, etc.).
    • For opting out of processing, the opt-out preference must be sent by a platform, technology, or mechanism to the controller indicating the consumer’s intent to opt out of the processing or sale.

Data Protection Assessments (DPAs):

SB 6 requires controllers to conduct and document DPAs for each processing activity that presents a heightened risk of harm to a consumer, which may include:

  • Processing personal data for the purposes of targeted advertising;
  • Selling personal data;
  • Processing sensitive data; and
  • Profiling.

Penalties & Enforcement of SB 6:

SB 6 grants exclusive enforcement powers to the Connecticut Attorney General. While it doesn’t include a private right of action, any violation of the requirements under SB 6 will constitute a violation of the Connecticut Unfair Trade Practices Act (“CUTPA”), enforceable solely by the AG.

Unique Provision: The Right to Cure

The bill establishes a grace period through December 31, 2024, during which the CT AG must give violators an opportunity to cure any violations. The controller will be given 60 days to cure the violation. If the controller fails to cure the violation within 60 days, then the AG can bring an enforcement action.

Beginning January 1, 2025, however, the bill grants the CT AG complete discretion on whether to provide notice to a controller and give them the opportunity to correct an alleged violation. SB 6 sets out several conditions that the AG may consider when making this decision.

How Can BigID Help?

If CT SB 6 is signed into law by the state Governor, organizations will be required to adapt their data strategy to the new law. With BigID, businesses can discover all data across the organization, classify and catalog it (personal/sensitive), assess privacy risk with PIAs, and manage data rights requests at scale. Find out how BigID can help your company meet the requirements of SB 6.