Conn. companies must prepare for data law
Last month, Connecticut became only the fifth state in the nation to adopt a sweeping consumer data privacy bill. This bill will have far-reaching effects on Connecticut-resident consumers and many businesses located in Connecticut, as well as businesses in other states that sell goods or services in Connecticut. This new law, which takes effect on July 1, 2023, places Connecticut at the national forefront of data privacy regulation and enforcement, and it is one with which businesses will want to become highly familiar before it takes effect a year from now.
From concerns about data collection to the sale of personal data to data breaches, consumer data privacy has been making headlines for several years. Consumers, businesses, consumer advocates and government regulators have struggled with how to balance consumer expectations, information security and the recognition that personal data fuels so much of modern-day commerce in a manner that empowers consumers while also being manageable from a business perspective. This new law is Connecticut’s attempt at doing all of that, and while only after the passage of time can we be certain, the state seems to have struck a good balance on many key issues that should both make consumers happy and allow businesses to breathe a sigh of relief.
At its core, the law is a consumer rights law and puts in place a slew of requirements regarding the collection and use of personal data by businesses and grants Connecticut residents new rights with respect to their personal data. While this may sound burdensome to business, the state did a nice job of modeling the law closely after similar, recently passed laws in Virginia and Colorado. This will be a welcome relief to businesses that operate nationally and (rightly so) fear an ever-growing patchwork of different, inconsistent privacy laws.
The similarity to the laws of Virginia and Colorado also brings a benefit to consumers by (hopefully) building consensus toward a national standard for consumer data privacy rights that apply more or less the same regardless of whether the consumer lives in Stamford, Richmond or Boulder. My expectation is that other states that are currently looking at adopting their own consumer data privacy laws will view Connecticut’s embrace of the Virginia and Colorado models as a signal to fall in line behind this developing standard. And perhaps Congress will follow suit, should the federal government someday pass a federal consumer privacy act.
Connecticut consumers can look forward to numerous new rights relating to their personal data, at least when doing business with entities subject to the new law (the law makes exceptions for many types of organizations and types of data). Such rights include knowing whether a business is processing a consumer’s personal data, allowing consumer access to personal data maintained by the business, requiring the correction of inaccuracies in such personal data, requiring deletion of such personal data where necessary and allowing for a consumer to opt out of the processing of such personal data for the purposes of sale, targeted advertising or profiling.
Most significantly, Connecticut’s new data privacy law requires businesses to provide a mechanism for consumers to revoke consent for using their data, which must be at least as easy as the mechanism by which consumers provide consent. These are meaningful changes to the business/consumer relationship that will particularly impact consumer-facing businesses in the state.
The bill also restricts businesses from processing personal data for unnecessary purposes, such as ones that are incompatible with the purposes to which the consumer consented. It also requires reasonable administrative, technical and physical data security practices to safeguard personal data as well as provide consumers with an accessible, clear and meaningful privacy notice.
Businesses will be required to conduct and document a data protection assessment for processing activities that present a heightened risk of harm to a consumer — by way of example, this could involve the processing of personal data for targeted advertising, sale and/or profiling. Some businesses already do this and will have a leg up on compliance. But for those that do not, there will be an ample amount of work in building up the new framework that allows for such assessments to be done.
This is not necessarily a bad thing, as the long-term good of data protection for both businesses and consumers will generally exceed the short-term cost of implementing these assessments. But it is something that will take effort and care to put in place and ensure is running effectively by next year — after all, violation of the data privacy law’s requirements could subject a business to be sanctioned under the Connecticut Unfair Trade Practices Act, something no business wants to face.
As mentioned, the new law does a fair job of balancing data privacy and the burden to business, and many businesses that operate nationally will already be familiar with many of these requirements. It will, however, still require work to become fully compliant by the day the law takes effect, and the key for Connecticut businesses is to begin that work now, while there is still plenty of time.