
Overview of the Connecticut Senate Bill 6: An Act Concerning Personal Data Privacy And Online Monitoring


1. Introduction

Connecticut has joined the growing list of US states that have enacted consumer data privacy legislation. The state Senate passed Senate Bill 6, 'An Act Concerning Personal Data Privacy and Online Monitoring', by a vote of 35-0 (with one abstention), and the bill was then sent to the House of Representatives, where it passed as well.

Connecticut Senate Bill 6 (SB6) is broadly modeled on the recently enacted Colorado Privacy Act (CPA). A few differences set SB6 apart, such as stronger privacy protections for children. Like most other privacy laws, SB6 gives consumers greater control over, and transparency into, the processing of their personal data, including better visibility into who processes and shares it.

The act was signed into law by Gov. Ned Lamont on May 10, 2022, and takes effect on July 1, 2023. Below is a quick analysis of the significant provisions of Connecticut Senate Bill 6.

2. Who Needs to Comply With Connecticut Senate Bill 6

Like most other privacy laws, SB6 defines which personal data falls inside or outside its scope, as well as the thresholds that determine which businesses (controllers) must comply.

2.1 Material Scope

SB6 applies to personal data, meaning any information that is linked or reasonably linkable to an identified or identifiable individual, with the exception of de-identified data and publicly available information.

However, SB6 carves out certain categories of data to which the law does not apply, including but not limited to:

  • Medical data: Protected health information regulated under HIPAA; identifiable private information collected for human subjects research under the federal policy for the protection of human subjects; and information used only for public health activities and purposes.
  • Data covered under the Gramm-Leach-Bliley Act (GLBA): Personal data collected, processed, sold, or disclosed in compliance with GLBA.
  • Fair Credit Reporting Act (FCRA) covered data: Personal data collected, maintained, disclosed, sold, or used by a consumer reporting agency, only to the extent that such activity is regulated by and authorized under the FCRA.
  • Driver data: Personal data regulated by the Driver's Privacy Protection Act.
  • Family Educational Rights and Privacy Act (FERPA) data: Personal data regulated by FERPA.
  • Employment data: Personal data processed in the employment context, such as job applicant and employee data, emergency contact information, and data needed to administer benefits.
  • Airline data: Personal data collected, processed, sold, or disclosed by air carriers in accordance with the Airline Deregulation Act.

2.2 Territorial Scope

SB6 applies to persons that conduct business in Connecticut, or that produce products or services targeted to Connecticut residents, and that during the preceding calendar year either:

  • controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

2.3 Exceptions

The provisions of the law do not apply to:

  1. The state and its political subdivisions (government bodies and agencies);
  2. Institutions of higher education;
  3. Non-profit organizations;
  4. National securities associations registered under the Securities Exchange Act of 1934;
  5. Financial institutions, and data, subject to the Gramm-Leach-Bliley Act (GLBA);
  6. Covered entities and business associates as defined under the Health Insurance Portability and Accountability Act (HIPAA).

3. Definition of Key Terms

3.1 Consumer

A consumer is any individual who is a resident of the state of Connecticut. Individuals acting in a commercial or employment context are excluded.

3.2 Controller

A controller is any individual or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data.

3.3 Processor

A processor is any individual or legal entity that processes personal data on behalf of a controller.

3.4 Third Party

A third party is any individual, public authority, agency, or body other than the consumer, the controller, the processor, or an affiliate of the controller or processor.

3.5 Personal Data

Personal data is any information that is linked or reasonably linkable to an identified or identifiable natural person. It does not include de-identified data or publicly available information.

3.6 Sensitive Data

Sensitive data is personal data that includes:

  • data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;
  • genetic or biometric data processed for the purpose of uniquely identifying an individual;
  • personal data collected from a known child; or
  • precise geolocation data.

3.7 Dark Pattern

A dark pattern is:

  1. a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice; and
  2. includes, but is not limited to, any practice the Federal Trade Commission refers to as a "dark pattern".

4. Obligations for Organizations Under the SB6

SB6 establishes several obligations that controllers and processors must comply with. Here is a quick look at the key ones:

4.1 General Principles of Processing

Under SB6, controllers must process consumers' personal data in accordance with the following principles:

  • Data minimization: limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the disclosed purposes of processing;
  • Purpose limitation: do not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes unless the consumer consents;
  • Security: establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
  • Sensitive data: do not process a consumer's sensitive data without the consumer's consent;
  • Non-retaliation: do not discriminate against a consumer for exercising any right under the act;
  • Minors aged 13 to 15: where the controller has actual knowledge, and wilfully disregards, that a consumer is at least 13 but younger than 16, do not process that consumer's personal data for targeted advertising, or sell it, without the consumer's consent;
  • Children: the personal data of a known child (under 13) may be processed only with the consent of a parent or guardian, obtained in accordance with the Children's Online Privacy Protection Act (COPPA) and its implementing rule;
  • Anti-discrimination: do not process personal data in violation of state or federal laws that prohibit unlawful discrimination against consumers.

4.2 Non-Discrimination

The Act states that controllers should also not discriminate against a consumer for exercising any of their rights contained in the act by denying them goods or services, charging them different prices, or providing a different level of quality of goods and services. 

However, this does not prohibit a controller from offering a distinct rate (including discounts or product/service at no fee), quality, or selection of a product or service to the consumer, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.

4.3 Consent

SB6 defines consent as a clear affirmative act signifying a consumer's freely given, specific, informed, and unambiguous agreement to the processing of their personal data. Controllers must also provide an effective mechanism for a consumer to revoke consent that is at least as easy to use as the mechanism through which consent was given. Upon revocation, the controller must cease processing the data as soon as practicable, and no later than fifteen days after receiving the revocation request.

Moreover, SB6 prohibits organizations from using any dark patterns for consent. It defines dark patterns as user interfaces designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.

Consent is not valid if it is obtained through acceptance of general or broad terms of use, or inferred from a consumer hovering over, muting, pausing, or closing a given piece of content.

4.4 Privacy Notice Requirements

Under SB6, a controller must present a reasonably accessible, clear, and meaningful privacy notice on its website or application that informs consumers of:

  1. the categories of personal data the controller processes;
  2. the purpose or purposes for processing that personal data;
  3. the categories of personal data the controller shares with third parties, if any;
  4. the categories of third parties with which the controller shares personal data, if any;
  5. how consumers can exercise their rights, including how to appeal a controller's refusal to act on a request; and
  6. an active email address or other online mechanism through which the consumer can contact the controller.

In addition, a controller that sells personal data to third parties or processes it for targeted advertising must clearly and conspicuously disclose that processing and the manner in which a consumer may opt out of it.

4.5 Processor/Service Provider Agreements

SB6 requires a binding contract between a controller and a processor that governs the processor's handling of personal data on the controller's behalf. The contract must clearly set forth the instructions for processing, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties.

The contract must also require that the processor:

  1. ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data; 
  2. at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  3. upon the reasonable request of the controller, make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in the act; 
  4. engage any subcontractor only under a written contract that requires the subcontractor to meet the processor's obligations with respect to the personal data, and only after giving the controller an opportunity to object; and
  5. allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor using an appropriate and accepted control standard or framework and assessment procedure for such assessments and subsequently provide a report of such assessment to the controller upon request.

4.6 Data Protection Impact Assessment

SB6 also requires controllers to conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to a consumer. Processing that presents a heightened risk includes:

  • the processing of personal data for targeted advertising;
  • the sale of personal data;
  • the processing of personal data for profiling, where the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers; of financial, physical, or reputational injury to consumers; of an intrusion upon the private affairs of consumers that would be offensive to a reasonable person; or of other substantial injury to consumers; and
  • the processing of sensitive data.

A data protection assessment must identify and weigh the benefits of the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer, as mitigated by the safeguards the controller can employ. The assessment may take into account the reasonable expectations of consumers, the use of de-identified data, and the context of the processing and the relationship between the controller and the consumer.

The Attorney General may require a controller to disclose any data protection assessment relevant to an investigation, and the controller must make it available. Assessments disclosed to the Attorney General remain confidential and are exempt from disclosure under the Freedom of Information Act. Where an assessment contains information subject to attorney-client privilege or work product protection, its disclosure to the Attorney General does not waive that privilege or protection.

The assessment requirement applies only to processing activities created or generated after July 1, 2023, and is not retroactive.

5. Data Subject Rights Under Connecticut Senate Bill 6

Data subject rights are one of the most important components of every privacy law, and SB6 is no exception. Senate Bill 6 grants consumers five rights that are commonly found in other privacy laws:

5.1 Right to Confirm Processing and Access

The data subject (consumer) has the right to confirm whether a controller is processing the consumer's personal data and to access that personal data, unless such confirmation or access would require the controller to reveal a trade secret.

5.2 Right to Correct

The right to correct enables a consumer to request that the controller fix inaccuracies in the personal data it holds about the consumer, taking into account the nature of the personal data and the purposes of its processing.

5.3 Right to Delete

The consumer can ask the controller to delete personal data provided by, or obtained about, the consumer.

5.4 Right to Obtain a Copy of Personal Data

The consumer has the right to obtain a copy of the personal data they previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance.

5.5 Right to Opt-Out

The consumer has the right to opt out of the processing of their personal data for the purposes of:

  • targeted advertising;
  • the sale of personal data; or
  • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Means to Submit DSR Request: The consumer may designate an authorized agent to exercise the right to opt out on their behalf. The opt-out mechanism itself must be clear, direct, and consumer friendly.

The Act also requires controllers, no later than January 1, 2025, to recognize and honor an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism. Such a platform, technology, or mechanism must:

  • not unfairly disadvantage another controller;
  • not rely on a default setting, but instead require an affirmative, freely given, and unambiguous choice by the consumer to opt out of processing of their personal data;
  • be consumer friendly and easy for an average consumer to use;
  • be as consistent as possible with any other similar platform, technology, or mechanism required by federal or state law; and
  • enable the controller to accurately determine whether the consumer is a Connecticut resident and whether the consumer has made a legitimate request to opt out of the sale of their personal data or targeted advertising.
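The following is an added example, not code from the original article or from any Securiti product, showing how a controller might honor such a signal on the server side. It assumes the signal arrives as the Global Privacy Control request header (`Sec-GPC: 1`, https://globalprivacycontrol.org/), which is one widely used implementation of the "platform, technology or mechanism" described above; the `ConsumerRecord` structure, the residency flag, and the sample requests are assumptions constructed for illustration.

```python
"""Honouring an opt-out preference signal (Global Privacy Control) on the server.

Added example, not part of the original article. Assumes the signal is the
"Sec-GPC" request header; the consumer record layout and sample requests
below are constructed for illustration.
"""
from dataclasses import dataclass, field

TARGETED_ADVERTISING = "targeted_advertising"
SALE = "sale"
# The two processing purposes the opt-out signal covers in the text above.
OPT_OUT_PURPOSES = frozenset({TARGETED_ADVERTISING, SALE})


@dataclass
class ConsumerRecord:
    """Assumed controller-side record of a consumer's opt-out state."""
    consumer_id: str
    is_ct_resident: bool          # residency comes from the controller's own records
    opted_out: set = field(default_factory=set)


def gpc_signal_present(headers: dict) -> bool:
    """Return True only for an affirmative Sec-GPC header.

    The GPC specification defines exactly one affirmative value, "1".
    Anything else (absent, "0", "true", "yes") is treated as no signal.
    HTTP header names are case-insensitive, so normalise before lookup.
    """
    normalised = {k.lower(): v.strip() for k, v in headers.items()}
    return normalised.get("sec-gpc") == "1"


def apply_opt_out_signal(record: ConsumerRecord, headers: dict) -> ConsumerRecord:
    """Record an opt-out of targeted advertising and sale when the signal is present.

    The statutory duty applies to Connecticut residents, so the signal is
    only treated as a statutory request for them here; a controller may of
    course choose to honour it for everyone.
    """
    if record.is_ct_resident and gpc_signal_present(headers):
        record.opted_out |= OPT_OUT_PURPOSES
    return record


def may_process(record: ConsumerRecord, purpose: str) -> bool:
    """Gate a processing purpose against the consumer's recorded opt-outs.

    Purposes outside the opt-out right (e.g. fulfilling an order) are not
    affected; the two covered purposes are blocked once opted out.
    """
    if purpose not in OPT_OUT_PURPOSES:
        return True
    return purpose not in record.opted_out


# Constructed sample requests (consumer id, CT resident?, request headers).
SAMPLE_REQUESTS = [
    ("alice", True, {"Sec-GPC": "1"}),   # CT resident, affirmative signal
    ("bob", True, {"sec-gpc": "1"}),     # lower-case header name, still valid
    ("carol", True, {"Sec-GPC": "0"}),   # explicit non-signal
    ("dave", True, {}),                  # no signal at all
    ("erin", False, {"Sec-GPC": "1"}),   # signal, but not a CT resident
]


def run_sample() -> dict:
    """Evaluate each sample request; returns {consumer_id: (ads_allowed, sale_allowed)}."""
    results = {}
    for consumer_id, resident, headers in SAMPLE_REQUESTS:
        record = apply_opt_out_signal(ConsumerRecord(consumer_id, resident), headers)
        results[consumer_id] = (
            may_process(record, TARGETED_ADVERTISING),
            may_process(record, SALE),
        )
    return results


if __name__ == "__main__":
    for cid, (ads, sale) in run_sample().items():
        print(f"{cid}: targeted advertising={'allowed' if ads else 'blocked'}, "
              f"sale={'allowed' if sale else 'blocked'}")
```

Two details matter in practice: the check accepts only the exact value `1`, because a loose check such as "header present" would turn an explicit `Sec-GPC: 0` into an opt-out, and the recorded opt-out persists on the consumer record rather than being re-derived per request, so a later request without the header does not silently re-enable targeted advertising or sale.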

Time Period to Fulfill DSR Request: SB6 also sets out responsibilities that controllers must meet when handling consumer requests:

  • The controller must describe in its privacy notice how consumers can exercise their rights and what methods they can use to do so.
  • The controller must respond to the consumer, either fulfilling or declining the request, without undue delay and no later than 45 days after receiving it.
  • The controller may extend the response period by an additional 45 days where reasonably necessary because of the complexity or number of requests, provided it notifies the consumer of the extension and the reason for it within the initial 45-day period.

Charges: Information provided in response to a consumer request must be provided free of charge once per consumer during any 12-month period. If requests are manifestly unfounded, excessive, or repetitive, the controller may charge a reasonable fee to cover the administrative costs of complying with the request, or may decline to act on it.

  • If a controller cannot authenticate a request to exercise any of the rights under the act using commercially reasonable efforts, the controller is not obligated to comply and may request additional information reasonably necessary to authenticate the consumer and the request.
  • A controller may deny an opt-out request if it has a good-faith, reasonable, and documented belief that the request is fraudulent. In that case, the controller must send a notice to the person who submitted the request explaining that the request was denied as fraudulent.

Appeal Against Refusal: A controller must establish a conspicuously available process for a consumer to appeal the controller's refusal to take action on a request, within a reasonable period after the consumer receives the decision.

6. Regulatory Authority

Under the Act, the Attorney General (AG) has exclusive authority to enforce its provisions. Senate Bill 6 further details how enforcement will be phased in.

Between July 1, 2023, and December 31, 2024: before taking any action under SB6, the Attorney General must issue a notice of violation to the controller or processor if the AG determines that a cure is possible. If the violation is not cured within 60 days of the notice, the Attorney General may bring an enforcement action.

No later than February 1, 2024: the AG must submit a report to the General Assembly detailing the number of notices of violation sent, the nature of those violations, and the number of violations cured during the 60-day cure period.

Beginning January 1, 2025: the AG may, at its discretion, grant a controller or processor an opportunity to cure a violation before bringing an action, after considering factors such as the number of violations, the size and complexity of the business, and the nature of the processing involved.

7. Any Important Exemptions

The Act includes a number of substantive exemptions: nothing in the act restricts a controller's or processor's ability to:

  • Comply with federal, state, or municipal ordinances or regulations;
  • Cooperate with law enforcement agencies concerning conduct or activity; 
  • Investigate, establish, exercise, prepare for or defend legal claims; 
  • Provide a product or service specifically requested by a consumer; 
  • Perform contractual obligations with a consumer, including fulfilling the terms of a written warranty; 
  • Protect an interest that is essential for the life or physical safety of the consumer or another individual;
  • Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, and malicious activities;
  • Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to applicable ethics and privacy laws, provided the research has substantial benefits that do not accrue exclusively to the controller, its expected benefits outweigh the privacy risks, and the controller has implemented reasonable safeguards to mitigate those privacy risks, including the risk of re-identification;
  • Assist another controller, processor, or third party with the fulfillment of any of the obligations under this act;
  • Process personal data for reasons of public interest in the area of public health, community health, or population health;
  • Collect, use or retain data for internal use to improve or repair products, services, or technology, effectuate a product recall, or identify and repair technical errors that impair existing or intended functionality. 

Moreover, the obligations imposed on controllers or processors under SB6 shall not apply where compliance by the controller or processor with the provisions of this act would violate an evidentiary privilege under the laws of the State of Connecticut.

8. Penalties For Non-Compliance

A violation of Connecticut Senate Bill 6 constitutes an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA). Under CUTPA, the Attorney General may seek civil penalties of up to $5,000 per willful violation.

The Attorney General may also seek equitable remedies available under CUTPA, including restitution, disgorgement, and injunctive relief.

9. How an Organization Can Operationalize the Law

Complying with SB6 may pose challenges for organizations. The following steps help build a foundation for compliance:

  • Streamline and automate your DSR fulfillment framework to speed up consumer verification, personal data linking to its owner, and timely fulfillment processes.
  • Conduct a regular data protection impact assessment to avoid any significant harm to the consumers via the processing of their personal data.
  • Have pre-built privacy notice templates ready, built on the relevant jurisdictional laws that are applicable to the business.
  • Provide clear opt-out signals on the official website for consumers who wish to exercise their right to opt-out of sharing or disclosing their personal information.

10. How Securiti Can Help

Securiti is a global leader in privacy management, enabling organizations to streamline their compliance practices, optimize data security, and strengthen governance. With its AI-driven robotic automation, Securiti helps you automate your data protection impact assessments, real-time data mapping, DSR fulfillment, privacy notice management, breach notification management, and universal consent management.

Request a demo to see Securiti in action and learn more about how the solution can assist you in meeting compliance.
