Connecticut is the latest addition to the growing list of US states that have enacted consumer data privacy legislation. The Connecticut Senate voted 35-0 (with one abstention) to pass Senate Bill 6, ‘An Act Concerning Personal Data Privacy and Online Monitoring’, and sent it to the House of Representatives, which passed it as well.
Connecticut Senate Bill 6 (SB6) is broadly modeled on the recently enacted Colorado Privacy Act (CPA). However, a few differences set SB6 apart, such as greater privacy rights for children. Like most other privacy laws, SB6 gives consumers greater control over and transparency into the processing of their personal data, including better visibility into who processes and shares it.
The act was signed into law by Gov. Ned Lamont, D-Conn., on May 10, 2022, and goes into effect on July 1, 2023. Below is a quick analysis of the significant provisions of Connecticut Senate Bill 6.
Like most other privacy laws, SB6 defines which personal data falls within its scope, which data is exempt from processing requirements, and the thresholds at which a business (controller) becomes subject to the act.
SB6 will apply to all personal data that can be identified or linked to an identifiable individual, with the exception of de-identified data or publicly available information.
However, SB6 outlines certain types of data to which the law doesn’t apply, including but not limited to:
SB6 will apply to businesses that are operating in the state of Connecticut or offering goods and services targeted to Connecticut residents that during the preceding year:
The provisions of the law do not apply to:
Consumer means any resident of the state of Connecticut whose personal data or sensitive personal data is collected or processed.
A controller is any individual or legal entity that determines the purpose and means of processing a consumer’s personal or sensitive personal data.
A processor is any individual or entity that processes personal or sensitive personal data on a controller’s behalf.
A third party is any individual or entity other than the consumer, controller, or processor.
Personal data is any data that is reasonably linkable to an identified or identifiable natural person. It does not include de-identified data or publicly available information.
Sensitive data is personal data such that:
Dark pattern refers to:
The SB6 establishes a list of several obligations that controllers and processors must duly comply with. Here’s a quick look at some of the key obligations under SB6:
Under SB6, organizations or data controllers must make sure that the personal data or sensitive personal data of a consumer is processed while complying with the following guidelines:
The Act states that controllers should also not discriminate against a consumer for exercising any of their rights contained in the act by denying them goods or services, charging them different prices, or providing a different level of quality of goods and services.
However, this does not prohibit a controller from offering a distinct rate (including discounts or product/service at no fee), quality, or selection of a product or service to the consumer, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.
Connecticut SB6 provides a comprehensive definition of consent, which must be affirmative, freely given, clear, informed, and unambiguous. Controllers must also provide an effective mechanism for a consumer to revoke consent that is at least as easy to use as the mechanism through which the consumer gave it. Upon revocation, the controller must cease processing the data as soon as practicable, and no later than fifteen days after receiving the revocation request.
Moreover, SB6 prohibits organizations from using any dark patterns for consent. It defines dark patterns as user interfaces designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.
As per the Connecticut consumer privacy act, it is the responsibility of a controller to present a clear and accessible privacy notice on their website or application informing consumers about
SB6 mandates that a contract between a controller and a processor govern the processor's data processing procedures with respect to processing performed on the controller's behalf. The contract shall be binding and clearly set forth the instructions for processing data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties.
The contract shall also require that the processor:
Moreover, SB6 requires controllers to conduct and document a data protection assessment for each processing activity that presents a “heightened risk” of harm to a consumer. The act lists the kinds of processing that present such a risk, such as:
The data protection assessment may take into account any reasonable expectation of the consumer, use of any de-identified data, or the context of processing and relationship between the controller and the consumer whose personal data is to be processed.
SB6 further requires controllers to make their data protection assessments available to the Attorney General on request. Such assessments remain confidential and are exempt from disclosure under the Connecticut Freedom of Information Act. Where an assessment disclosed to the Attorney General contains information subject to attorney-client privilege or work product protection, the disclosure does not constitute a waiver of that privilege or protection.
Data protection assessments are required for processing activities created or generated after July 1, 2023.
Data subject rights are one of the most important components of every privacy law, and Connecticut SB6 is no exception. Senate Bill 6 provides five data subject rights that are commonly available under most other privacy laws:
The data subject (consumer) has the right to confirm whether or not a controller is processing the consumer's personal data and to access that data, unless such confirmation or access would require the controller to reveal a trade secret.
The right to correct enables data subjects to request the business to fix any inaccuracies in the personal data they have collected on the consumer. However, this right is subject to the nature of the personal data which is collected and the purpose of its processing.
The data subject can ask the business to delete their personal data, which is provided by or obtained about the consumer.
The data subject has the right to obtain a copy of their personal data from the business in a portable and readily usable format, and in a manner that makes it feasible for the consumer to forward the data to any other controller or business without any hindrances.
The consumer has the right to opt-out from the processing of their personal data if the processing is made for the purpose of:
Means to Submit DSR Request: The consumer has the right to designate an authorized agent to exercise the right to opt out of processing on their behalf. More importantly, the opt-out mechanism must be clear, direct, and consumer friendly.
The Act also states that the controller should recognize and honor a global opt-out preference signal received from a platform, technology, or mechanism with the consumer's consent. It is to be noted, however, that these platforms should:
Time Period to Fulfill DSR Request: SB6 further outlines a set of responsibilities on the end of the controller that they must comply with regard to data requests by consumers, such as:
Charges: Information provided in response to a consumer request shall be provided by a controller, free of charge, once per consumer during any 12-month period. If the consumer requests are manifestly unfounded, excessive, or repetitive, then the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.
Appeal Against Refusal: A controller shall establish a process for a consumer to appeal the controller's refusal to take action on a request within a reasonable period of time after the consumer's receipt of the decision.
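The global opt-out preference signal described above is, in practice, a request header sent by the consumer's browser. The following is an added example, not code from the article or from Securiti, of how a controller's backend could honor that signal alongside opt-outs the consumer submitted directly (or through an authorized agent). It assumes the signal is the Global Privacy Control header `Sec-GPC: 1`; the purpose tags, the in-memory consumer record, and the rule that a browser-wide signal covers targeted advertising and sale but that a profiling opt-out must be requested explicitly are all assumptions made for the example.

```python
"""Honoring a global opt-out preference signal alongside stored consumer choices.

Added example (not the article's or Securiti's code). Assumptions: the signal is
the Global Privacy Control request header `Sec-GPC: 1`; the purpose tags and the
in-memory preference store are hypothetical.
"""
from dataclasses import dataclass, field

GPC_HEADER = "sec-gpc"   # header names are case-insensitive; compare lower-cased
GPC_OPT_OUT = "1"        # the only value the GPC specification defines

# Purposes a consumer may opt out of under SB6 (these tag strings are hypothetical).
TARGETED_ADVERTISING = "targeted_advertising"
SALE = "sale"
PROFILING = "profiling"
OPT_OUT_PURPOSES = frozenset({TARGETED_ADVERTISING, SALE, PROFILING})

# Assumption for this example: a browser-wide signal is treated as an opt-out of
# targeted advertising and sale; an opt-out of profiling is only taken from an
# explicit consumer request recorded in the store.
SIGNAL_PURPOSES = frozenset({TARGETED_ADVERTISING, SALE})


def gpc_signal_present(headers):
    """Return True only for a request carrying `Sec-GPC: 1` (any header case)."""
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == GPC_OPT_OUT
    return False


@dataclass
class ConsumerRecord:
    """Stored opt-out choices for one consumer (hypothetical in-memory store)."""
    consumer_id: str
    opted_out: set = field(default_factory=set)


def record_opt_out(record, purposes):
    """Apply an explicit opt-out request, e.g. one submitted by an authorized agent."""
    unknown = set(purposes) - OPT_OUT_PURPOSES
    if unknown:
        raise ValueError(f"not an opt-out purpose: {sorted(unknown)}")
    record.opted_out |= set(purposes)
    return record


def effective_opt_outs(record, headers):
    """Union of stored choices and whatever the request's global signal implies."""
    opt_outs = set(record.opted_out)
    if gpc_signal_present(headers):
        opt_outs |= SIGNAL_PURPOSES
    return opt_outs


def decide(record, headers, requested_purposes):
    """Map each requested purpose to ('allow', reason) or ('block', reason).

    The reason is kept so the decision can be logged for an audit or an appeal.
    """
    blocked = effective_opt_outs(record, headers)
    decisions = {}
    for purpose in requested_purposes:
        if purpose not in blocked:
            decisions[purpose] = ("allow", "no opt-out on file or in request")
        elif purpose in record.opted_out:
            decisions[purpose] = ("block", "explicit consumer opt-out")
        else:
            decisions[purpose] = ("block", "global opt-out preference signal")
    return decisions


if __name__ == "__main__":
    # Constructed request: a browser sending the GPC signal.
    headers = {"Host": "example.test", "Sec-GPC": "1"}
    consumer = ConsumerRecord("consumer-123")
    wanted = [TARGETED_ADVERTISING, PROFILING, "order_fulfilment"]
    for purpose, (verdict, why) in decide(consumer, headers, wanted).items():
        print(f"{purpose:22} {verdict:5} ({why})")
```

Two design points are worth noting. Only the exact value `1` is treated as a signal; an absent or malformed header must not be read as consent to anything, but it is equally not an opt-out. And the decision keeps its reason, because the act gives the consumer a right to appeal a refusal and gives the Attorney General the ability to ask how a request was handled, so a bare allow/block flag is not enough to reconstruct what happened.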
Under the Act, the Attorney General (AG) has exclusive authority to enforce its provisions. Senate Bill 6 further details how enforcement will be phased in.
Between July 1, 2023, and December 31, 2024: before taking any action under SB6, the Attorney General must send a notice of violation to the controller if the AG believes a cure is possible. If the controller fails to cure the violation within 60 days, the Attorney General may bring an action for the violation.
By February 1, 2024: the AG shall submit a report to the General Assembly detailing the number of notices of violation sent, the nature of the violations, and the number of violations cured during the 60-day cure period.
The Act includes some substantive exemptions, where no provisions in the act can be used to restrict a controller's or processor's ability to:
Moreover, the obligations imposed on controllers or processors under SB6 shall not apply where compliance by the controller or processor with the provisions of this act would violate an evidentiary privilege under the laws of the State of Connecticut.
Connecticut Senate Bill 6 provides that a violation of the act constitutes an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA), which carries civil penalties of up to $5,000 per willful violation.
In this case, the attorney general may also seek to impose equitable remedies pursuant to the CUTPA, including restitution, disgorgement, and injunctive relief.
Complying with SB6 may pose challenges for organizations. The following are important steps businesses should take to build a foundation for compliance:
Securiti is a global leader in privacy management, enabling organizations to streamline their compliance practices, optimize data security, and strengthen governance. With its AI-driven robotic automation, Securiti helps you automate your data protection impact assessments, real-time data mapping, DSR fulfillment, privacy notice management, breach notification management, and universal consent management.
Request a demo to see Securiti in action and learn more about how the solution can assist you in meeting compliance.