Connecticut’s newly enacted consumer privacy law will mean a new headache for companies tasked with complying with similar, but not identical, compliance requirements across multiple states, attorneys say.
The law, signed by Gov. Ned Lamont (D) on May 10, gives Connecticut residents the right to opt out of the processing and sale of their personal data and the right to ask that it be deleted. It also requires companies to limit the collection of personal data to that which is “adequate, relevant, and reasonably necessary.”
The bulk of the law will take effect July 1, 2023.
California, Virginia, Colorado, Utah, and Connecticut are so far the only US states to have passed comprehensive consumer privacy legislation. This growing national patchwork complicates business compliance and leaves companies open to a strong possibility of multi-state investigations and enforcement down the line, attorneys say.
Though not as expansive as California’s consumer privacy legislation, Connecticut’s measure extends strong privacy protections to minors and state residents, they say.
It continues a trend of states stepping up in the absence of federal action, said David Saunders, a partner at McDermott Will & Emery in Chicago.
“The thing that continues to frustrate clients is that each of these state laws are at least a little bit different,” Saunders said. “These laws aren’t three pages long—they’re 20, 30 pages—and the real rub is finding the differences between them to make sure you’re meeting all the requirements.”
Consumer privacy laws in the US contain carve-outs for certain institutions, such as universities and nonprofits, or for certain types of data, such as health or financial information. But the wording of each exemption varies by state, as do thresholds governing each law’s reach, making it difficult for some businesses to find out whether they’re actually impacted by privacy legislation, Saunders said.
Putting the laws into practice—making consumers’ rights easily accessible, for example—is another major problem stemming from the country’s patchwork system, said Daniel Goldberg, a partner at Frankfurt Kurnit Klein & Selz PC in Los Angeles.
California, Colorado, and Connecticut consider a “sale” of personal data to be an exchange with monetary or “other valuable” consideration. Those states also will require businesses to honor universal opt-out signals, which allow consumers to express privacy preferences to all websites, instead of having to submit them site by site.
Utah and Virginia, on the other hand, only consider a sale to include exchanges for monetary consideration and businesses there are not required to honor universal opt-outs.
Adding functionality for that type of tool to websites can be a challenge, Goldberg said, especially with such differences.
“This is one area where I’m hopeful California will clarify specifics with regulations, and there’s a good chance other states could follow suit,” Goldberg said.
The Connecticut privacy law includes stronger consumer protections than were included in last year’s draft bill, but they were balanced with input from the business sector to make sure they’re able to comply, said Connecticut state Sen.
Maroney said his team met regularly with companies, lawmakers from Colorado and other states, as well as with the Connecticut Attorney General’s office and privacy advocacy groups.
“Strong privacy protections are in businesses’ best interest,” he said. “When people are more comfortable with their data and know what’s going on, they’re more likely to share.”
The Connecticut law requires opt-in consent for the processing of children’s sensitive data and requires that the processing be done in accordance with the federal Children’s Online Privacy Protection Act, which applies to those under 13. It goes further by prohibiting companies from processing the data of minors known to be ages 13 to 16 for purposes of targeted advertising and from selling it without consent.
“You’re seeing a lot more interest and energy going into reviewing bills and legislation that affects children’s privacy,” said Robyn Mohr, senior counsel at Loeb & Loeb LLP in Washington, D.C. “Connecticut is raising the bar in a meaningful way here.”
The new law defines “biometric data” in a similar fashion to Virginia and Utah, which isn’t as comprehensive as the definition in California’s statute, said Maria Nava, an associate at Frankfurt Kurnit Klein & Selz P.C. in Los Angeles.
“There are exceptions in the law that weren’t originally in the bill, like photographs and audio recordings,” Nava said.
The Connecticut law states that consent doesn’t include agreement obtained through the use of “dark patterns,” which it defines as user interfaces designed or manipulated with the effect of subverting or impairing user autonomy, decision-making, or choice. Its definition includes practices the Federal Trade Commission considers dark patterns.
“This is unique and important—dark patterns have been a source of concern,” said Michelle Reed, a partner at Akin Gump Strauss Hauer & Feld LLP in Dallas. “This is going to be an area where we’ll see some real enforcement down the line.”
The new measure doesn’t include a private right of action, instead leaving enforcement to the Connecticut Office of the Attorney General.
The passage of a fifth state with comprehensive consumer privacy legislation may lend itself to collaboration and enforcement actions coordinated among state attorneys general, said Natasha Kohne, a partner at Akin Gump in San Francisco.
The AG office’s data privacy unit is “well known and engaged,” and is likely to hit the ground running once enforcement commences, Kohne said. But Connecticut has a cure period—allowing businesses to remedy potential violations before the attorney general can bring an enforcement action—that doesn’t “sunset,” or expire, until Dec. 31, 2024.
Cure periods in the California and Colorado laws are also set to sunset, though California will retain one with respect to the law’s private right of action. Cure periods in the Virginia and Utah laws do not have sunset dates.
State attorneys general are unlikely to launch multi-state investigations until the cure periods expire, Kohne said.
“Once the cure period falls away, companies may not have an opportunity to come into compliance,” she added. “We may then very well see an uptick in enforcement actions and collaborations across states.”
Unlike the California Privacy Rights Act, which created a standalone privacy agency tasked with rulemaking, the Connecticut measure doesn’t establish a regulator or call for rules. The Connecticut attorney general isn’t tasked with rulemaking either, as is the case in Colorado.
But it does convene a task force in the General Assembly, Goldberg said. The topics for exploration range from algorithmic decision-making to children’s privacy.
“The findings could be considered for future tweaks or future laws,” he said.
The new law’s enactment is a reminder that companies need to wrap their arms around the data they collect so they’re in a position to comply with upcoming regulations within the privacy sphere and beyond, Mohr said.
“You need a team—with folks from the business side, technical side, in-house—that really understands the data flows of an organization,” Mohr said.