Connecticut Governor Lamont signed S.B No. 6, An Act Concerning Personal Data Privacy and Online Monitoring, into law in the second week of May 2022, making Connecticut the fifth state in the U.S. to enact such a law. Before we go any further, this is our obligatory disclaimer that we are not lawyers and what we present in this article does not equate to legal advice or a legal opinion. If you’re an organization or consumer who has questions about this law, we strongly recommend that you contact an attorney who is knowledgeable about data privacy laws. Here is the FULL TEXT OF THE LAW.
Now that that’s out of the way, let’s take a very cursory look at this law.
Effective Date: July 1st, 2023
Who this affects
There are two thresholds.
1. Businesses that controlled or processed the personal data of 100,000 or more Connecticut residents, excluding data needed to process payment transactions.
2. Businesses that controlled or processed the personal data of 25,000 or more Connecticut residents “… and derived more than twenty-five per cent of their gross revenue from the sale of personal data.”
How personal data is defined
“‘Personal data’ means any information that is linked or reasonably linkable to an identified or identifiable individual. ‘Personal data’ does not include de-identified data or publicly available information.”
As for entities this law doesn’t affect, we suggest reading the act in full for a better understanding. From what we can glean, a few kinds of entities are exempt, such as those that must abide by HIPAA or COPPA and financial institutions subject to the Gramm-Leach-Bliley Act. Again, please read the full text of the act for more detail.
Your rights as a consumer
- Confirm whether an organization is processing your data and access it. The controlling organization won’t have to honor the request if it would reveal a trade secret of theirs.
- Correct inaccuracies in your data.
- Delete your personal data.
- Obtain a copy of your data.
- Those that control the data have 45 days to respond after they receive your request. If the controller of the data needs to extend the response period, they must do so within the initial 45-day response period and include the reason for the extension.
- If the controller of the data declines your request, they must do so within 45 days, provide their justification, and include instructions on how to appeal.
- As a consumer you may make one request per 12 months. For more than that, the data controller can charge a “reasonable fee.”
Section 6 of the act outlines what the data controller must do and provide for the consumer. We provide only partial information here, so please read the text of the law in full.
Regarding data controllers
If your organization is one that needs to comply with this law, some of the things you must do and provide are:
- Limit the personal data you collect to what is needed to carry out business functions.
- Ensure that proper security controls are in place to protect the data you’re responsible for. This includes administrative, technical, and physical controls. More on this later.
- Don’t process sensitive data without the consumer’s consent; if the consumer is a minor, the data must be processed in accordance with COPPA.
- Processing of personal data must not discriminate against CT residents.
- You must provide an easy way for a consumer to revoke consent. You have no more than 15 days to stop processing someone’s personal data upon receipt of their request.
- You must not process personal data for the purpose of targeted advertising or sell it without the consumer’s consent.
- As of January 1st, 2025, you must provide a way for a consumer to opt out of any processing or sale of their personal data.
Some highlights of other sections in the law
- Section 7 of the law pertains to an entity that processes data for a data controller and the obligations they must meet.
- Section 8 states that the data controller must conduct a data protection assessment of their processing activities and have it documented.
- Section 11 discusses enforcement of the law by the Connecticut Attorney General. Of note, if the Attorney General determines that a data controller has violated the law, a notice of violation will be issued. The data controller in violation has 60 days to make proper fixes. If the data controller fails to do so within 60 days, the Attorney General may bring legal action.
There are 12 sections in this law in total. What’s provided in this article is a brain dump of points we see as important or interesting. As we’ve said throughout this article, please read the entirety of this law and talk to an attorney if you have any questions about it.
We mentioned above that this law requires you, as a data controller, to have proper security controls in place to protect the data you’re processing. Connecticut’s cybersecurity law, Public Act 21-119, An Act Incentivizing the Adoption of Cybersecurity Standards For Businesses, dovetails nicely with this new law. We wrote about it here in July of 2021, and since it deals with cybersecurity frameworks, we also wrote an article about those, which you can read here.
For those that are required to follow this data privacy law, here are the ways we help:
- External risk/threat assessments. Some of the things we look for are security holes in your publicly facing digital assets, data leaks, and data breaches. You’ll receive a report of any findings and ways to get any issues under control.
- With regard to cybersecurity frameworks, we help guide you through the adoption of them and take on the role of advisor, if that is the help you seek.
We hope this was informative for you and would love to hear your thoughts on this law or any corrections needed. Let us know in the contact form below and the same goes if you’re looking for help.
Lastly, sign up for our free cybersecurity and intelligence newsletter to get news, tips, tricks, tools, upcoming events, and some fun OSINT challenges. Here is the URL for that https://bsquaredintel.com/newsletter-signup/