How does the new Connecticut Data Privacy Act compare to other state laws?
Both the Connecticut House of Representatives and Senate have approved the new Connecticut Data Privacy Act (CTDPA) as of April 28. From a thorough review, the bill seems to be stronger than some other recent state privacy laws. I took the time to compare its requirements with those of the other passed state privacy laws.
Despite its strengths, there are still a few places where the Connecticut law falls behind or matches the laws of California, Colorado, Utah, and Virginia.
The scope, or applicability, for the new Connecticut privacy law includes businesses operating in the state and either maintaining 100,000 consumers’ personal information per year or 25,000 consumers’ information with 25% of gross revenue from the sale of personal information. Laws with more broadly applying scopes would be the Colorado Consumer Protection Act (ColoPA), which doesn’t specify a percentage of gross revenue from sale, and the California Privacy Rights Act (CPRA), which has an overall gross revenue as another way that businesses could become subject.
Data Protection Impact Assessments (DPIAs)
California, Colorado, and Virginia have requirements that Data Protection Impact Assessments (DPIAs) be performed when processing minors’ data and/or processing for the purpose of profiling, neither of which can be found in the Connecticut law. A DPIA is a process by which companies systematically evaluate and determine the privacy and data protection impacts of the products and services offered and find appropriate actions to mitigate the risk of those impacts. This is probably an effort on these lawmakers’ parts to reflect the EU General Data Protection Regulation, which requires DPIAs where a new product or service may result in a high risk to the rights and freedoms of individuals.
Another area where the CTDPA falls short is in breach notification requirements. The laws for Virginia, Utah, and Colorado include a stipulation for the business to provide notification to data subjects once a breach has occurred, while the Connecticut law doesn’t include breach notifications. This doesn’t mean that Connecticut has no breach law, however—in fact, the Connecticut General Statute regarding data privacy breaches was updated late last year with a time period of 60 days for notification. Colorado, in comparison, only allows 30 days for data subject notification.
The CTDPA is being viewed as a strong privacy law by experts. International Association of Privacy Professionals Staff Contributor Joseph Duball suggested in a recent article that the law falls “somewhere between frameworks in Colorado and Virginia,” also quoting Husch Blackwell Partner Dave Stauss, CIPP/E, CIPP/US, CIPT, FIP, PLS saying that the law is stronger than Virginia’s and Utah’s laws. Connecticut’s new privacy law does stand out in terms of the rights to request data deletion data and consent withdrawal.
One new idea for US state laws introduced by the CTDPA is the data subject’s explicit right to request that data collected about them, and not from them, be deleted. Data collected about a data subject could be scraped from their internet profiles or purchased from another party. This data subject right is not provided by any of the other state privacy laws. Most only require that a business make it possible to delete the data they collected from the data subject.
The Connecticut law expands the right to withdraw consent, as seen also in CPRA and ColoPA, which specify that a data subject be able to withdraw or revoke their consent for certain types of processing. CTDPA, however, doesn’t limit withdrawing consent to any specific processing, so the data subjects are to be given the right to withdraw consent for whatever processing purposes for which consent is originally provided.
It remains to be seen if upcoming new laws choose to take these new ideas or even build on top of them.
If you need help getting caught up with US law compliance in general or related to the passing of this law, check out our consulting services.