Connecticut moves closer to becoming fifth state with data privacy law
Connecticut moved closer to becoming the fifth U.S. state to pass privacy law after the Connecticut General Assembly on Thursday introduced a bill that would provide residents with basic privacy rights.
SB 6 – dubbed “An Act Respecting Personal Data Privacy and Online Surveillance” – is now heading to Governor Ned Lamont’s office. A spokesperson for Lamont told The Record that he “appreciates the intentions behind the bill.”
“We are not immediately aware of any concerns, but as always, the governor and his staff will need to carefully review the bill once it is forwarded to our office,” the governor’s spokesperson said.
If signed, Connecticut would follow California, Virginia, Colorado and Utah as states to create their own privacy law instead of federal action on the issue.
Connecticut’s bill — which would take effect July 1, 2023 — resembles privacy laws passed in Colorado, Virginia and Utah in that it allows residents to opt out of sales, targeted advertising and profiling. By 2025, companies will be required by law to recognize opt-out preference signals for targeted advertising and sales.
Websites and businesses must now obtain consent to process sensitive data and must offer Connecticut residents ways to revoke that consent. Organizations will have no more than 15 days to stop data processing as soon as consent is revoked, as required by law.
Parental consent is required for any website to collect personal data from children under the age of 13, but companies are prohibited from collecting personal data and using advertising targeted at children between the ages of 13 and 16. .
The bill requires companies to honor browser privacy signals, like Global Privacy Control, so consumers can opt out of data sales across all companies in one step.
Keir Lamont, senior counsel for the Future of Privacy Forum, added that Connecticut’s proposed privacy law goes beyond existing state privacy laws by “directly limiting the use of facial recognition technology, establishing default protections for teen data and enhancing consumer choice, including requiring recognition.” many global opt-out signals.
“Nevertheless, federal privacy law remains necessary to ensure that all Americans have strong basic protections for the handling of their personal information,” Lamont said.
The law also joins California and Colorado in adding sunset clauses to the “right to heal” – a term used to describe a process in which companies have a set period of time to repair violations before action is taken. enforcement may be taken or legal proceedings may be instituted.
The “right to heal” provisions are a hotly debated topic and have been one of the cornerstones on which several privacy bills have failed in state legislatures across the country. .
Consumer Reports, which worked with Connecticut lawmakers on their bill, called the “right to heal” provisions of most card privacy laws a “free jail break” for consumers. companies that violate consumer privacy.
Connecticut’s right to remedy the provision expires on December 31, 2024. Colorado’s provision expires on January 1, 2025 while California’s expires on January 1, 2023. Once these provisions expire, states will be able to take enforcement action against organizations that violate the law.
“Through joint enforcement, the 3Cs of state privacy law will be in a unique position to dictate the future of US privacy law (assuming the continued absence of federal law). That won’t be the case with VA and UT where monitors will always be able to remedy breaches,” said attorney David Stauss, who is chair of the privacy and cybersecurity practice group at law firm HuschBlackwell.
“There is more to do. SB6 is establishing a privacy working group that will analyze a number of issues and provide a report by September 1, 2022.”
Several states have spent years trying to pass their own privacy laws due to the lack of any movement on privacy legislation at the federal level. Calls for a federal privacy law have grown since the European Union’s General Data Protection Regulation took effect in 2018, which served as a model for similar laws. in Japan, Brazil, South Korea and elsewhere.
New York, Texas, Washington and dozens of other states have run into trouble passing their own privacy laws due to backlash from companies who complain the bills will create a significant amount of extra work for any business with a website.