On May 10, 2022, Connecticut made history as it became the 5th state in the US to enact comprehensive consumer privacy legislation. This was made possible through the signing of Senate Bill 6, referred to as the “Act Concerning Personal Data Privacy and Online Monitoring” by the Governor Ned Lamont. The provisions of this law will take effect on July 1, 2023, giving organizations just over a year to become compliant.

Connecticut Privacy Law Highlights

This legislation includes a range of rights, obligations and exceptions that are similar to the existing consumer privacy laws of California, Colorado, Utah, and Virginia. The law borrows heavily from the laws of Colorado and Virginia, with several provisions mimicking or falling between these two laws. However, there are a few unique aspects that organizations should consider when working towards compliance.

The scope of the Connecticut law is similar to the frameworks of Virginia and Colorado, with some important differences. It applies to entities that conduct business or provide products or services targeted towards residents of Connecticut. These entities must have either controlled or processed the personal data of at least 100,000 consumers in the previous calendar year, excluding data processed for payment transactions, or controlled or processed the personal data of at least 25,000 consumers and generated over 25% of their gross revenue from the sale of personal data. The threshold for revenue generated from data sales falls between the Virginia and Colorado laws, making it slightly narrower than Colorado but broader than Virginia.

It is important to note that the Connecticut privacy law does not include an annual revenue threshold, meaning that an entity’s compliance with the law is not dependent on its annual revenues. This differs from the California Consumer Privacy Act and Utah Consumer Privacy Act, which include such thresholds.

When evaluating the scope of this law, organizations should be aware of key definitions. The law defines a “consumer” as a resident of Connecticut and explicitly excludes individuals who act in a commercial or employment context. The definition of “sale of personal data” includes the exchange of personal data for monetary or other valuable consideration to a third party and is broader than the definitions in Virginia and Utah. The definition of “personal data” excludes de-identified data or publicly available information, which is in line with the definitions used in Virginia and Colorado.

Not sure if you’re in compliance with these new regulations? Contact us today for expert help with all your privacy compliance needs.