Connecticut became the fifth state to pass comprehensive privacy legislation this month after the enactment of Senate Bill 6.
The law is more consumer-friendly than recently passed laws in Virginia and Utah with an easier opt-out and consent mechanism.
The Connecticut law reveals a growing split between states taking a more business-friendly approach and those emphasizing ease to consumers.
Earlier this month, Connecticut became the fifth state to enact comprehensive privacy legislation when Governor Ned Lamont (D) signed SB 6 into law, joining California, Connecticut, Utah, and Virginia.
Provisions in Connecticut’s New Privacy Law
Like laws in other states, the Connecticut law gives consumers rights over their data — including the right to access their data; the right to correct and delete data; the right to obtain a copy of the data in a portable format; and the right to opt out of the processing of data for targeted advertising, sales to a third party, or profiling.
However, the Connecticut law gives consumers more protections than the Virginia and Utah models in a few key ways:
The Connecticut law requires businesses to implement an opt-out preference signal for consumers by 2025, and it does not require businesses to authenticate a request, instead permitting a controller to reject a request only if there is a good faith, reasonable, and documented belief that such request is fraudulent.
The law also requires businesses to provide an "effective mechanism" to revoke the consumer consent that is at least as easy as the mechanism by which the consumer provided the consent, with processing to stop "as soon as practicable" and not more than 15 days after receipt of the request.
The law, which goes into effect on July 1, 2023, applies to businesses holding the data of at least 100,000 consumers or that derive 25 percent of annual revenue from the sale of data belonging to at least 25,000 consumers. There is a 60-day right to cure that sunsets on December 31, 2024. The law is solely enforceable by the Connecticut Attorney General with no private right of action.
Privacy Legislation in Other States
The evolution of state privacy legislation has taken us from the consumer rights initially enumerated in California to a more sophisticated law in Virginia. Since then, states have either decided to take a more business-friendly approach as in Utah with numerous exemptions and a permanent right to cure, or they have taken a more consumer-friendly position as in Colorado and Connecticut with an emphasis on ease to the consumer and more of a burden on businesses, and a phased-out right to cure. There could be more iterations if states are eventually successful in pushing for tougher enforcement through a private right of action or opt-in requirements like recent stalled efforts in Florida and Oklahoma.