
Connecticut is among a handful of states stepping up efforts to protect the privacy of consumer data, with the passage of a new law raising plenty of questions and concerns for businesses both in and outside the state that target Connecticut consumers.
“Businesses are going to need to change their ways,” said Jeff Ziplow, a principal at accounting and consulting firm CLA in West Hartford, who specializes in cybersecurity and business risk services. “In the past, it’s been almost like a free-for-all in terms of businesses being able to capture any information they’ve wanted.”
The Connecticut Data Privacy Act (CDPA), signed into law on May 10, establishes rules for businesses operating in the state regarding how people’s data is collected and shared online. It also creates a new set of rights for consumers, giving them more control over their personal online data, including accessing, correcting and deleting it, even the option to opt out of data sales, targeted advertising and profiling.
“The Connecticut law is allowing consumers to say ‘I don’t want to be tracked across applications, I don’t want my personal data sold and I don’t want to be targeted by advertisers based on my activities on your website or others,’” said Marc Lombardi, a partner and chair of privacy, cybersecurity and data innovation at Hartford-based law firm Shipman & Goodwin LLP.
The state’s actions are a response to growing consumer awareness around their data privacy as well as the rising incidence of data breaches, when that sensitive data is stolen from a third-party vendor.
Nearly half of survey respondents to a recent Cisco Consumer Privacy Survey, for example, said they felt unable to protect their personal data today, citing companies not being clear about how they are using this data as the top reason. Most respondents also want their national or local governments to play a lead role with respect to protecting data privacy.
Besides Connecticut, five additional states — Virginia, Utah, Colorado, California and Nevada — have also passed privacy laws regulating how businesses buy, sell, license and share data, some with stricter parameters in place than others.
California consumers, for example, can pursue legal action for a breach of certain information. In Connecticut, the attorney general’s office will handle the enforcement of the CDPA through fines and other penalties.
Data privacy legislation is also underway in nine other states, according to the International Association of Privacy Professionals, including Massachusetts, New York and Rhode Island. There are also growing calls for a broader national data protection law that would supersede the patchwork of state actions.
“It’s seemingly inevitable that there will be a national privacy law that will supersede or pre-empt these different state laws,” said Russell Anderson, a business and technology attorney with law firm Pullman & Comley.
The new Connecticut law, which takes effect July 1, 2023, is creating a learning curve for legal experts, who say they are just beginning to receive calls from businesses concerned about whether they need to comply with its provisions.
“The law only came out in the last few weeks, so we’re all in the process of learning it,” Anderson said.
The CDPA applies to businesses that handle the data of at least 100,000 consumers annually, or that earn 25% of their annual gross revenue from selling the data of more than 25,000 consumers.
Handling data generated by 100,000 residents is common among many national and international companies operating in Connecticut and other states with existing privacy laws, said Anderson, and their leaders have largely brought their operations up to date to be compliant with the existing array of state statutes.
“For many national companies, the Connecticut law is like adding another asterisk,” said William Roberts, a partner in the Hartford office of Day Pitney LLP. “Many big companies subject to the Connecticut law are already subject to similar laws in other states.”
But CDPA is the first privacy law of its type passed in New England, Roberts noted. Regional businesses and those that operate only in-state should start evaluating the law’s thresholds, he said. Under that umbrella are businesses that sell goods or services directly to consumers through their websites, social media and mobile application platforms or other online marketing tools, he said.
How many Connecticut-based businesses will be impacted is uncertain, said Linn Freedman, chair of the data privacy and cybersecurity team at Robinson+Cole, a national law firm with offices in Hartford.
“Connecticut-based companies need to take a look at the law and determine whether or not it applies to them,” she said. “And if it doesn’t, they need to document that and keep watching the laws.”
Freedman also noted a potentially narrow group of businesses may fall under the law’s scope because of its many exemptions. The law doesn’t apply to nonprofits, state and local governments, higher education institutions, financial and healthcare institutions, among others. It also exempts 16 categories of data including specific information regulated by the Health Insurance Portability and Accountability Act, Fair Credit Reporting Act, and specific employee and job applicant data, among other categories.
Legal experts agree companies can begin to take steps to prepare for the new law before its implementation deadline next summer.
For example, the law essentially demands that companies devote sufficient resources to ensuring the privacy and security of consumer data.
“There’s a lot of detail behind it,” said Freedman.
A first step for businesses is to look at all their data governance policies and procedures both internally and outwardly facing, said Lombardi.
“They’ll need to ensure those comply with the rules in Connecticut — and potentially other jurisdictions — and can be operational between now and the compliance deadlines.”
Businesses, for example, are required to conduct and document a data protection assessment, essentially mapping what personal data is collected, its characteristics, and the potential security exposures created by sharing it with their third-party vendors.
Businesses may also need to reduce those data flows to meet the law’s data minimization requirements to include only information that is “adequate, relevant and reasonably necessary.” That’s a review process that can take up to six weeks for small businesses to many months for larger ones, said Ziplow.
“Lots of companies have third-party contracts and don’t know where that data is going and who is selling what,” he said.
While contracts with third parties will need to be reviewed and potentially rewritten to address the law’s data security protections, businesses may also need to refine existing information systems or consider outsourcing functions required to meet their obligations to respond to consumer requests regarding data access, deletion, portability and correction as well as set up new privacy dashboards accessible online or through mobile apps.
Upfront costs could be significant, including the need to hire an employee devoted to data privacy issues, for businesses to comply with the new law, legal experts agree.
“Complying with the law is going to take time, energy and potentially a big investment,” said Anderson.