On May 10, 2022, Connecticut became the fifth U.S. state with comprehensive consumer privacy legislation after Gov. Ned Lamont, D-Conn., signed Senate Bill 6, An Act Concerning Personal Data Privacy and Online Monitoring, into law. Most provisions of the law will go into effect alongside the Colorado Privacy Act July 1, 2023, giving organizations just under 14 months to come into compliance.
The law includes many of the same rights, obligations and exceptions as the consumer privacy laws already on the books in California, Colorado, Utah and Virginia. It draws heavily from Colorado’s law and the Virginia Consumer Data Protection Act — with many of the law’s provisions either mirroring or falling somewhere between the Colorado and Virginia laws — but contains a few notable distinctions that should be factored into an entity’s compliance efforts.
The scope of the Connecticut law adopts the same basic framework as Virginia and Colorado, but includes some important nuances. The law applies to entities that:
The scope of the law is slightly broader than Virginia’s and slightly narrower than Colorado’s, with its threshold for revenue derived from data sales falling between the Virginia law (50% of gross revenue) and the Colorado law (any revenue or discount). It is also important to note that the law explicitly excludes personal data controlled or processed solely to complete a payment transaction from the count toward its applicability thresholds. Thus, an entity that handles debit or credit card data only to the extent necessary to complete a sale will not be brought within the law’s scope on the basis of that data alone.
Notably absent from the Connecticut law is an annual revenue threshold. In practice, this means that, unlike under the California Consumer Privacy Act, an entity will not become subject to the law merely because of its annual revenues; and unlike under the Utah Consumer Privacy Act, entities need not exceed a minimum annual revenue to fall within the law’s scope.
When determining the scope of the law, it is important to consider a few key definitions. It defines “consumer” as a Connecticut resident and, like Virginia, Colorado and Utah, explicitly excludes individuals “acting in a commercial or employment context.” Thus, the personal data of such individuals can be omitted when entities evaluate the law’s applicability.
Additionally, the law defines the “sale of personal data” as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” Unlike Virginia and Utah — where a sale occurs when personal data is exchanged for monetary consideration only — the law adopts the broader CCPA- and Colorado-like definition that considers an exchange for “other valuable consideration” to also constitute a sale. The definition of “sale of personal data” also explicitly excludes certain disclosures, which follow those found in the Colorado law almost verbatim (e.g., disclosures to a processor or an affiliate of the controller, disclosures that a consumer directs the controller to disclose, etc.).
Like Virginia and Colorado, the Connecticut law’s definition of “personal data” explicitly excludes any deidentified data or publicly available information. “Publicly available information” means “information that (A) is lawfully made available through … government records or widely distributed media, and (B) a controller has a reasonable basis to believe a consumer has lawfully made available to the general public.”
The law also exempts certain types of entities and data from its requirements. The following six types of entities, irrespective of whether the data collected and processed would otherwise be subject to the law, are exempt from the law:
The law contains 16 categories of exempted data, including specific information regulated by HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act. Specific employee and job applicant data are also exempt.
Under the law, Connecticut consumers are provided five main rights. Notwithstanding a few deviations, these same rights are in the Virginia and Colorado laws.
Right to access. Consumers have the right to “confirm whether or not a controller is processing the consumer’s personal data and access such personal data.” However, unlike the Virginia law, it provides an exception to this right where “such confirmation or access would require the controller to reveal a trade secret.”
Right to correct. Consumers have the right to “correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.”
Right to delete. Consumers also have the right to “delete personal data provided by, or obtained about, the consumer.”
Right to data portability. When exercising their access rights, consumers have the right to “obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller shall not be required to reveal any trade secret.”
The data covered by the portability right is particularly notable. Under the Virginia law, the right is limited to consumer-provided data. Connecticut’s approach is closer to Colorado’s: consumers may obtain a copy of the data a controller has processed about them regardless of how the controller acquired it.
Right to opt out. Like Virginia and Colorado, consumers have the right to “opt out of the processing of the personal data for the purposes of:
After the law takes effect, controllers must provide “clear and conspicuous” links on their websites that let consumers opt out of the above types of processing. Beginning Jan. 1, 2025, controllers must also recognize universal “opt-out preference signal[s]” indicating a consumer’s intent to opt out of targeted advertising and sales, and such a signal will trump any conflicting controller-specific privacy setting. This is similar to Colorado’s law, which mandates recognition of universal opt-out signals beginning July 1, 2024. Unlike Colorado, however, the law does not require controllers to authenticate opt-out requests, which in theory makes it easier for consumers to opt out. In this sense the law resembles the California Privacy Rights Act: although recognition of universal opt-out signals is optional there, opt-out requests need not be authenticated, since the harms associated with, for example, an unauthenticated access request do not apply to a request that merely opts a consumer out of targeted advertising, sales or profiling.
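The precedence rule above (a universal signal overrides a conflicting site-specific setting, with no authentication step) is straightforward to encode on the server side. The following is an added example, not code from the IAPP article or from the Connecticut statute. It assumes the universal opt-out preference signal is conveyed as the Global Privacy Control request header `Sec-GPC: 1` (the GPC draft specification); the statute names no wire format, so any other signal would need its own parser. The request headers and stored preferences are constructed for the example.

```python
"""Effective opt-out decision for targeted advertising and sales.

Added example, not from the IAPP article or the Connecticut statute. Assumes
the universal opt-out preference signal arrives as the Global Privacy Control
request header ``Sec-GPC: 1`` (GPC draft); other signal formats would need
their own parser. All requests and stored preferences below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Mapping, Optional

# Date on which the Connecticut law makes honoring the signal mandatory.
SIGNAL_MANDATORY_FROM = date(2025, 1, 1)
# Purposes the signal covers under the law. Profiling is also opt-out-able,
# but only through the controller's own mechanism, so the signal leaves it alone.
SIGNAL_PURPOSES = frozenset({"targeted_advertising", "sale"})
ALL_PURPOSES = ("targeted_advertising", "sale", "profiling")


@dataclass
class StoredPreference:
    """Controller-specific choices a consumer saved via the site's opt-out link.

    A purpose missing from the mapping means the consumer has not opted out of it.
    """
    opted_out: Dict[str, bool] = field(default_factory=dict)


def signal_present(headers: Mapping[str, str]) -> bool:
    """Return True if the request carries an opt-out preference signal.

    Header names are matched case-insensitively; only the literal value "1"
    counts, as the GPC draft specifies. There is deliberately no identity
    check: the law does not require opt-out requests to be authenticated.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def effective_opt_out(
    headers: Mapping[str, str],
    stored: Optional[StoredPreference],
    today: str,
    honor_signal_before_mandate: bool = True,
) -> Dict[str, bool]:
    """Compute the opt-out status the controller must apply for this request.

    ``today`` is an ISO-8601 date string. Precedence, as the article describes
    the statute: a present signal trumps any conflicting stored setting for the
    purposes it covers; otherwise the stored setting stands; absent both, the
    consumer is not opted out. A consumer who opted out through the site
    mechanism stays opted out even when no signal is sent, since absence of a
    signal is not consent. Before the mandate date the controller may still
    honor the signal (the default here), which is the safer choice.
    """
    result = {
        purpose: bool(stored.opted_out.get(purpose, False)) if stored else False
        for purpose in ALL_PURPOSES
    }
    must_honor = date.fromisoformat(today) >= SIGNAL_MANDATORY_FROM or honor_signal_before_mandate
    if must_honor and signal_present(headers):
        for purpose in SIGNAL_PURPOSES:
            result[purpose] = True  # signal overrides any conflicting stored choice
    return result


def demo() -> Dict[str, bool]:
    """Constructed request: GPC is set, but the consumer earlier opted back in to ads."""
    stored = StoredPreference(opted_out={"targeted_advertising": False, "profiling": True})
    headers = {"Sec-GPC": "1", "User-Agent": "example-browser/1.0"}  # constructed
    return effective_opt_out(headers, stored, today="2025-03-01")


if __name__ == "__main__":
    print(demo())
```

In the constructed request the stored setting says the consumer is opted in to targeted advertising, yet the signal wins for both targeted advertising and sale, while the profiling choice comes only from the stored preference. The `honor_signal_before_mandate` flag exists only to show the date gate; a controller already subject to Colorado or California will normally honor the signal from day one.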
Limits on collection. As is the case under the CCPA and laws in Virginia and Colorado, controllers are required to “limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.”
Limits on use. Unless an exception applies, such as obtaining consent, controllers are prohibited from processing personal data for “purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed.”
Data security. Controllers must also “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.”
Consent requirements. Absent consent, the law, like Virginia and Colorado, prohibits controllers from processing sensitive data. “Sensitive data” includes personal data collected from an individual the controller knows is under 13 years old, in which case the data must be processed in accordance with the Children’s Online Privacy Protection Act.
In addition to processing sensitive data, consent is also required to process a consumer’s personal data for targeted advertising or to sell their data if a controller has actual knowledge, and willfully disregards, that the consumer is at least 13 but younger than 16 years old. This provision extends beyond the consent requirements found in Virginia and Colorado’s laws and aligns more with the CPRA, which prohibits selling or sharing the data of consumers under 16 without consent.
A consumer’s consent must be “freely given, specific, informed and unambiguous,” and the law specifically dictates that it cannot be obtained through the use of dark patterns. Additionally, controllers are required to “provide an effective mechanism” for consumers to revoke consent that is at least as easy as the mechanism used to provide it. Once revoked, the controller must stop processing the data as soon as practicable, but within 15 days after receiving the revocation.
Nondiscrimination. If a consumer decides to exercise any of their rights provided by the law, controllers are prohibited from discriminating against them by “denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer.”
Transparency. Like its predecessors, Connecticut’s law requires controllers to provide consumers with a “reasonably accessible, clear and meaningful privacy notice.” Privacy notices must include:
Additionally, if personal data is sold to third parties or processed for targeted advertising, controllers are required to “clearly and conspicuously disclose such processing” and how consumers may exercise their opt-out rights.
Responding to consumer requests. The obligations for responding to consumer requests closely resemble those under Virginia and Colorado. Controllers are obligated to respond to a consumer’s request “without undue delay,” but within 45 days after receiving the request, which may be extended an additional 45 days when reasonably necessary. Controllers must also establish a “conspicuously available” appeal process for consumers to appeal a controller’s refusal to act on a request within a reasonable time. Like the Virginia law, controllers must inform consumers in writing within 60 days of any action or inaction taken in response to the appeal. If the appeal is denied, the controller must provide the consumer with an online mechanism or other method to contact and submit a complaint to the attorney general.
Data processing contracts. Like most of its predecessors, the law requires there be a contract between a controller and processor to govern the data processing performed by the processor on behalf of the controller. Such contracts must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties,” along with other enumerated terms — all of which are substantially similar to the requirements under Virginia and Colorado.
Data protection assessments. For each processing activity “that presents a heightened risk of harm” to consumers, controllers must conduct and document a data protection assessment. The types of activities that must be assessed include:
Like Virginia, Colorado and Utah, the law lacks a private right of action, and, following Virginia’s approach, enforcement falls solely to the attorney general. Prior to initiating an action, the attorney general must notify the controller of the violation. Like Colorado’s law, the law then gives a controller 60 days to cure the violation, double the 30-day cure periods granted under the California, Utah and Virginia laws. The cure provision follows Colorado’s in another respect: it sunsets Jan. 1, 2025, after which the attorney general has discretion whether to offer an opportunity to cure.
A violation of the law is considered an unfair trade practice under the Connecticut Unfair Trade Practices Act. As such, entities may face civil penalties up to $5,000 per willful violation. The attorney general may also seek to impose equitable remedies pursuant to the CUTPA, including restitution, disgorgement and injunctive relief.
Although we have yet to see how the Connecticut law will play out in practice, the text of the law provides a solid starting point. Entities preparing for Colorado’s law will be able to leverage some of their compliance efforts, especially when it comes to consumer rights. The law’s heightened protections for children’s data and other important nuances, however, will certainly require additional consideration.
© 2022 International Association of Privacy Professionals.
All rights reserved.