Connecticut’s Comprehensive Privacy Bill
Connecticut is poised to be the 5th state to pass a comprehensive data privacy law. It is currently awaiting the governor’s signature after passing the Connecticut House and Senate.
Titled: An Act Concerning Personal Data Privacy and Online Monitoring (ACPDPOM), the bill has circumvented the acronym shortage stemming from the CCPA, the CPRA, and the CPA. Regardless of the difference in name, the bill has many similarities to the Colorado Privacy Act (CPA).
Like the CPA, the ACPDPOM would provide consumers with rights of access, rectification, deletion, restriction, portability, the right to opt out of the sale of personal, and the right against automated decision-making. Also, like the CPA and unlike the CPRA, the ACPDPOM would not grant consumers private rights of action.
The obligations that would be imposed by the ACPDPOM are also similar to those in the CPA. It would require controllers to provide notice about their data processing activities. Controllers would also need to perform risk assessments. Controllers would be prohibited from discriminating against consumers who exercised their rights under the data privacy law. Controllers would be limited to processing data according to what is adequate, relevant, and reasonably necessary in relation to the purposes disclosed to the consumer.
Another commonality that the ACPDPOM has with the CPA is the effective date. If passed, it would have a pretty quick turnaround time to becoming effective on July 1, 2023.
The bill would allow a 60-day cure period, but would sunset that cure period on January 1, 2025. The Connecticut Attorney General’s Office would have the exclusive enforcement authority if the bill were passed.
A significant deviation from other data privacy laws is the applicability criteria for the ACPDPOM. It applies to persons who conduct business in the state or produce products or services that are targeted to residents of the state and that during the preceding calendar year (1) controlled or processed the personal data of not less than 75,000 consumers (excluding personal data controller or processed solely for the purpose of completing a payment transaction) or (2) controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
Given that the applicability criteria are based on activity of the previous calendar year and that the bill would be effective July 1, 2023. Companies that may be subject to the law will already be processing data that will affect their applicability. Activity since January 1, 2022 is relevant in determining whether a company must comply with the ACPDPOM.
With a relatively short period available between the law’s signing and its effective date (just over a year), it will be important for companies to act quickly to meet their compliance obligations under the ACPDPOM. Clarip can help companies with their various data privacy compliance needs. We offer automated data subject request fulfillment, automated data mapping, vendor management, consent management, website scanning, and much, much more. Visit us at www.clarip.com or call us at 1-888-252-5653 to learn more.
Email Now:
Mike Mango, VP of Sales
mmango@clarip.com