May 13, 2022
Connecticut has joined California, Virginia, Colorado, and Utah in enacting comprehensive data privacy legislation, with a signature from Governor Lamont this week on the Connecticut Data Privacy Act (“CTDPA”). Meanwhile, the text of Virginia’s privacy law was amended and finalized, and the California Privacy Protection Agency (“CPPA”) held pre-rulemaking stakeholder sessions about topics related to automated decision-making, consumers’ rights, businesses’ concerns, and cybersecurity, among others. Companies should account for these changes as they develop and refine their privacy compliance programs.
Connecticut Data Privacy Act
The CTDPA draws heavily upon its predecessor statutes in Virginia and Colorado, with very few departures of significance. Indeed, while the specific combination of features in the CTDPA may be unique, the combination is largely made of elements seen in at least one of its preceding laws. The CTDPA will become effective by its terms in a little over a year, on July 1, 2023 – six months after the California Privacy Rights Act (“CPRA”) and Virginia Consumer Data Protection Act (“VCDPA”), simultaneously with the Colorado Privacy Act (“CPA”), and six months before the Utah Consumer Privacy Act (“UCPA”).
Potentially one of the most significant differences between the CTDPA and other states’ laws may be within the threshold requirements. The CTDPA applies to persons that conduct business in Connecticut or produce products or services that are targeted to residents of the state, and that control or process the personal data of a particular number of residents, namely either:
Connecticut is the first state law to explicitly carve out payment transaction data from its applicability threshold; this provision was added to alleviate concerns of restaurants, small convenience stores, and similar businesses that process the personal information of many customers for the sole purpose of completing a transaction.
Like existing state data privacy laws, the CTDPA grants consumers—defined as Connecticut residents who are not acting in a commercial or employment context—various rights, including: (1) to confirm whether an entity acting as a data controller is processing their personal data, and to access such data; (2) to obtain a copy of their personal data in a portable and readily usable format; (3) to correct inaccuracies therein; and (4) to delete personal data provided by, or obtained about, them. It also requires data controllers to practice data minimization and purpose limitation, implement technical safeguards, and conduct data protection assessments. The CTDPA adopts language similar to that of Virginia’s recent amendment, described more fully below, relating to compliance with a consumer’s request to delete by opting the consumer out of the processing of such personal data, where such information was obtained from a source other than the consumer.
Like the Virginia and Colorado laws, the CTDPA allows consumers to opt out of the processing of their personal data for purposes of (a) targeted advertising, (b) the sale of personal data, and (c) profiling in furtherance of solely automated decisions that produce similarly significant effects. Like the California and Colorado laws, the CTDPA permits consumers to designate an authorized agent to act on their behalf and opt out of the processing of their data. By January 1, 2025, data controllers must allow consumers to exercise their opt-out right through an opt-out preference signal. Unlike California, where the CPPA is expected to opine on what an opt-out signal is and how it works, the CTDPA leaves this provision largely undefined, encouraging the market to create signals and bringing with it the potential for confusion as to which signals must be honored. The CTDPA, like other state laws, also prohibits processing a consumer’s sensitive data without consent, and requires data controllers to provide a mechanism for revoking consent that is “at least as easy as” the mechanism by which the consumer provided consent.
Like Virginia, Colorado, and Utah, and unlike California, Connecticut does not include a private right of action in its law – the CTDPA limits enforcement to the state’s attorney general. Until December 31, 2024, enforcement actions will be subject to a 60-day cure period; thereafter, the attorney general may, but is not required to, provide an opportunity to correct an alleged violation. A violation of the CTDPA will constitute an unfair trade practice, which carries civil penalties of up to $5,000 per violation for willful offenses.
Finally, the CTDPA, similar to Virginia, requires the joint standing committee of the General Assembly to convene a task force to study various topics concerning data privacy. The task force must submit a report of its findings and recommendations to the joint standing committee by January 1, 2023.
Developments in Other States
In April, Virginia Governor Youngkin signed into law three amendments to the VCDPA, finalizing the VCDPA’s text ahead of its January 1, 2023 effective date. The first amendment concerns consumers’ right to delete their personal information. The VCDPA grants consumers the right to delete “personal data provided by or obtained about” them. The amendment provides that data controllers that have obtained personal data from a source other than the consumer will be deemed to be in compliance with a consumer’s request to delete if they opt the consumer out of the processing of such personal data, allowing businesses to avoid potentially technically infeasible requirements to delete data, so long as they no longer use it for any purpose. The second amendment changes the definition of “nonprofit organization” to include political organizations, thus exempting them from the VCDPA. The third and final amendment provides that all civil penalties, expenses, and attorney fees will be paid into the state treasury and credited toward the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund, rather than a separate Consumer Privacy Fund. Unlike California’s and Colorado’s laws, the VCDPA does not include rulemaking authority. Therefore, businesses subject to the VCDPA can develop their compliance programs ahead of January 1, 2023 without concern about significant changes resulting from the adoption of regulations.
As explained in more detail in a prior update, the CPPA is responsible for implementing and enforcing the CPRA and California Consumer Privacy Act (“CCPA”), a role which includes updating existing regulations and adopting new regulations. The CPPA is currently engaging in preliminary information-gathering activities to help inform its rulemaking. The CPPA accepted written comments in Fall 2021, provided informational sessions in March 2022, and, recently, held stakeholder sessions on May 4, 5, and 6, 2022, to provide an opportunity for stakeholders to speak on topics relevant to the upcoming rulemaking.
The topics discussed during the stakeholder sessions included automated decision-making, data minimization and purpose limitations, dark patterns, consumers’ rights, businesses’ concerns, and cybersecurity, among others. Between two and ten stakeholders spoke on each topic, and the speakers ranged from individuals to representatives of private organizations, non-profits, government, and industry groups.
Below are highlights from some of the sessions:
The CPPA did not comment on any suggestions, and noted that they were in “listening mode.” The CPPA has not commenced formal rulemaking activities, and continues to gather information. Updates on the CPPA’s activities related to rulemaking are available here.
Separately, there has been no further movement on the proposals floated by the California legislature to extend the business-to-business and employment-related exemptions in the CCPA, leaving businesses to continue to consider how to comply with the CPRA with respect to those individuals’ information.
Proposed data privacy legislation currently remains in committee in Alaska, Louisiana, Massachusetts, Michigan, North Carolina, New Jersey, New York, Ohio, Pennsylvania, Rhode Island, and Vermont. Numerous other states also are actively considering such laws, with drafting and negotiations at various phases.
We will continue to monitor developments in this area, and are available to discuss these issues as applied to your particular business.
This alert was prepared by Cassandra Gaedt-Sheckter, Ryan Bergsieker, Alexander Southwell, Sarah Scharf, Abbey Barrera, Tony Bedel, Courtney Wang, Raquel Sghiatti, and Samantha Abrams-Widdicombe.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Data Innovation practice group.
© 2022 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.