On May 10, 2022, Connecticut signed into law the Data Privacy and Online Monitoring Act (Act) to regulate the collection, storage and usage of personal information and create new consumer privacy rights. The Act becomes effective July 1, 2023.
- Establishes a framework for controlling and processing personal data;
- Defines responsibilities and privacy protection standards for data controllers and processors; and
- Grants consumers the right to access, correct, delete and obtain a copy of personal data and opt out of the processing of personal data in certain circumstances.
The Act applies to persons or entities that conduct business in Connecticut, or produce products or services that are targeted to Connecticut residents, if they did either of the following during the prior calendar year:
- Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
Certain entities are exempt from the law, including state and local government entities, non-profits, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act, and qualifying covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”).
Next Steps for Employers
Covered entities must consider adjusting their practice to:
- Keep the collection of personal data to the minimum amount necessary for the purpose of the collection;
- Use personal data to only the purpose of the collection or as the consumer has authorized;
- Establish and implement data security practices to protect the data; and
- Obtain consent before processing sensitive data, including data of any individual under the age of 13, and follow the provisions of the Children’s Online Privacy Protection Act under federal law.
Entities subject to the Act should become familiar with their new obligations and prepare to comply by the effective date.