Connecticut Data Privacy Act: How We Make Sure Convert Remains Compliant
With the introduction of Connecticut SB 6, commonly referred to as the Connecticut Data Privacy Act or “CTDPA”, Connecticut has joined the ranks of US states like California, Virginia, Colorado, Nevada and Utah that have passed comprehensive privacy laws to protect individuals’ personal information.
Despite privacy and data security regulations existing in the United States for decades, those regulations previously only applied to specific businesses, areas, and data types.
These new state regulations, rather than strictly restricting certain forms of data processing, reinforce a growing trend of protecting the privacy rights of individuals more broadly.
More and more US states are enacting laws governing the handling of online information. Check out our assessments of the privacy laws in
The Difference Between Connecticut SB 6 and Other Privacy Laws
Below is a breakdown of the Connecticut SB 6 provisions compared with those of:
- The Utah Consumer Privacy Act (UCPA)
- The Colorado Privacy Act (CPA)
- The Nevada State Privacy Law (SB200)
- The Virginia VCDPA
- CCPA (as amended by the California Privacy Rights Act (CPRA))
- The European General Data Protection Regulation (GDPR)
| Key Provisions | Connecticut SB6 | Utah UCPA | Colorado CPA | Nevada SB220 | Virginia CDPA | California CCPA + CPRA | Europe GDPR |
|---|---|---|---|---|---|---|---|
| Ability to Process | | | | | | | |
| Data Minimisation | Yes | Yes | Yes | – | Yes | No | Yes |
| Permissible Purpose | Yes | Yes | Yes | – | Yes | No | Yes |
| Individual Rights | | | | | | | |
| Right to receive notice of processing activities | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Right to access personal data | Yes | Yes | Yes | – | Yes | Yes | Yes |
| Right to data portability (data should be available in an easily usable format for transfer from one entity/platform to another) | Yes | Yes | Yes | – | Yes | Yes | Yes |
| Right to correct errors in personal data | Yes | No | Yes | – | Yes | No | Yes |
| Right to delete personal data | Yes | Yes | Yes | – | Yes | Yes | Yes |
| Right to opt-out of behavioral advertising | Yes | Yes | No | – | Yes | No | Yes |
| Right to object to automated profiling and decision making | Yes | Yes | No | – | Yes | No | Yes |
| Right to non-discrimination for the exercise of these rights | Yes | Yes | Yes | – | Yes | Yes | Yes |
| Right to opt-out of sales of personal information | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Opt in or opt out for processing of sensitive information | Opt-out | Opt-out | Opt-in | – | Opt-in | Opt-out | Opt-in |
| Right to appeal denial of requests | Yes | No | No | – | Yes | No | No |
| Accountability/Governance | | | | | | | |
| Data Protection Assessments | Yes | No | Yes | – | Yes | No | Yes |
| Security | | | | | | | |
| Appropriate Data Security to protect information | Yes | No | Yes | – | Yes | Yes | Yes |
| Breach Notification | Yes | Yes | Yes | – | Yes | Yes | Yes |
| Data Transfers Outside European Economic Area (EEA) | | | | | | | |
| Additional measures for international transfers | Yes | Yes | Yes | – | No | No | Yes |
| Transfers to Third Parties | | | | | | | |
| Contractual Requirements in Service Provider Agreements | Yes | No | Yes | – | Yes | Yes | Yes |
| Marketing | | | | | | | |
| Consent for Adtech cookies | Yes | No | No | – | Yes | Yes | Yes |
| Consent obtained prior to direct marketing | Yes | No | Yes | – | No | No | Yes |
| Enforcement Agencies | Attorney General | Utah Department of Commerce | Attorney General | – | Attorney General | Attorney General, CPPA | DPA |
| Operative date | 1 July 2023 | 31 December 2023 | 1 July 2023 | 1 October 2019 | 1 January 2023 | 1 January 2020 / 1 January 2023 | 25 May 2018 |
Watch this video for more information on the differences between EU and US privacy laws and which privacy standards should be considered when performing A/B testing.
A pattern appears to be emerging in how state legislatures approach broad privacy protection laws, as illustrated in the table above.
The Connecticut SB 6 adopts substantial sections of the Colorado and Virginia statutes practically verbatim, including how to define personal data, how to deal with sensitive personal information, and when to conduct data protection impact assessments.
What are the Key Provisions of Connecticut’s SB 6?
The following are some of the most significant provisions of the Connecticut SB 6:
1. Same Privacy Rights as other State Laws
The Connecticut Data Privacy Act establishes a set of individual privacy rights that are similar to those found in the Utah UCPA, Colorado CPA, Virginia VCDPA, and California CCPA/CPRA.
These rights include viewing, correcting, copying, and deleting personal information.
Consumers can also opt out of the processing of their personal data for advertising, data sales, and profile building.
SB 6, like the other state privacy laws, includes an opt-in system for the type of data processing involving children aged 13 to 16.
2. Privacy Requests Without Technical Approval
When it comes to the way privacy rights requests are submitted and handled, Connecticut’s new law resembles Colorado’s CPA more closely than it does Virginia’s law.
Connecticut is joining California and Colorado in requiring businesses to offer customers the option to opt out of targeted advertising or sales through some sort of technical mechanism. In contrast to California and Colorado though, Connecticut SB 6 does not require approval of the technical mechanism requirements by the state regulator.
3. Broad Definition of Selling Personal Data
Under Connecticut SB 6, “selling of personal data” means exchanging personal data for money or other valuable consideration with a third party.
In embracing “valuable consideration” along with monetary consideration, SB 6 provides a more comprehensive definition of sale, similar to the California CCPA and Colorado CPA definitions.
There are several exceptions to the definition of sale of personal data, including disclosure of personal data at a consumer’s request, disclosures within a company, and disclosure or transfer of personal data to a third party that occurs in the context of an acquisition, bankruptcy, or some other type of transaction.
4. Enforcement Only by the Attorney General
Connecticut SB 6 follows the pattern of only permitting the Attorney General to prosecute offenses.
Connecticut’s Attorney General, like Colorado’s, is required to offer a 60-day notice and opportunity to rectify infractions.
SB 6 violations are considered deceptive trade practices under the State’s Unfair and Deceptive Acts and Practices statute and can result in civil fines of up to $5,000 in addition to actual and punitive damages, as well as attorneys’ fees and costs.
5. Enhanced Security for Sensitive Information
The Connecticut SB 6, like several other privacy laws, provides enhanced safeguards for specific types of information.
This “sensitive data” includes information about a person’s race, ethnicity, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship status, or immigration status; genetic and biometric data that can be used for identification; information collected from children; and geolocation information.
The processing of sensitive data requires the consumer’s consent and, because it increases the potential for harm to the consumer, also requires a Data Privacy Impact Assessment (DPIA).
6. Privacy Policy Disclosures
Connecticut SB 6 requires organizations to update their Privacy Policies to include the following disclosures:
- The types of personal data that the company handles;
- Why the company processes personal data;
- One or more secure and trustworthy ways for consumers to exercise their privacy rights, including the ability to appeal a decision regarding a privacy rights request;
- The categories of personal data exchanged with third parties, if any;
- The types of third parties with whom personal data is exchanged, if any;
- An active email address where a customer can contact the company;
- If a company sells or processes personal data for targeted advertising, the Privacy Policy must state so, as well as how customers can opt out.
Convert’s Privacy Compliance Plan
As more privacy laws are introduced, we can expect the landscape to shift further, with even more novel legislation regarding data privacy, as well as more rounds of comments and revisions.
These factors can all have an impact on how your software is compliant and how your Privacy Policy is worded.
So, how does Convert keep track of all of this data and ensure that we don’t overlook anything?
1. Creating Privacy Relevant Keyword Alerts
We start by setting up Google Alerts for the appropriate terms. Our system will alert us every time new legislation is passed, a new bill is introduced, or a case is decided which contains any of our search terms. The screenshot below illustrates some of those alerts.
The search results may not all be relevant, so we have to sift through the alerts to ensure that we are only evaluating relevant data.
Every good researcher knows that you shouldn’t rely on one source for all your information. That is why Convert is a member of several privacy forums. We also check the materials provided by the International Association of Privacy Professionals, on a weekly basis.
The IAPP, for example, publishes a privacy law comparison chart (see below) that contains useful information about all the privacy bills that have been introduced.
2. Checking the Websites of Data Protection Authorities (DPAs)
While keeping track of new bills, laws, and statutes is crucial, it is equally important to follow data protection authorities and their interpretations. Entities such as these can provide you with crucial information about what will be enforced and how.
In a recent article, we outlined how the Austrian Data Protection Authority made the use of Google Analytics illegal.
3. Reading Privacy Articles
We read opinion articles and stories about privacy and technology, as well as industry perspectives on privacy and information on what the general public thinks about current privacy protections.
Knowing how the industry and the broader public feel about privacy and technology helps us evaluate patterns in enforcement and legislative action, as well as where our sector is headed in the future.
4. Updating Policies and Relevant Information
It’s important to note that Convert takes care of all of the above not only for Privacy Policies but also for Terms and Conditions, End User License Agreements, Disclaimers, Contracts, and the actual A/B tracking scripts.
After gathering all the information, we determine whether or not to make revisions to the policies, and then we update them.
5. Informing Website Visitors
As more consumers check to see if a website has a Privacy Policy and what privacy practices are stated in such policies, the next step is to notify our website’s visitors and Convert users about the changes we are making. All new laws require Privacy Policies to state their effective date or latest revised date. If your Privacy Policy includes this disclosure, website users can easily determine whether the policy has been changed by simply looking at its date.
Convert’s Plan for Connecticut SB 6
If you already have a Convert account, there is nothing you have to worry about! We’ll keep track of this new law, as well as any revisions or regulations, for you. If the law applies to you, your policies will be revised to include the above disclosures before the law takes effect.
We monitor state privacy and cybersecurity legislation closely at Convert. For more information on “how to prepare for the SB 6” and other new U.S. privacy laws, visit our GDPR roadmap.