Connecticut Data Privacy Act: How We Make Sure Convert Remains Compliant

Dionysia Kontotasiou
By
July 12, 2022 ·

With the introduction of Connecticut SB 6, commonly referred to as the Connecticut Data Privacy Act or “CTDPA”, Connecticut has joined the ranks of US states like California, Virginia, Colorado, Nevada and Utah that have passed comprehensive privacy laws to protect individuals’ personal information.

Despite privacy and data security regulations existing in the United States for decades, those regulations previously only applied to specific businesses, areas, and data types.

These new state regulations, rather than strictly restricting certain forms of data processing, reinforce a growing trend of protecting the privacy rights of individuals more broadly.

More and more US states are enacting laws governing the handling of online information. Check out our assessments of the privacy laws in

The Difference Between Connecticut SB 6 and Other Privacy Laws

Below is a breakdown of the Connecticut SB 6 provisions compared with those of

  • The Utah Consumer Privacy Act (UCPA)
  • The Colorado Privacy Act (CPA)
  • The Nevada State Privacy Law (SB200)
  • The Virginia VCDPA
  • CCPA (as amended by the California Privacy Rights Act (CPRA))
  • The European General Data Protection Regulation (GDPR)
Key Provisions Connecticut SB6 Utah
UCPA
Colorado CPA Nevada SB220 Virginia CDPA
California
CCPA + CPRA
Europe GDPR
Ability to Process
Data Minimisation Yes Yes Yes Yes No Yes
Permissible Purpose Yes Yes Yes Yes No Yes
Individual Rights
Right to receive notice of processing activities Yes Yes Yes Yes Yes Yes Yes
Right to access personal data Yes Yes Yes Yes Yes Yes
Right to data portability. Data should be available in an easily usable format for transfer from one entity/platform to another. Yes Yes Yes . Yes Yes Yes
Right to correct errors in personal data Yes No Yes Yes No Yes
Right to delete personal data Yes Yes Yes Yes Yes Yes
Right to opt-out of behavioral advertising Yes Yes No Yes No Yes
Right to object to automated profiling and decision making Yes Yes No Yes No Yes
Right to non-discrimination for the exercise of these rights Yes Yes Yes Yes Yes Yes
Right to opt-out of sales of personal information Yes Yes Yes Yes Yes Yes No
Opt in or opt out for processing of sensitive information Opt-out Opt-out Opt-in Opt-in Opt-out Opt-in
Right to appeal denial of requests Yes No No Yes No No
Accountability/Governance
Data Protection Assessments Yes No Yes Yes No Yes
Security
Appropriate Data Security to protect information Yes No Yes Yes Yes Yes
Breach Notification Yes Yes Yes Yes Yes Yes
Data Transfers Outside European Economic Area (EEA)
Additional measures for international transfers Yes Yes Yes No No Yes
Transfers to Third Parties
Contractual Requirements in Service Provider Agreements Yes No Yes Yes Yes Yes
Marketing
Consent for Adtech cookies Yes No No Yes Yes Yes
Consent obtained prior to direct marketing Yes No Yes No No Yes
Enforcement Agencies
Attorney General Utah Department of Commerce Attorney General Attorney General Attorney General, CPPA DPA
Operative date
1 July 2023 31 December 2023 1 July 2023 1 October 2019 1 January 2023 1 January 2020/ 1 January 2023 25 May 2018

Watch this video for more information on the differences between EU and US privacy laws and which privacy standards should be considered when performing A/B testing.

A pattern appears to be emerging in how state legislatures approach broad privacy protection laws, as illustrated in the table above.

The Connecticut SB 6 adopts substantial sections of the Colorado and Virginia statutes practically verbatim, including how to define personal data, how to deal with sensitive personal information, and when to conduct data protection impact assessments.

What are the Key Provisions of Connecticut’s SB 6?

The following are some of the most significant provisions of the Connecticut SB 6:

1.   Same Privacy Rights as other State Laws

The Connecticut Data Privacy Act establishes a set of individual privacy rights that are similar to those found in the Utah UCPA, Colorado CPA, Virginia VCDPA, and California CCPA/CPRA.

These rights include viewing, correcting, copying, and deleting personal information.

Consumers can also opt out of the processing of their personal data for advertising, data sales, and profile building.

SB 6, like the other state privacy laws, includes an opt-in system for the type of data processing involving children aged 13 to 16.

2.   Privacy Requests Without Technical Approval

When it comes to the way privacy rights requests are submitted and handled, Connecticut’s new law resembles Colorado’s CPA more closely than it does Virginia’s law.

Connecticut is joining California and Colorado in requiring businesses to offer customers the option to opt out of targeted advertising or sales through some sort of technical mechanism. In contrast to California and Colorado though, Connecticut SB 6 does not require approval of the technical mechanism requirements by the state regulator.

3.   Broad Definition of Selling Personal Data

Under Connecticut SB 6, “selling of personal data” means exchanging personal data for money or other valuable consideration with a third party.

In embracing “valuable consideration” along with monetary consideration, SB 6 provides a more comprehensive definition of sale, similar to the California CCPA and Colorado CPA definitions.

There are several exceptions to the definition of sale of personal data, including disclosure of personal data at a consumer’s request, disclosures within a company, and disclosure or transfer of personal data to a third party that occurs in the context of an acquisition, bankruptcy, or some other type of transaction.

4.   Enforcement Only by the Attorney General

Connecticut SB 6 follows the pattern of only permitting the Attorney General to prosecute offenses.

Connecticut’s Attorney General, like Colorado’s, is required to offer a 60-day notice and opportunity to rectify infractions.

SB 6 violations are considered deceptive trade practices under the State’s Unfair and Deceptive Acts and Practices statute and can result in civil fines of up to $5,000 in addition to actual and punitive damages, as well as attorneys’ fees and costs.

5.   Enhanced Security for Sensitive Information

The Connecticut SB 6, like several other privacy laws, provides enhanced safeguards for specific types of information.

This “sensitive data” includes information about a person’s race, ethnicity, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship status, or immigration status; genetic and biometric data that can be used for identification; information collected from children; and geolocation information.

The processing of sensitive data requires the consent of the consumer and, inevitably, increases the potential of harm to the consumer, which is why a Data Privacy Impact Assessment (DPIA) is required.

6.   Privacy Policy Disclosures

Connecticut SB 6 requires organizations to update their Privacy Policies to include the following disclosures:

  • The types of personal data that the company handles;
  • Why the company processes personal data;
  • One or more secure and trustworthy ways for consumers to exercise their privacy rights, including the ability to appeal a decision regarding a privacy rights request;
  • The categories of personal data exchanged with third parties, if any;
  • The types of third parties with whom personal data is exchanged, if any;
  • An active email address where a customer can contact the company;
  • If a company sells or processes personal data for targeted advertising, the Privacy Policy must state so, as well as how customers can opt out.

Convert’s Privacy Compliance Plan

As more privacy laws are introduced, we can expect the landscape to shift further, with even more novel legislation regarding data privacy, as well as more rounds of comments and revisions.

These factors can all have an impact on how your software is compliant and how your Privacy Policy is worded.

So, how does Convert keep track of all of this data and ensure that we don’t overlook anything?

1.   Creating Privacy Relevant Keyword Alerts

We start by setting up Google Alerts for the appropriate terms. Our system will alert us every time new legislation is passed, a new bill is introduced, or a case is decided which contains any of our search terms. The screenshot below illustrates some of those alerts.

setting up Google Alerts for the appropriate terms

The search results may not all be relevant, so we have to sift through the alerts to ensure that we are only evaluating relevant data.

Every good researcher knows that you shouldn’t rely on one source for all your information. That is why Convert is a member of several privacy forums. We also check the materials provided by the International Association of Privacy Professionals, on a weekly basis.

The IAPP, for example, publishes a privacy law comparison chart (see below) that contains useful information about all the privacy bills that have been introduced.

2.   Checking the Websites of Data Protection Authorities (DPAs)

While keeping track of new bills, laws, and statutes is crucial, it is equally important to follow data protection authorities and their interpretations. Entities such as these can provide you with crucial information about what will be enforced and how.

Websites of Data Protection Authorities (DPAs)

In a recent article, we outlined how the Austrian Data Protection Authority made the use of Google Analytics illegal.

3.   Reading Privacy Articles

We read opinion articles and stories about privacy and technology, as well as industry perspectives on privacy and information on what the general public thinks about current privacy protections.

Knowing how the industry and the broader public feel about privacy and technology helps us evaluate patterns in enforcement and legislative action, as well as where our sector is headed in the future.

4.   Updating Policies and Relevant Information

It’s important to note that Convert takes care of all of the above not only for Privacy Policies but also for Terms and Conditions, End User License Agreements, Disclaimers, Contracts, and the actual A/B tracking scripts.

After gathering all the information, we determine whether or not to make revisions to the policies, and then we update them.

5.   Informing Website Visitors

As more consumers check to see if a website has a Privacy Policy and what privacy practices are stated in such policies, the next step is to notify our website’s visitors and Convert users about the changes we are making. All new laws require Privacy Policies to state their effective date or latest revised date. If your Privacy Policy includes this disclosure, website users can easily determine whether the policy has been changed by simply looking at its date.

Convert’s Plan for Connecticut SB 6

If you already have a Convert account, there is nothing you have to worry about! We’ll keep track of this new law, as well as any revisions or regulations, for you. If the law applies to you, your policies will be revised to include the above disclosures before the law takes effect.

We monitor state privacy and cybersecurity legislation closely at Convert. For more information on “how to prepare for the SB 6” and other new U.S. privacy laws, visit our GDPR roadmap.

CRO Master
CRO Master
Mobile reading? Scan this QR code and take this blog with you, wherever you go.
Originally published July 12, 2022 - Updated November 11, 2022
Written By
Dionysia Kontotasiou
Dionysia Kontotasiou
Dionysia Kontotasiou
Convert's Head of Integration and Privacy, helping customers with technical queries.
Edited By
Carmen Apostu
Carmen Apostu
Carmen Apostu
Head of Content at Convert

Start your 15-day free trial now.

  • No credit card needed
  • Access to premium features

You can always change your preferences later.
You're Almost Done.
Convert is committed to protecting your privacy.

Important. Please Read.

  • Check your inbox for the password to Convert’s trial account.
  • Log in using the link provided in that email.

This sign up flow is built for maximum security. You’re worth it!