As of May 10, 2022, Connecticut is the fifth state to enact statewide data privacy legislation. According to JD Supra, “the DPA becomes effective on July 1, 2023 and applies to businesses that: (a) transact business in Connecticut or otherwise utilize products or services targeted to Connecticut residents; and (b) either (i) control or process the personal data of at least 100,000 Connecticut residents on an annual basis; or (ii) derive over 25% of their gross revenue from the sale of personal data and control or process the personal data of at least 25,000 Connecticut residents on an annual basis. Certain entities are exempt from the DPA including state and local governments, tax-exempt organizations, higher education institutions, financial institutions subject to the Gramm-Leach-Bliley Act, and “covered entities” and “business associates” as defined by the Health Insurance Portability and Accountability Act (“HIPAA”).
Similar to other state laws already enacted (e.g., California Consumer Privacy Act), the DPA will require opt-in consent for the collection and processing of a consumer’s “sensitive” information, such as information revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data and precise geolocation data. The DPA also provides consumers with rights of notice, access, portability, correction and deletion, provided, however, that businesses are afforded certain exemptions in this regard (e.g., to combat fraud). The DPA will also allow consumers to opt out of using their information for certain purposes, such as the sale of personal data and targeted advertising (and similarly require opt-in consent from minors). The DPA will be enforced through the Office of Connecticut’s Attorney General.”
Do you feel like federal privacy laws are coming down the pipeline? How many more states have to get on board before legislation feels imminent?