Upon passage of these privacy laws, Connecticut and Colorado joined a short list of states with such laws: California, Virginia, and Utah. The passage of these laws also marked a substantial shift in the privacy landscape, reflecting the growing urgency among lawmakers in states across the country to pass similar legislation. In May of 2023, three more states used this momentum to join the ever-expanding list of states with comprehensive data privacy laws on the books: Montana, Tennessee and Indiana. Covered persons should take steps to ensure the proper processes and procedures are in place to comply with new obligations under this growing list of privacy laws, including the Connecticut and Colorado privacy laws, which are effective July 1, 2023.
The following article provides a summary of the key elements of each of the Connecticut and Colorado privacy laws. Note to financial institutions: Financial institutions are explicitly excluded from the scope of both the Connecticut and Colorado privacy laws; accordingly, these new laws do NOT apply to you.
At Baldini Lang LLC, we monitor and report on the ever-changing federal and state privacy law landscape. If you are interested in our monthly data privacy tracker, tracking all of the developing federal and state data privacy laws in the United States, contact us for more information.
Who is required to comply with the privacy law?
The Connecticut law generally applies to all persons that (a) conduct business in Connecticut OR (b) produce products or services that are targeted to Connecticut residents, AND that during the preceding calendar year:
- Controlled or processed the personal data of not less than 75,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; OR
- Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
The Colorado law generally applies to all persons that (a) conduct business in Colorado OR (b) produce or deliver commercial products or services that are intentionally targeted to residents of Colorado; AND that during the preceding calendar year:
- Controlled or processed the personal data of 100,000 consumers or more; OR
- Controlled or processed the personal data of 25,000 consumers or more and derived revenue, or received a discount on the price of goods or services, from the sale of personal data.
Although these laws are broadly applicable to all “controllers” and “processors” that fall within the above thresholds, there are a number of specific entity-level and data-level exemptions. For example, both the Connecticut and the Colorado laws specifically exclude the following from their scope:
- Financial institutions and data subject to the Gramm-Leach-Bliley Act; and
- Data maintained about consumers in a commercial or employment
Notably, however, the Colorado law is generally broader in its scope and application. One of several differences is the Colorado law’s application to nonprofit entities. In contrast, the Connecticut law provides an entity-level exemption for all nonprofits. Additionally, as seen in the chart above, in determining whether a person meets the applicability threshold, the Connecticut law excludes from its calculation all personal data collected or processed solely for a one-time transaction. The Colorado law does not have a comparable limitation and presumably applies to the collection and processing of personal data for such a limited purpose. As a result, the Colorado law will apply to a greater percentage of small businesses than the Connecticut law, as it applies to such an entity even if it does not process, maintain, or use the personal data for any purpose outside of the one-time transaction.
These are just a few of the many minor drafting differences that result in the Colorado law having a substantially broader scope than the Connecticut law. If you have not already, you should consult with legal counsel to determine whether your business activities fall within the boundaries of either of these laws.
“Consumer” means an individual who is a Connecticut resident; does not include individuals acting in a commercial or employment context.
“Controller” means a person that, alone or jointly with others, determines the purpose and means of processing personal data.
“Processor” means a person that processes personal data on behalf of a controller.
“Personal data” means any information that is linked or reasonably linkable to an identified or identifiable individual; does not include de-identified data or publicly available information.
“Sensitive data” means personal data that includes: (1) racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; (2) genetic or biometric data for the purpose of identification; (3) personal data collected from a known child (under 13); or [Connecticut Only: (4) precise geolocation data].
As seen above, the structure and content of these two laws very closely mirror each other, with the key defined terms being nearly identical. A major difference is that the Connecticut law’s scope of “sensitive data” is slightly larger, as it includes precise geolocation data within its definition, while the Colorado law’s definition of “sensitive data” does not go this far.
Additionally, of some significance, all personal data collected from or about a child is protected under both laws as “sensitive data.” This distinction is important because it means that opt-in consent for the collection of any child data is always required, as with all other sensitive data, thereby providing a higher level of protection to minors, and control for their guardians, under the law (or at least attempting to).
Key Rights and Requirements
Both the Connecticut and Colorado laws provide consumers with the following basic rights, as well as set forth certain key compliance requirements for controllers and processors:
- The Right of Access. A consumer has the right to (1) confirm the specific pieces of personal data the controller is processing and (2) access such personal data. Additionally, a controller must provide a consumer with data portability.
- The Right to Correct. A consumer has the right to request to correct inaccurate personal data.
- The Right to Delete. A consumer has the right to request that a controller delete any personal data collected or obtained about the consumer.
- The Right to Opt-Out. A consumer has the right to “opt out” of the processing of personal data for purposes of (1) targeted advertising, (2) the sale of personal data, and (3) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. A controller must provide an opt-out mechanism or preference signal that will enable consumers to opt out of processing for purposes (1) and (2) as listed above. However, the compliance deadline for this mechanism is delayed to July 1, 2024, under the Colorado law, and to January 1, 2025, under the Connecticut law.
- The Right to Consent to the Processing of Sensitive Data. A controller is prohibited from processing sensitive data concerning a consumer without obtaining the consumer’s affirmative opt-in consent.
- The Right to Revoke Consent. Generally, a consumer also has the right to revoke any consent previously provided. The mechanism for a consumer to revoke consent must be at least as easy as the mechanism by which the consumer provided consent.
- The Right to Appeal. A controller shall establish an appeal process for a consumer to appeal the controller’s decision on a request and/or refusal to take action on a request.
- The Right to Equal Service. A controller is prohibited from discriminating against consumers that choose to exercise any of their rights under the privacy law, including providing lesser quality or denying services or goods, or offering different rates.
- Written Contract Requirement. A controller must have a written contract with its processors that includes specific terms. For example, both Connecticut and Colorado require a contract between a controller and a processor to include a provision providing the controller the opportunity to object to the processor’s engagement of a subcontractor. It is important to note that these contract requirements slightly vary from state to state, and compliance with Connecticut’s contract requirements may not translate directly into compliance with the Colorado law’s contract requirements, and vice versa. To be sure your contract is compliant with each applicable law, you should consult with legal counsel.
- Data Protection Assessment. A controller is required to conduct and document a data protection assessment for each processing activity that presents a “heightened risk of harm” to a consumer, including: (1) the processing of personal data for the purposes of targeted advertising; (2) the processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of injury to consumers; (3) the sale of personal data; and (4) the processing of sensitive data.
- De-identified Data. De-identified data is generally not personal data under the law; however, a controller in possession of de-identified data must: (1) take reasonable measures to ensure that the data cannot be associated with an individual; (2) publicly commit to maintaining and using de-identified data without attempting to re-identify the data; and (3) contractually obligate any recipients of the de-identified data to comply with the foregoing requirements.
Enforcement and Penalties
Both laws provide exclusive enforcement authority to each state’s Attorney General; Colorado also permits enforcement by its district attorneys. Prior to January 1, 2025, violators will be permitted 60 days to cure any violation of the privacy law, but following this date no such cure period will be provided. However, under the Connecticut law, beginning January 1, 2025, the Connecticut Attorney General will have discretion to allow violators an opportunity to cure prior to the initiation of an action. Neither law provides individuals a private right of action.
Each state considers a violation of its privacy law to be a deceptive act or practice. Accordingly, civil penalties for a violation under each law may be imposed as follows:
Connecticut:
- Up to $5,000 per willful violation; and
- Up to $25,000 per violation of a restraining order or an injunction.
Colorado:
- Up to $20,000 per violation;
- Up to $50,000 per violation, where such violation was committed against an elderly person; and
- Up to $10,000 per violation of a court order or an injunction.
As evidenced by the above, the risk of a civil penalty for non-compliance under the Colorado law is much greater than that under the Connecticut law. Under both laws, however, these penalties are assessed per violation, so even if multiple violations are related to the same conduct or event, penalties for each individual violation may be imposed separately. Accordingly, any single event could result in numerous violations that will quickly compound the potential penalties imposed and the risk involved.
Contact us for more information.
Your business may have new obligations under the Connecticut and Colorado consumer privacy laws and should implement new practices, procedures, and policies to comply with these new laws before their effective date of July 1, 2023. Baldini Lang LLC has extensive experience working with data privacy laws and assisting clients in mapping out the steps they must take to comply with minimum requirements to best practice standards. Contact us for more information.