On May 11, 2022, Connecticut joined the ranks of California, Utah, Colorado, Virginia, Nevada, and Delaware by passing its own privacy law, Connecticut SB6. This new law went into effect on July 1, 2023 and will provide residents of Connecticut with new privacy rights, as well as require certain websites to have a Privacy Policy that makes the disclosures required by this law.
In this Compliance Guide, we will discuss the following with regard to Connecticut’s privacy law:
- Who needs to comply with Connecticut SB6;
- How the law defines personal data;
- The privacy rights provided to Connecticut residents;
- The Privacy Policy requirements of Connecticut SB6;
- The penalties for failure to comply; and
- How Termageddon handles Privacy Policy updates for this new law.
Table of Contents
Who needs to comply with Connecticut SB6?
Connecticut SB6 applies to persons that do business in Connecticut or that provide goods or services that are targeted towards residents of Connecticut and that during the previous year:
- Controlled or processes the personal data of 100,000 or more Connecticut residents; or
- Controlled or processed the personal data of 25,000 or more residents of Connecticut and derived more than 25% of their gross revenue from the sale of personal data.
It is important to note that first, this law does not apply to nonprofit organizations and second, if the law does not apply to you, you may still need to comply with its requirements by contract if you work with larger companies that do need to comply.
How does the law define personal data?
Since Connecticut SB6 applies only to organizations that meet the criteria above and that control or process personal data, it is important to define how this law defines this term. The law defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable individual.” Putting this into website terms, this would mean data such as names, emails and phone numbers that are usually collected through contact forms, eCommerce forms, or newsletter forms as well as IP addresses that are commonly collected through analytics tools.
What privacy rights are provided to residents of Connecticut by this privacy law?
The goal of Connecticut SB6 is to protect the privacy of residents of the state by imposing certain requirements upon businesses and providing residents of Connecticut with privacy rights. The law provides Connecticut residents with the following privacy rights:
- To confirm whether or not a controller is processing the individual’s personal data and to access such personal data;
- Correct inaccuracies in their personal data;
- Delete personal data;
- Obtain a copy of the individual’s personal data in a portable and, to the extent feasible, readily usable format that allows the individual to transfer that data to another business where the processing is carried out by automated means;
- Opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal data and profiling.
Consumers may exercise any of the above rights as soon as the law goes into effect and may even designate and authorized agent to exercise these privacy rights on their behalf. Businesses will have 45 days to respond to such requests (though that may be extended by an additional 45 days if needed). Similar to Virginia and Colorado’s privacy laws, Connecticut SB6 also allows consumers to appeal if they are not satisfied with the business’ response to their privacy rights request.
Connecticut SB6 Privacy Policy requirements
Connecticut SB6 requires businesses to display a Privacy Policy that contains the following disclosures:
- The categories of personal data processed by the business;
- The purposes for which personal data is processed;
- One or more secure and reliable means for consumers to exercise their privacy rights, including how to appeal a decision that was made with regard to a privacy rights request;
- The categories of personal data that are shared with third parties, if any;
- The categories of third parties, if any, with which personal data is shared;
- An active email address that a consumer may use to contact the business;
- If a business sells personal data or processes it for targeted advertisements, the Privacy Policy must disclose this fact, as well as how consumers can opt out of such uses.
Companies will not only need to have a Privacy Policy that has the disclosures above, but will also need to provide a clear and conspicuous link to the Privacy Policy on their websites.
Penalties for failure to comply
The Attorney General of Connecticut has the exclusive authority to enforce this new law. Until December 31, 2024, companies will have the right to cure alleged violations of the law. Once the right to cure expires, the Attorney General may bring enforcement actions against companies that fail to comply.
Termageddon’s plan for Connecticut SB6
If you do not have a Privacy Policy or do not have a strategy to keep it up to date with changes such as this one, check out Termageddon’s Privacy Policy generator.