Press "Enter" to skip to content

Fifth State in the Union Becomes Fifth State to Enact Data Privacy Legislation

Connecticut data privacy legislationOn May 10, Gov. Ned Lamont signed into law Substitute Senate Bill 6 (Public Act 22-15), Connecticut’s version of comprehensive consumer data privacy legislation.  This makes Connecticut the fifth state to enact such legislation, following California, Virginia, Colorado, and Utah.  The Act will go into effect July 1, 2023.


The Act applies to persons that conduct business in Connecticut or persons that produce products or services that are targeted to Connecticut residents and that during the preceding calendar year:

  1. Controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25 percent of their gross revenue from the sale of personal data.

The Act does not apply to:

  1. Nonprofit organizations;
  2. Financial institutions or data subject to the Gramm-Leach-Bliley Act;
  3. Institutions of higher education;
  4. Covered entities and business associates as defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule;
  5. Boards, agencies, and political subdivisions of the state;
  6. National securities associations.

Additionally, the Act exempts the following, as well as other, information and data:

  • Protected health information under HIPAA, and certain other health related data;
  • Personal information used pursuant to the Fair Credit Reporting Act;
  • Data processed or maintained for certain employment purposes.

The Act provides consumers with the right to:

  1. Confirm and access personal information being processed;
  2. Correct inaccuracies;
  3. Delete personal data provided by the consumer or obtained from other sources;
  4. Obtain a portable copy of the consumer’s personal data;
  5. Opt-out of the processing of personal data if the purpose of the processing is: a) targeted advertising; b) sale of personal data; or c) profiling.

A contract between a controller and a processor must ensure:

  1. Each person processing personal data is subject to a duty of confidentiality;
  2. Deletion or return of all personal data at the end of the processor’s provisions of services;
  3. Availability to the controller of information evidencing the processor’s compliance with the Act;
  4. Processor’s contracts with subcontractors are in writing and mirror the obligations of the processor with respect to personal data;
  5. Cooperation from the processor with the controller’s reasonable assessment requirements.

Under the Act, some processing is considered to present a “heightened risk of harm” to consumers:

  1. Processing for the purpose of targeted advertising;
  2. Processing for the purpose of sale;
  3. Processing for the purpose of profiling, in some instances;
  4. Processing sensitive data, such as personal data related to race, religion or health conditions, genetic or biometric data, personal data collected from a known child, and precise geolocation data.

When that is the case, a controller is required to conduct and document a data protection assessment to “identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.”

The Attorney General may require the disclosure of an assessment if relevant to an investigation, but the assessment is confidential and not subject to public disclosure.


The Attorney General has the exclusive authority to enforce the Act but must first provide a 60-day opportunity to cure if, in the Attorney General’s opinion, cure is possible.  The cure provision sunsets Dec. 31, 2024. 

In the absence of a cure, a violation is enforced as an unfair trade practice pursuant to Conn. Gen. Stat. § 42-110b, allowing for a temporary restraining order or permanent injunction which, if violated can result in a civil penalty of not more than $25,000 per violation.  Additionally, a violative act or practice that was willful may result in a civil penalty of not more than $5,000 per violation.


The Act follows the trend of finding balance between the interests of consumers and businesses.  The Act should not present issues for businesses already tooling up for compliance with the other consumer data privacy acts. For more information and insight from Maurice Wutscher on data privacy and security laws and legislation, visit

Print Friendly, PDF & Email

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.