Governments around the world are trying to establish frameworks for controlling the collection and processing of consumers' personal data. Many states have enacted such frameworks to impose responsibilities and privacy protection standards on companies.
Businesses operating around the world therefore have to familiarize themselves with data protection laws in every jurisdiction they serve. Connecticut, one of the states moving quickly to establish its own data law, grants consumers the right to access, correct, delete, or obtain a copy of their personal data. Additionally, consumer rights under Connecticut's SB893 include opting out of the processing of personal data for specific purposes, including advertising.
The consumer also has the right to obtain a copy of the personal data a company is processing, in whatever form it is processed. Under the Connecticut Consumer Privacy Act (SB 893), consumers also have the right, under certain circumstances, to request rectification or erasure of inaccurate information collected and stored about them.
In this article, we will make sure you understand this new regulation in its entirety.
Connecticut's SB893: Overview
Connecticut's SB893 was introduced by the General Law Committee in 2021 as an act concerning consumer privacy. The provision will be effective starting January 1st, 2023 unless the Committee says otherwise. The Act defines the term “affiliate” as a legal entity that controls, is controlled by, or is under common control with another legal entity, or that shares common branding with it.
Control in this provision refers to ownership of, or the power to vote, more than 50% of the outstanding shares of all classes of the company’s voting securities. Control also means control in any manner over the election of a majority of the directors, or of individuals exercising similar powers. Authentication means the process of verifying the identity of a consumer who exercises a right relating to their personal data.
Biometric data means data generated by automatic measurements of an individual’s biological characteristics. This includes retina or iris scans, fingerprints, and other unique biological measurements. Biometric data does not include digital photographs or audio or video recordings. It also excludes data used and stored for health care treatment, payment, and operations under HIPAA.
Consent under the Connecticut Consumer Privacy Act is a clear affirmative action by which a consumer agrees to the collection, processing, and use of personal data. It may be given by written statement, by electronic means, or by any other effective and reasonable affirmative action.
A consumer is a natural person who is a resident of Connecticut and is acting in an individual or household context. It excludes a natural person acting in a commercial or employment context. The controller in this case is a natural person who, alone or jointly, processes consumer personal data.
Who Does The Connecticut Consumer Privacy Act (SB 893) Apply To?
The Connecticut SB893 Act, like the Florida Data Protection Act, specifies which market actors must comply with its provisions. The Connecticut Consumer Privacy Act applies to all businesses operating within Connecticut's jurisdiction and to those collecting and processing the personal data of Connecticut residents.
It also applies to businesses that collect and process the data of no fewer than 100,000 consumers in a calendar year. Lastly, businesses that control or process the personal data of more than 25,000 consumers and derive more than 50% of their gross revenue from the use of that data must establish a robust data compliance program to keep their operations legitimate.
The Connecticut Consumer Privacy Act exempts several types of companies and entities:
- Financial institutions
- Data subject to Title V of the Gramm-Leach-Bliley Act
- Any business governed by the privacy, security, and breach notification rules from the Department of Health and Human Services
- Non-profit organizations
- Organizations of higher learning
Some data is exempted from this law, as shown below:
- Protected health information under HIPAA
- Patient identification information
- Health records
- Personal data for the purposes of a federal policy
- Information collected as part of human subjects research pursuant to good clinical practice
- Information collected for the purposes of healthcare quality improvement
- Information collected as part of public health reporting or public health surveillance
- Information collected for the purposes of a national security or intelligence activity
- Information collected by the federal government under the Patient Protection and Affordable Care Act
- Information collected as part of a census or survey for statistical purposes
- Health records related to an individual’s participation in a clinical trial
- Consumer information that is not required by law to be kept confidential
- Inventory information from businesses that are under regulatory control of the state
- Information on specific diseases or conditions owned by a hospital or other healthcare provider
If a company works with any of the entities mentioned above, it is still up to the company that collects and processes the personal data to make sure it follows the provisions of the Connecticut Consumer Privacy Act. Even where compliance is not required, it is recommended, to keep your company's data safe and your customers happy.
It’s also important to note that failing to follow any provision on data protection is considered a violation. A violation is a civil violation and can be punished by either an injunction or a fine. To avoid these massive fines, you can hire Helpy today and forget about all the potential legal troubles.
Any information created, obtained, or maintained by an organization in connection with commercial activities, such as credit reports, insurance scores, and criminal history records, is also exempt under this law if it is used solely for commercial activities.
Under the Connecticut Consumer Privacy Act, the consumer has specific rights that are clearly defined. The consumer can write and present a request on the following grounds:
- To correct outdated information or information collected and saved with noticeable mistakes
- To notify the company to delete data collected and processed on their behalf
- To request the disclosure of personal data, including the source of the data and how long it will be stored
- To request that a company not use or disclose his/her personal data for marketing purposes
- To write requesting clarification about data and inquire whether the data is being processed by the controller
- Opt out of data processing for advertising and other marketing purposes
The controller must comply with consumer requests unless the Act provides otherwise, in order to uphold the consumer's rights. The controller is equally required to respond to consumer requests without undue delay, and in any case within 45 days. Conversely, the consumer is expected to submit in writing any request to extend that period by another 45 days.
The controller must take reasonable steps to verify the accuracy of the data and to respond to questions about it. The controller must also provide notice of its policy for granting access to the data, along with information about how the data is collected, used, and disclosed. Controllers must also explain how a consumer can contact them, and must inform the consumer that they are entitled to obtain a copy of their personal data no later than 30 days after the controller receives the request.
The consumer has the right to seek redress through legal action against the controller if the controller fails or refuses to comply with any request the consumer has made.
Fines and Penalties
In the case of non-compliance with the provisions of the Act, the Attorney General can initiate a civil action in the Superior Court. If the company is found to be in violation of the Act's provisions, it can be fined up to $7,000 for each violation.
In conclusion, all qualifying companies in Connecticut, and those operating in or offering services to Connecticut residents, will have to comply with these provisions. Companies must limit data collection to the minimum, meaning they collect only data that is relevant. Otherwise, the Attorney General can be forced to take legal action against the company, leading to a hefty fine.
Consumers have the right to opt out of certain kinds of processing by the controller, so that the data in question is never collected. Additionally, they have the right to ask the controller to delete personal data and to correct data that was wrongly collected or has become outdated.