Overview
On June 3, 2025, the Connecticut legislature passed a bill amending the Connecticut Data Privacy Act (CTDPA). The amendment introduces a variety of changes, including a broadening of the CTDPA’s applicability, changed exemptions, new definitions and consumer rights, and additional required disclosures in privacy policies. If signed by the governor, the amendments will go into effect on July 1, 2026.
In Depth
BROADENED APPLICABILITY
The CTDPA now applies to entities doing business in Connecticut that 1) process 35,000 consumers’ data; 2) control or process consumers’ sensitive data; or 3) offer consumers’ personal data for sale. This is a significant broadening, as the CTDPA formerly applied only to entities that processed over 100,000 consumers’ data or derived 25% or more of their gross revenue from the sale of data and processed over 25,000 consumers’ data. Data processed solely for payment transactions is excluded from these thresholds.
EXEMPTIONS
The amended CTDPA narrows the Gramm-Leach-Bliley Act exemption to a data-level exemption from the original law’s entity-level exemption. However, the amendments introduce an exemption for bona fide financial institutions like insurers, investment advisors, banks, and credit unions. The amended CTDPA also no longer applies to political committees.
NEW RIGHTS
The amended CTDPA allows consumers to request a variety of new information, including whether any inferences are being made using their data or whether any profiling is occurring using their data. If the profiling is used to significant effect, the consumer may be able to request to review the data used, correct the data, question the result of the decision, request reevaluation of the decision, and be informed of the reasoning for the result. Consumers may now also obtain a list of the third parties to whom a controller has sold the consumer’s data, similar to the rights under Oregon’s and Minnesota’s consumer privacy laws.
DEFINITIONS
Publicly available information now includes information that has been disseminated to the general public from widely distributed media – somewhat broadening the scope of an exception that used to only be applicable to government records and information that a consumer made available to the general public directly.
Sensitive data has had its definition expanded to include data revealing disability or treatment, status as nonbinary or transgender, information derived from genetic or biometric data, neural data, a variety of financial information (including account number, account log-in information, and credit card numbers), and government identification numbers. Information collected from a child is now sensitive if the controller willfully disregards that the individual is a child; the previous version of the law required actual knowledge.
BROADER PERMITTED USES FOR SECONDARY PROCESSING
In order to determine whether consent is required for a secondary processing purpose, the controller must now take into account the following:
- The reasonable expectations of the consumer;
- The similarity between the new processing purpose and the old one;
- The impact the processing may have on the consumer;
- The relationship between the consumer and the controller and the context in which the data was collected; and
- The existence of additional safeguards for the data.
CHANGES TO THE SALE OF DATA
Controllers may no longer sell sensitive personal data without consent. The amended law raises the age for which sale of personal data is prohibited from 16 to 18 and removes the consent exception for sales of data of minors between the ages of 13 and 16.
NEW DISCLOSURES
The amended CTDPA calls for additional disclosures in controllers’ privacy notices, including:
- The categories of third parties to whom data is sold;
- Whether the controller conducts any processing of personal data for targeted advertising;
- Whether the controller sells personal data to a third party for targeted advertising;
- If the controller processes personal data for the purpose of training large language models; and
- When the privacy notice was last updated.
Additionally, consumers must be given the opportunity to withdraw their consent following a material retroactive change to the privacy notice.
IMPACT ASSESSMENTS
Controllers that engage in profiling for the purposes of making a decision that produces a significant effect concerning a consumer will need to conduct impact assessments. Impact assessments must include:
- A statement by the controller disclosing the purposes and intended uses and benefits afforded by the profiling;
- An analysis of whether such profiling poses any reasonable or foreseeable heightened risk to the consumer, and, if so:
  - The nature of the heightened risk; and
  - The steps taken to mitigate the heightened risk;
- A description of the main categories of personal data processed as inputs for the purposes of such profiling and the profiling’s outputs;
- An overview of the main categories of personal data the controller used to customize such profiling if the controller used data to customize such profiling;
- Any metrics used to evaluate the performance and known limitations of such profiling;
- A description of transparency measures; and
- Monitoring and safeguards employed for the profiling.
The definition for a decision that produces a significant effect remains largely the same but has been expanded to note explicitly that it includes decisions made on behalf of the controller in addition to decisions made by the controller. Note that these impact assessments are distinct from the data protection assessments associated with processing that presents a heightened risk of harm.
KEY TAKEAWAYS
- The CTDPA will apply to a significantly larger swath of entities with a much lower applicability threshold.
- Profiling is increasingly becoming a high-compliance-burden activity, with numerous rights given to consumers related to it.
- Impact assessments add another hurdle for entities trying to automate internal processes related to decision making and artificial intelligence.
Our cross-practice team continues to closely monitor global privacy and cybersecurity developments. To learn more, reach out to one of the authors or your regular McDermott lawyer to discuss the potential legal implications for your business.