Connecticut (and Others) May Soon Have a Comprehensive Privacy Law
Connecticut is on target to be the next state to enact a comprehensive privacy law, following California, Virginia, Colorado, and Utah. The Connecticut General Assembly passed An Act Concerning Personal Data Privacy and Online Monitoring (the Act) on April 28, 2022, and it is currently with the governor awaiting signature. Once signed, the Act will take effect on July 1, 2023.
The Act applies to individuals and entities doing business in Connecticut, or that produce products or services that are targeted to Connecticut residents; and that in the preceding year, controlled or processed the personal data of at least: (a) 100,000 Connecticut residents (excluding for the purpose of completing a payment transaction); or (b) 25,000 Connecticut residents, if the individual or entity derived more than 25% of their annual gross revenue from selling personal data.
The Connecticut law shares many of the features of laws passed in Virginia, Colorado, and Utah. The Act provides consumers certain rights, including rights: (1) to know whether a controller is processing personal data and to opt out of processing of personal data for sales, targeted advertising, or profiling; (2) to access the data maintained; (3) to correct and delete the data; and (4) to obtain a copy of the data. The Act also requires controllers to provide notice to consumers before processing data, to practice data minimization, to safeguard personal data, and in some cases to conduct and document a data protection assessment.
There is no private right of action under the Act, although violations could be considered unfair trade practices under Connecticut’s Unfair Trade Practices Act. The Connecticut Attorney General is tasked with enforcement of the Act. The Act also provides a 60-day cure period for violations reported by December 31, 2024; after that date, the Attorney General has discretion to allowing entities to cure violations.
Many other state legislatures are considering privacy laws and we anticipate other states will pass privacy legislation in the coming months. Given the ever-changing data privacy landscape, the Baker Botts Data Privacy and Security team has put together a table showing the status of some of the key proposals. While passage of these laws is not guaranteed, the recent flurry of new legislation demonstrates the increasing attention that legislatures, both state and federal, are paying to privacy and security concerns.
Pending legislation can change rapidly, with the bills moving in and out of committees, failing key votes, or otherwise being changed through the legislative processes. While we endeavor to provide the most up-to-date information regarding these pending laws, it is possible that the below information becomes outdated since the publication of this alert. If you have a question about pending legislation, our team is ready to provide you with the most current information possible. Please reach out to any of our team members for further assistance.
States with Comprehensive Data Protection Laws
|
California |
California Consumer Privacy Act (CCPA)
California Privacy Rights Act (CPRA) |
CCPA Effective January 1, 2020
CPRA Effective January 1, 2023 |
Provides consumers with right to access, to opt-out of sales and automated decision making, and to correction, deletion, and portability Private right of action Risk assessment requirement Enforcement by new California Privacy Protection Agency |
|
Colorado |
Colorado Privacy Act (SB 190) |
Effective July 1, 2023 |
Provides consumers right of access and to opt-out of sales, and to correction, deletion, and portability No private right of action. Enforced by Attorney General Risk assessment requirement |
|
Utah |
Consumer Privacy Act (SB227) |
Effective Date, December 31, 2023 |
Provides consumers with rights to access, deletion, and opt-out. No private right of action. Enforced by Division of Consumer Protection and Attorney General. |
|
Virginia |
Consumer Data Protection Act; data deletion request (HB381) |
Effective January 1, 2023 |
Amended the Virginia Consumer Data Protection Act to add new exception to a controller’s responsibility to respond to a data deletion request. |
Pending Legislation
|
State |
Pending Legislation |
Status |
Overview |
|
Alaska |
Consumer Data Privacy Act (HB159) Alaska Consumer Information Protection Act (HB 222) |
Pending in House Judiciary Committee Pending in Senate Labor and Commerce Committee Pending in House Labor and Commerce Committee |
Provides consumers with right of access, deletion, and opt-out Enforcement by Attorney General Establishes data broker registration requirements and making violation of the CDPA an unfair/ deceptive practice Focuses on collection and use of personal information |
|
Arizona |
(HB2790) |
Introduced on February 16, 2022 |
Provides consumers with right of access, correction, deletion, and opt-out Enforcement exclusively by Attorney General |
|
Connecticut |
An Act Concerning Personal Data Privacy and Online Monitoring |
Awaiting signature of Governor If signed, effective July 1, 2023 |
Provides consumers right of access and to opt-out of sales, and to correction, deletion, and portability No private right of action. Enforced by Attorney General Risk assessment requirement |
|
Georgia |
Georgia Computer Data Privacy Act (SB394) |
Passed to Senate Committee on Science and Technology on January 27, 2022 |
Provides consumers with rights to access, deletion and opt-out Enforcement by private right of action and Attorney General |
|
Indiana |
Consumer Data Protection (SB358) |
Passed Senate on February 1, 2022. Pending in House Committee on Commerce, Small Business and Economic Development Committee reported amend do pass; adopted |
Provides consumers with right of access, correction, data portability, deletion, and opt-out Enforcement by Attorney General
|
|
Iowa |
Placed on Calendar |
Provides consumers with rights of access, deletion, correction, and opt-out Myriad exceptions that allow for processing of personal data Enforcement exclusively by Attorney General |
|
|
Kentucky |
Consumer Data Privacy (HB9) |
Under Consideration by Judiciary Committee Amended version passed on February 23, 2022 |
Requires notice to consumers of data collection, sharing and selling Provides consumer with rights including access, opt-out, deletion, and correction Enforcement by private right of action |
|
Louisiana |
Louisiana Consumer Privacy Act (HB987) |
Pending under the House Committee on Commerce on April 6, 2022 |
Provides consumer the right to access, obtain, and (delete) personal data, and to opt out of providing data for personal ads |
|
Massachusetts |
Massachusetts Information Privacy and Security Act (S2687) Massachusetts Information Privacy and Security Act (H4514) |
Referred to Senate Committee on Ways and Means on February 14, 2022 Referred to Joint Committee on Healthcare Financing on March 3, 2022 |
Provides consumers with rights of access, deletion, correction, and opt-out Enforcement exclusively by Attorney General
|
|
Michigan |
Consumer Privacy Act (HB5989) |
Referred to the House Committee on Communications and Technology April 12, 2022 |
Establishes privacy rights of consumers, provides notices to consumers regarding the processing and sale of personal data, and establish standards regarding the processing and sale of personal data |
|
Nebraska |
Uniform Personal Data Protection Act (LB1188) |
Public hearing on February 28, 2022 |
Provides consumers with rights of access, data portability, and correction No explicit right to opt-out Allows for “compatible data practices” without data subject consent Enforcement exclusively by Attorney General |
|
New Jersey |
New Jersey Disclosure and Accountability Transparency Act (A505) |
Referred to Assembly Science, Innovation and Technology Committee on January 11, 2022 Introduced in Senate, referred to Senate Commerce Committee on January 11, 2022 Referred to Assembly Science, Innovation and Technology Committee on January 11, 2022
|
Establishes certain requirements for disclosure and processing of personally identifiable information; establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs Requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out Requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out |
|
New York |
New York Privacy Act New York Privacy Act Digital Fairness Act |
Referred to Consumer Affairs and Protection on January 7, 2022 Committed to Internet and Technology Committee on February 8, 2022 Referred to Consumer Affairs and Protection Committee on January 5, 2022 Referred to Consumer Protection Committee on January 6, 2022 Referred to Consumer Affairs and Protection Committee on January 5, 2022 |
Requires companies to disclose methods of deidentifying personal information, places safeguards around data sharing, and allows consumers to obtain the names of entities with whom their information is shared Requires companies to disclose methods of deidentifying personal information, places safeguards around data sharing, and allows consumers to obtain the names of entities with whom their information is shared Amends the general business law, the executive law, the state finance law and the education law, in relation to enacting the “Digital Fairness Act” Allows consumers to request the categories of personal information a business has sold or disclosed to third parties Allows consumers to request the categories of personal information a business has sold or disclosed to third parties |
|
North Carolina |
Consumer Privacy Act (S569) |
Referred to Committee on Rules and Operations of the Senate on April 7, 2022 |
Provides consumer the rights to access, obtain, edit, and delete personal data, and to opt out of providing data for personal ads Establishes data protection policies, limitations on the collection of personal information, and limitations on processing personal data |
|
Ohio |
Ohio Personal Privacy Act |
Re-referred to Government Oversight Committee on February 22, 2022 |
Requires businesses to provide consumers with a notice about the personal data that it processes about the consumer by providing a reasonably accessible, clear, and conspicuously posted privacy policy |
|
Oklahoma |
Oklahoma Computer Data Privacy Act (HB1602) |
Passed House on March 4, 2021 Pending before Senate Judiciary Committee |
Provides consumers with rights of access, deletion, and opt-out Enforcement by Oklahoma Corporation Commission |
|
Pennsylvania |
All pending before House Consumer Affairs Committee |
All bills related to similar subject matter Provide rights of access, deletion, and opt-out HB2257 provides enforcement exclusively by Attorney General |
|
|
Rhode Island |
Data Transparency and Privacy Protection Act (H7400) RI Information Privacy Act (H7917) |
H7400 Introduced on February 9, 2022 Pending before House Innovation, Internet, and Technology Committee March 22, 2022 - Committee recommended measure be held for further study H7917 Introduced on March 7, 2022 March 31, 2022 - Committee recommended measure be held for further study |
Only provides right of access. Requires notice of categories of information collected and categories of third-parties information is shared with Enforcement exclusively by Attorney General Allows individuals to access and learn about what information is stored on them |
|
South Carolina |
South Carolina Biometric Data Privacy Act (H3063) |
Pending in House Committee on Labor, Commerce and Industry (since January 12, 2021) |
Provides for rights of deletion and opt-out for biometric information |
|
Vermont |
Pending in House Committee on Commerce and Economic Development (since January 29, 2021) Pending in House Committee on Commerce and Economic Development (since January 11, 2022) |
Explicitly intended to provide Vermont consumers with the data protections provided by the California Consumer Privacy Act Relates to enhancing data privacy protections for consumers |
|
|
Washington |
Protecting and Enforcing the Foundational Data Privacy Rights of Washingtonians (HB1850)
|
Pending in House Committee on Appropriations
|
Provides consumers with rights of access, correction, deletion, data portability, and opt-out Exceptions for government, air carriers, employers, and certain non-profits Creates a private right of action |
|
West Virginia |
Pending in House Committee on the Judiciary |
Provides consumers with right to opt-out of sale or sharing of personal information |
|
|
Wisconsin |
Passed by Assembly on February 23, 2022 Pending in Senate Committee on Government Operations, Legal Review and Consumer Protection Failed to concur in pursuant to Senate Joint Resolution 1 |
Provides consumers with rights of access, deletion, correction, and opt-out Enforcement exclusively by the Attorney General |
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.
