Party of Five: Connecticut Poised to Pass Fifth U.S. State Privacy Law, Improving Upon Virginia, Colorado

This week, the Connecticut legislature passed Senate Bill 6, an ‘Act Concerning Personal Data Privacy and Online Monitoring.’ If SB 6 is enacted by Governor Lamont, Connecticut will follow California, Virginia, Colorado, and Utah as the fifth U.S. state to adopt a baseline regime for the governance of personal data. The law would come into effect on July 1, 2023.

Connecticut’s privacy bill goes beyond existing state privacy laws by directly limiting the use of facial recognition technology, establishing default protections for adolescent data, and strengthening consumer choice, including through requiring recognition of many global opt-out signals. Nevertheless, a federal privacy law remains necessary to ensure that all Americans are guaranteed strong, baseline protections for the processing of their personal information.

-Keir Lamont, Senior Counsel, Future of Privacy Forum

While SB 6 is similar to laws recently passed in Colorado and Virginia, it contains several significant expansions of consumer privacy rights. In addition to core requirements to obtain affirmative consent to process sensitive personal information; consumer rights to opt out of targeted advertising, data sales, and certain profiling decisions; and obligations for businesses to conduct risk assessments and meet purpose specification and data minimization standards, the bill includes:

• Clear limits on facial recognition technology: SB 6 would designate biometric data generated from photographs or videos for the unique purpose of identifying a specific individual as a category of sensitive information subject to affirmative consent requirements. In contrast, other recently adopted comprehensive state privacy laws either do not require consent for facial recognition (California), do not define the term “biometric data” (Colorado), or contain ambiguous language (Virginia).
• Default protections for adolescent data: Connecticut would join California as the only states to require consent for the monetization of the data of children aged 13 to 15.
• Global opt-out signals and stronger consumer opt-out rights: SB 6 would strengthen individual controls by limiting the circumstances where businesses may reject consumer requests to opt out of data sales, targeted advertising, and profiling. Connecticut would also join Colorado as the only state laws to clearly, explicitly require the recognition of ‘global’ signals exercising these opt-out rights.
• Explicit right to revoke consent: SB 6 goes beyond other state privacy laws by explicitly requiring companies to provide an easy-to-use mechanism allowing consumers to revoke consent for certain high-risk processing of personal data.

Like other state privacy laws, enforcement of SB 6 would be left to the exclusive discretion of the state Attorney General. However, the bill does not provide for future rulemaking, which may limit the ability of SB 6 to adapt to emerging technologies and business practices, and could prevent harmonization with other state approaches on complicated multi-jurisdictional compliance topics, such as global opt-out preference signals. Finally, along with the much weaker Utah Consumer Privacy Act enacted earlier this year, Connecticut’s SB 6 appears to solidify a trend of emerging state privacy laws iterating on the Virginia-Colorado legislative framework, rather than following the narrower regulatory model under development in California.