Thought Leadership

Connecticut (and Others) May Soon Have a Comprehensive Privacy Law

Client Updates

Connecticut is on target to be the next state to enact a comprehensive privacy law, following California, Virginia, Colorado, and Utah. The Connecticut General Assembly passed An Act Concerning Personal Data Privacy and Online Monitoring (the Act) on April 28, 2022, and it is currently with the governor awaiting signature. Once signed, the Act will take effect on July 1, 2023.

The Act applies to individuals and entities doing business in Connecticut, or that produce products or services that are targeted to Connecticut residents; and that in the preceding year, controlled or processed the personal data of at least: (a) 100,000 Connecticut residents (excluding for the purpose of completing a payment transaction); or (b) 25,000 Connecticut residents, if the individual or entity derived more than 25% of their annual gross revenue from selling personal data.

The Connecticut law shares many of the features of laws passed in Virginia, Colorado, and Utah. The Act provides consumers certain rights, including rights: (1) to know whether a controller is processing personal data and to opt out of processing of personal data for sales, targeted advertising, or profiling; (2) to access the data maintained; (3) to correct and delete the data; and (4) to obtain a copy of the data. The Act also requires controllers to provide notice to consumers before processing data, to practice data minimization, to safeguard personal data, and in some cases to conduct and document a data protection assessment.

There is no private right of action under the Act, although violations could be considered unfair trade practices under Connecticut’s Unfair Trade Practices Act. The Connecticut Attorney General is tasked with enforcement of the Act. The Act also provides a 60-day cure period for violations reported by December 31, 2024; after that date, the Attorney General has discretion to allowing entities to cure violations.

Many other state legislatures are considering privacy laws and we anticipate other states will pass privacy legislation in the coming months. Given the ever-changing data privacy landscape, the Baker Botts Data Privacy and Security team has put together a table showing the status of some of the key proposals. While passage of these laws is not guaranteed, the recent flurry of new legislation demonstrates the increasing attention that legislatures, both state and federal, are paying to privacy and security concerns.

Pending legislation can change rapidly, with the bills moving in and out of committees, failing key votes, or otherwise being changed through the legislative processes. While we endeavor to provide the most up-to-date information regarding these pending laws, it is possible that the below information becomes outdated since the publication of this alert. If you have a question about pending legislation, our team is ready to provide you with the most current information possible. Please reach out to any of our team members for further assistance.

States with Comprehensive Data Protection Laws

California

California Consumer Privacy Act

(CCPA)

 

California Privacy Rights Act

(CPRA)

CCPA

Effective January 1, 2020

 

CPRA

Effective January 1, 2023

Provides consumers with right to access, to opt-out of sales and automated decision making, and to correction, deletion, and portability

Private right of action

Risk assessment requirement

Enforcement by new California Privacy Protection Agency

Colorado

Colorado Privacy Act

(SB 190)

Effective July 1, 2023

Provides consumers right of access and to opt-out of sales, and to correction, deletion, and portability

No private right of action. Enforced by Attorney General

Risk assessment requirement

Utah

Consumer Privacy Act (SB227)

Effective Date, December 31, 2023

Provides consumers with rights to access, deletion, and opt-out.

No private right of action. Enforced by Division of Consumer Protection and Attorney General.

Virginia

Consumer Data Protection Act; data deletion request (HB381)

Effective January 1, 2023

Amended the Virginia Consumer Data Protection Act to add new exception to a controller’s responsibility to respond to a data deletion request.


Pending Legislation


State

Pending Legislation

Status

Overview

Alaska

Consumer Data Privacy Act (HB159)

SB116

Alaska Consumer Information Protection Act

(HB 222)

Pending in House Judiciary Committee

Pending in Senate Labor and Commerce Committee

Pending in House Labor and Commerce Committee

Provides consumers with right of access, deletion, and opt-out

Enforcement by Attorney General

Establishes data broker registration requirements and making violation of the CDPA an unfair/ deceptive practice

Focuses on collection and use of personal information

Arizona

(HB2790)

Introduced on February 16, 2022

Provides consumers with right of access, correction, deletion, and opt-out

Enforcement exclusively by Attorney General

Connecticut

An Act Concerning Personal Data Privacy and Online Monitoring

(Public Act 22-15)

Awaiting signature of Governor

If signed, effective July 1, 2023

Provides consumers right of access and to opt-out of sales, and to correction, deletion, and portability

No private right of action. Enforced by Attorney General

Risk assessment requirement

Georgia

Georgia Computer Data Privacy Act

(SB394)

Passed to Senate Committee on Science and Technology on January 27, 2022

Provides consumers with rights to access, deletion and opt-out

Enforcement by private right of action and Attorney General

Indiana

Consumer Data Protection (SB358)

Passed Senate on February 1, 2022.

Pending in House Committee on Commerce, Small Business and Economic Development

Committee reported amend do pass; adopted

Provides consumers with right of access, correction, data portability, deletion, and opt-out

Enforcement by Attorney General

 

Iowa

House File 2506

Placed on Calendar

Provides consumers with rights of access, deletion, correction, and opt-out

Myriad exceptions that allow for processing of personal data

Enforcement exclusively by Attorney General

Kentucky

Consumer Data Privacy

(HB9)

Under Consideration by Judiciary Committee

Amended version passed on February 23, 2022

Requires notice to consumers of data collection, sharing and selling

Provides consumer with rights including access, opt-out, deletion, and correction

Enforcement by private right of action

Louisiana

Louisiana Consumer Privacy Act

(HB987)

Pending under the House Committee on Commerce on April 6, 2022

Provides consumer the right to access, obtain, and (delete) personal data, and to opt out of providing data for personal ads

Massachusetts

Massachusetts Information Privacy and Security Act (S2687)

Massachusetts Information Privacy and Security Act

(H4514)

Referred to Senate Committee on Ways and Means on February 14, 2022

Referred to Joint Committee on Healthcare Financing on March 3, 2022

Provides consumers with rights of access, deletion, correction, and opt-out

Enforcement exclusively by Attorney General

 

Michigan

Consumer Privacy Act

(HB5989)

Referred to the House Committee on Communications and Technology April 12, 2022

Establishes privacy rights of consumers, provides notices to consumers regarding the processing and sale of personal data, and establish standards regarding the processing and sale of personal data

Nebraska

Uniform Personal Data Protection Act

(LB1188)

Public hearing on February 28, 2022

Provides consumers with rights of access, data portability, and correction

No explicit right to opt-out

Allows for “compatible data practices” without data subject consent

Enforcement exclusively by Attorney General

New Jersey

New Jersey Disclosure and Accountability Transparency Act (A505)

S332

A1971

Referred to Assembly Science, Innovation and Technology Committee on January 11, 2022

Introduced in Senate, referred to Senate Commerce Committee on January 11, 2022

Referred to Assembly Science, Innovation and Technology Committee on January 11, 2022

 

 

Establishes certain requirements for disclosure and processing of personally identifiable information; establishes Office of Data Protection and Responsible Use in Division of Consumer Affairs

Requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out

Requires commercial Internet websites and online services to notify consumers of collection and disclosure of personally identifiable information and allows consumers to opt out

New York

New York Privacy Act

(A680B)

New York Privacy Act

(S6701A)

Digital Fairness Act

(A6042)

S567

A3709

Referred to Consumer Affairs and Protection on January 7, 2022

Committed to Internet and Technology Committee on February 8, 2022

Referred to Consumer Affairs and Protection Committee on January 5, 2022

Referred to Consumer Protection Committee on January 6, 2022

Referred to Consumer Affairs and Protection Committee on January 5, 2022

Requires companies to disclose methods of deidentifying personal information, places safeguards around data sharing, and allows consumers to obtain the names of entities with whom their information is shared

Requires companies to disclose methods of deidentifying personal information, places safeguards around data sharing, and allows consumers to obtain the names of entities with whom their information is shared

Amends the general business law, the executive law, the state finance law and the education law, in relation to enacting the “Digital Fairness Act”

Allows consumers to request the categories of personal information a business has sold or disclosed to third parties

Allows consumers to request the categories of personal information a business has sold or disclosed to third parties

North Carolina

Consumer Privacy Act (S569)

Referred to Committee on Rules and Operations of the Senate on April 7, 2022

Provides consumer the rights to access, obtain, edit, and delete personal data, and to opt out of providing data for personal ads

Establishes data protection policies, limitations on the collection of personal information, and limitations on processing personal data

Ohio

Ohio Personal Privacy Act

(HB376)

Re-referred to Government Oversight Committee on February 22, 2022

Requires businesses to provide consumers with a notice about the personal data that it processes about the consumer by providing a reasonably accessible, clear, and conspicuously posted privacy policy

Oklahoma

Oklahoma Computer Data Privacy Act

(HB1602)

Passed House on March 4, 2021

Pending before Senate Judiciary Committee

Provides consumers with rights of access, deletion, and opt-out

Enforcement by Oklahoma Corporation Commission

Pennsylvania

HB1126

HB2202

HB2257

All pending before House Consumer Affairs Committee

All bills related to similar subject matter

Provide rights of access, deletion, and opt-out

HB2257 provides enforcement exclusively by Attorney General

Rhode Island

Data Transparency and Privacy Protection Act (H7400)

RI Information Privacy Act

(H7917)

H7400

Introduced on February 9, 2022

Pending before House Innovation, Internet, and Technology Committee

March 22, 2022 - Committee recommended measure be held for further study

H7917

Introduced on March 7, 2022

March 31, 2022 - Committee recommended measure be held for further study

Only provides right of access. Requires notice of categories of information collected and categories of third-parties information is shared with

Enforcement exclusively by Attorney General

Allows individuals to access and learn about what information is stored on them

South Carolina

South Carolina Biometric Data Privacy Act

(H3063)

Pending in House Committee on Labor, Commerce and Industry (since January 12, 2021)

Provides for rights of deletion and opt-out for biometric information

Vermont

H.160

H.570

Pending in House Committee on Commerce and Economic Development (since January 29, 2021)

Pending in House Committee on Commerce and Economic Development (since January 11, 2022)

Explicitly intended to provide Vermont consumers with the data protections provided by the California Consumer Privacy Act

Relates to enhancing data privacy protections for consumers

Washington

Protecting and Enforcing the Foundational Data Privacy Rights of Washingtonians (HB1850)

 

Pending in House Committee on Appropriations

 

 

Provides consumers with rights of access, correction, deletion, data portability, and opt-out

Exceptions for government, air carriers, employers, and certain non-profits

Creates a private right of action

West Virginia

HB4454

Pending in House Committee on the Judiciary

Provides consumers with right to opt-out of sale or sharing of personal information

Wisconsin

2021 Assembly Bill 957

Passed by Assembly on February 23, 2022

Pending in Senate Committee on Government Operations, Legal Review and Consumer Protection

Failed to concur in pursuant to Senate Joint Resolution 1

Provides consumers with rights of access, deletion, correction, and opt-out

Enforcement exclusively by the Attorney General


ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.

Related Professionals