The first major U.S. state to pass a comprehensive data privacy law was California with the passing of CCPA. The California Consumer Privacy Act (CCPA) is a data privacy law that was passed in California in 2018. The CCPA went into effect on January 1, 2020 and grants California residents certain rights with respect to their personal information.
Under the CCPA, businesses that collect or process personal information of California residents must provide consumers with certain disclosures and rights, including:
Notice: Businesses must provide consumers with a notice at or before the point of collection of their personal information that describes the categories of personal information being collected and the purposes for which the information will be used.
Right to Know: Consumers have the right to request that businesses disclose the categories and specific pieces of personal information that they have collected about them, as well as the sources from which the information was collected and the purposes for which it was collected.
Right to Delete: Consumers have the right to request that businesses delete their personal information, subject to certain exceptions.
Opt-Out: Consumers have the right to opt-out of the sale of their personal information.
Non-Discrimination: Businesses are prohibited from discriminating against consumers who exercise their CCPA rights.
The CCPA applies to businesses that meet certain criteria, including having annual gross revenues of more than $25 million, collecting personal information of 50,000 or more consumers, households, or devices, or deriving 50% or more of their annual revenues from the sale of personal information.
In addition to these requirements, the CCPA also requires businesses to implement certain security measures to protect personal information against unauthorized access, disclosure, or destruction.
Overall, the CCPA is one of the most comprehensive data privacy laws in the United States and has set the standard for other state-level data privacy laws, such as Virginia's Consumer Data Protection Act and New York's proposed Biometric Privacy Act. And most notably, legislation proposed in Connecticut.
Connecticut Data Privacy
Connecticut does not currently have a comprehensive data privacy law, but it has recently proposed a new data privacy law known as the "Act Concerning Data Privacy" (Senate Bill 893). The bill was introduced in January 2021 and is currently being reviewed by the state legislature.
If passed, the new law would require businesses that collect or process personal data of Connecticut residents to comply with certain data privacy requirements, including:
Transparency: Businesses would need to provide individuals with clear and concise notices about the types of personal data being collected, the purposes for which it is being collected, and with whom it is being shared.
Access: Businesses would need to provide individuals with the right to access, correct, and delete their personal data.
Security: Businesses would need to implement reasonable security measures to protect personal data against unauthorized access, disclosure, or destruction.
Data Breach Notification: Businesses would need to notify individuals and the Connecticut Attorney General in the event of a data breach.
De-identification: Businesses would need to de-identify or destroy personal data when it is no longer needed for the purposes for which it was collected.
The proposed law would apply to businesses that collect or process personal data of Connecticut residents, regardless of where the business is located. It would also create a private right of action for individuals to sue businesses for violations of the law.
Overall, the Act Concerning Data Privacy is similar to other data privacy laws that have been passed in other states and at the federal level. If passed, it would provide Connecticut residents with greater control over their personal data and increase the accountability of businesses that collect and process personal data.