CT privacy bill aims to give internet users more control over sensitive data

Connecticut lawmakers are considering a sweeping bill to give residents more control over the sensitive personal data that websites and apps constantly collect, often hidden from the average internet user.

The law would give people the right to access the data that companies have collected about them, to opt out of the sale of that information, and to request that it be deleted or corrected if it is inaccurate.

It would feature some of the strongest consumer protections in the country, experts said, especially for minors under 18, as well as some of the toughest enforcement options.

The proposal has received increased attention from local lawmakers this session amid growing concern about big data collection and growing threats to people’s information, including hacks and other data breaches.

“It’s really time to take this seriously,” said Nora Duncan, state director for AARP in Connecticut, which has publicly supported the bill. “I think the requirements it places on how businesses must protect data and the ability it gives consumers to control their own data will make things more secure over time.”

A recent AARP survey found that one-third of people over 45 said they or a family member had been the victim of a scam or fraud, Duncan said.

The bill was passed by the Judiciary Committee on Monday. Variants of the legislation have already been tabled, but none have advanced as far as the bill in this session, which ends May 4.

“People are becoming more aware of how their data is being used,” said the bill’s lead sponsor, Sen. James Maroney, D-Milford. “We are trying to find the right balance to provide consumers with good protections. We wanted to make sure it is possible for businesses to comply.”

The proposal has sparked debate, however, amid concerns about what the new rules could cost small businesses.

John Blair, associate attorney for the Connecticut Business & Industry Association, pointed to a projection that companies with fewer than 20 employees would incur compliance costs of $50,000 in the first year after the data privacy law passed in California, the first US state to do so; companies that employ between 100 and 500 were likely to spend $450,000.

Still, Blair said, complying with a law similar to what has already been passed in other states would be easier for Connecticut businesses.

“The overriding goal for us is for the legislation to be consistent with other states,” he said. “We are following this very closely.”

Particular concern has been raised about how restaurants would be affected.

“This industry has just been hammered by the pandemic,” said Sen. John Kissel, R-Enfield, who voted in favor of the bill on Monday.

Kissel said restaurants collect customer data to run day-to-day operations, but they often don’t monetize it like other industries do. “Very often they only use the data to reserve tables and take orders. They don’t really trade in it like other entities.”

Scott Dolch, CEO of the Connecticut Restaurant Association, said in early March that restaurants and other hospitality businesses would face an unknown financial burden to comply with data protections.

“Without solid cost numbers, how can we be sure that passing this legislation won’t force more restaurants to close because compliance simply costs too much?” Dolch wrote in his public testimony; he could not be reached for comment last week.

If the legislation is passed, Connecticut would become just the fifth state in the nation to enact such data privacy protections.

Many other states are actively considering their own data privacy bills. Connecticut is one of nearly two dozen states considering data privacy bills, according to research by law firm Husch Blackwell.

David Stauss, head of the law firm’s privacy and cybersecurity practice group, said states passed their own data privacy laws as Congress debated but failed to adopt anything at the national level.

“The reason you see so many states doing it is because the feds haven’t done it,” Stauss said. “In the absence of federal action, the states step in and almost challenge the federal government to do something.”

Red and blue states, meanwhile, have put forward proposals in recent years, but many have so far struggled to get the bills past the finish line.

Already in 2022, eight states attempted to pass data privacy legislation, but failed to do so before the close of their sessions, according to Husch Blackwell.

Stauss said of the bills that still have a chance this year, Connecticut has some of the strongest consumer protections that could make it a model for other states. But enacting tougher measures is a bigger challenge, he said.

“It is infinitely more difficult to pass a good privacy bill than to pass a bad privacy bill,” he said.

Stauss pointed to the additional protections for minors up to age 18 in Connecticut’s proposal — a higher standard than other states have adopted. And unlike other states, companies would only receive a warning of a possible violation until the end of 2024. After that, the attorney general can decide whether the company deserves a warning before a harsher penalty.

Data privacy legislation began to gain traction in the United States after the European Union passed a sweeping law now called “GDPR”, which took effect in May 2018.

California was the first U.S. state to follow suit with a law that took effect in 2020, though it has imposed stricter limits on the type of organizations it applies to than European rules, according to Thomson Reuters.

Virginia and Colorado followed suit, passing their own laws in 2021. Utah became the fourth state to approve legislation in late March, widely seen as more business-friendly than the previous three.

Many large companies based in Connecticut are already required to comply with the laws of other states, if they do business in that state.

For example: Stamford-based Charter Communications said in a recent investor disclosure that the growing number of state proposals “could lead to additional network and information security requirements for our business,” but it is not known what these effects will be.

Maroney said Connecticut’s bill most closely resembles Colorado’s law.

Connecticut’s bill would apply to any company that “controls or processes” the data of more than 75,000 consumers each calendar year. The law would set a lower threshold for companies that regularly sell personal data; it would apply to any organization that processes 25,000 pieces of consumer information if it generates more than a quarter of its revenue from the sale of personal data.

However, the bill provides broad exemptions for higher education institutions, health care providers, state government, and any nonprofit organization. It also exempts data collected for the purpose of completing a simple transaction and adds additional protections for minors up to age 18 – a higher standard than adopted by other states. Maroney said healthcare entities in particular are already subject to heavy privacy regulations.

Even as states consider extensive legislative efforts, doubts remain about how many citizens would use the tools the new laws provide, such as taking the initiative to try to recover their data.

The requests consumers have to submit to tell companies to stop collecting their personal data can be confusing and difficult to navigate, according to the company.

In California, a 2020 Consumer Reports survey asked about 500 residents to opt out of having their information sold on various websites. Testers said they were frustrated with the process more than half the time.

Maureen Mahoney, senior policy analyst for Consumer Reports, testified in support of the Connecticut bill, but argued for its provisions to go even further by completely prohibiting the collection and sale of certain personal data. Opt-out laws rely on individuals “to track down and navigate divergent opt-out processes for potentially thousands of different companies,” she said in early March.

Maroney, the senator, said the bill would provide Connecticut consumers with a solution by providing a one-stop option to opt out of having their data collected and sold by any company covered by the law.