Jayne Ponder, Lindsey Tonsager, Libbie Canter & Alexandra Scott of Covington and Burling write:
The Connecticut legislature passed Connecticut SB 6 on April 28, 2022. If signed by the governor, the bill would take effect on July 1, 2023, though the task force created by the bill will be required to begin work sooner.
The bill closely resembles the Colorado Privacy Act, with a few notable additions. Like the Colorado Privacy Act, the bill adopts “controller” and “processor” terminology, provides consumers with rights to access, correct, delete, obtain a copy, and opt-out of certain types of processing of their personal data, and requires consent for certain activities.
Read more at InsidePrivacy.
Over at Workplace Privacy Report, Joseph J. Lazzarotti and Jason C. Gavejian compare SB6 to Virginia’s and summarize some of the key features:
Jurisdictional Scope. The Act would apply to persons that conduct business in Connecticut or that produce products or services that are targeted to residents of Connecticut and that during the preceding calendar year: (i) controlled or processed personal data of at least 75,000 consumers (under the VCDPA this threshold is at least 100,000 Virginians) or (ii) controlled or processed personal data of at least 25,000 consumers and derived over 25 percent of gross revenue from the sale of personal data (50 percent under the VCDPA).
Exemptions. The Act provides exemptions at two levels, the entity level and the data level. Entities exempted from the Act include (i) agencies, commissions, districts, etc. of the state or political subdivisions, (ii) nonprofits, (iii) higher education, (iv) national securities associations, (v) financial institutions or data subject to Gramm-Leach-Bliley Act (GLBA), and (vi) hospitals as defined under Connecticut law. Note that the Act does not include a broad-based, entity-level exemption for covered entities and business associates as defined under HIPAA.
Read more at Workplace Privacy, Data Management & Security Report.