Connecticut Amends Data Breach Notification and Data Protection Laws | Practical Law

Connecticut Amends Data Breach Notification and Data Protection Laws | Practical Law

Connecticut has amended several laws protecting personal information, including its data breach notification law to expand the personal information definition and clarify when covered entities can provide substitute notice, and its data security law to clarify that it does not create a private right of action even though violations are unfair trade practices. It also amended the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) to clarify when data controllers must obtain consent from minors.

Connecticut Amends Data Breach Notification and Data Protection Laws

Practical Law Legal Update w-039-8223 (Approx. 4 pages)

Connecticut Amends Data Breach Notification and Data Protection Laws

by Practical Law Data Privacy & Cybersecurity
Published on 19 Jun 2023Connecticut
Connecticut has amended several laws protecting personal information, including its data breach notification law to expand the personal information definition and clarify when covered entities can provide substitute notice, and its data security law to clarify that it does not create a private right of action even though violations are unfair trade practices. It also amended the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) to clarify when data controllers must obtain consent from minors.
On June 14, 2023, Connecticut Governor Ned Lamont signed SB 1058, a collection of different statutory amendments recommended by the Connecticut's Attorney General (AG), including to the state's data breach notification and general data security statutes (Conn. Gen. Stat. Ann. § 36a-701b and 42-471), and to the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) (Conn. Gen. Stat. Ann. §§ 42-515 to 42-525).

Data Breach Notification Amendments

Section 4 of SB 1058 expands the data breach notification statute's personal information definition to include precise geolocation data, adopting the CTDPA's definition of that term.
It also clarifies that:
  • The covered entity's notice to the AG must demonstrate the reason it may provide a substitute notice, namely that:
    • the cost of providing individual notices would exceed $250,000;
    • the affected class to notify exceeds 500,000 persons; or
    • the covered entity lacks sufficient contact information.
  • The AG may deposit any civil penalties collected for data breach notification law violations into the state's privacy protection guaranty and enforcement account created under Conn. Gen. Stat. Ann. § 42-472a.
The data breach notification statute amendments take effect October 1, 2023. For more on Connecticut's data breach notification statute, see State Q&A, Data Breach Notification Laws: Connecticut.

Data Security and CTDPA Amendments

Section 5 of SB 1058 amends the state's general data security statute to clarify that:
  • Violations of the statute are considered an unfair trade practice under Conn. Gen. Stat. Ann. § 42-110b.
  • The statute does not create a private right of action.
Section 6 of SB 1058 amends the CTDPA to clarify that the requirement to obtain consent before processing, selling, or using for targeted advertising purposes, personal data from consumers aged 13 to 15, applies when the data controller either:
  • Actually knows the consumer's age.
  • Willfully disregards the consumer's age.
The CTDPA and general data security statute amendments take effect July 1, 2023. For more on the CTDPA, see Practice Note, Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) Quick Facts: Overview.