Luckily, many organizations have already put compliance programs in place for the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), so adding some nuances from other state laws, including Connecticut, will not be as daunting as the first go-round with California's law. (NEW) (Effective July 1, 2023) As used in this section and sections 2 to 11, inclusive, of this act, unless the context otherwise requires: (1) "Affiliate" means a legal entity that . It also defines certain limitations around when companies may reject consumer requests to opt out of data sales, targeted advertising, and profiling.
Potentially one of the most significant differences between the CTDPA and other states' laws may be within the threshold requirements. While a violation of SB 6's requirements constitutes an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA), the private right of action and class action provisions of CUTPA do not extend to violations of SB 6. The 2022 legislative session adjourns today (May 4) and the Governor has 15 days to either sign the CDPA, allow it to become law at the end of the 15-day period without his signature, or veto. SB 6 protects consumers, which are generally defined as Connecticut residents who are not acting (1) in a commercial or employment context, or (2) on behalf of a business, nonprofit, or government agencies (e.g., as an employee). [14] The third and final amendment provides that all civil penalties, expenses, and attorney fees will be paid into the state treasury and credited toward the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund, rather than a separate Consumer Privacy Fund.
Thus, unlike the CCPA (as amended by the California Privacy Rights Act (CPRA)) or UCPA, an entity will not become subject to the law due to its annual revenues or by exceeding a certain revenue requirement.4 However, the CTDPA's 25 percent gross revenue obtained from data sales threshold is a substantial difference from the 50 percent gross revenue limit found in the VCDPA and UCPA. SB 6 requires the General Law Committee, the Connecticut General Assembly committee in charge of matters pertaining to consumer protection, to establish a task force that will provide recommendations pertaining to certain issues, including but not limited to: healthcare data privacy (e.g., information sharing among healthcare and social care providers); children's privacy (e.g., parental consent and parental requests submitted on behalf of a minor); and. If enacted, SB 6 will go into effect on July 1, 2023, with exceptions for certain provisions. [6] By January 1, 2025, data controllers must allow consumers to exercise their opt-out right through an opt-out preference signal. Entities subject to the law will have to provide clear and conspicuous links on their websites giving consumers the choice to opt out of that type of processing and provide a universal opt-out preference signal by January 1, 2025.
In particular, SB 6 would cover entities that collect data on more than 65,000 consumers or those making 25% of their revenue from selling the data on more than 25,000 consumers. A controller must respond to consumers' rights requests without undue delay, and within specific enumerated timelines, subject to verifying the identity of the consumer and authorized agent making the request. Neither the VCDPA nor the CPA specifies the exact manner in which a controller must provide the opt-out right, only that the manner must be clearly and conspicuously disclosed by the controller. Consumer Data Protection Act, extending to both data the individual has provided to the business, and to data obtained from other sources. Connecticut is gearing up to be the next state with a comprehensive privacy law. The CPDPA is designed to establish a framework for controlling and processing personal data. The CTDPA broadly defines the "sale of personal data" to include the exchange of personal data for monetary or "other valuable Overall, the CTDPA has more similarities to Colorado's CPA than Virginia's VCDPA, adopting the Colorado data portability requirement as well as a similar sunset provision and definition of sale of personal data. The CTDPA has comparatively less in common with the CCPA and the UCPA. The Connecticut Attorney General (AG) has exclusive authority to enforce SB 6.
Updates on the CPPA's activities related to rulemaking are available here. Also consistent with the other state data privacy laws, the CPDPA requires that data controllers enter into a written contract with data processors prior to disclosing the personal data, outlining specific instructions for the data processing and data security requirements for the protection of the personal data. The task force will be terminated upon submission of its final report. A consumer may exercise their rights under the bill directly or through another person designated to serve as the consumer's authorized agent. The law excludes 16 different categories of data from its purview, including protected health information under HIPAA, information subject to the Fair Credit Reporting Act, employee and job applicant data, and information protected by the Family Educational Rights and Privacy Act.
part 2),12 (5) a range of clinical research information13 and (6) information originating from and intermingled to be indistinguishable with, or information treated in the same manner as, CTDPA-exempt information that is maintained by a covered entity or business associate or by a Part 2 program or qualified service organization.14 Similar to the other comprehensive state privacy laws, the CTDPA defines personal data as any information that is linked or reasonably linkable to an identified or identifiable individual.15 The law also excludes from the definition de-identified or publicly available information.16 Like the VCDPA, the UCPA, and the CPA, the CTDPA's definition of consumer specifies that an individual must be a Connecticut resident and explicitly excludes individuals acting in a commercial or employment context.
This means information collected in the context of a business-to-business or employment relationship will not be covered by the CTDPA.17 Like the VCDPA and CPA (but unlike the UCPA), the CTDPA requires opt-in consent for the collection and processing of sensitive data.18 The CTDPA defines sensitive data as personal data that reveals (1) racial or ethnic origin, (2) religious beliefs, (3) mental or physical health condition or diagnosis, (4) sex life, (5) sexual orientation, (6) citizenship or immigration status, (7) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (8) children's data and (9) precise geolocation data.19 In its definition of consent, the CTDPA also explicitly excludes dark patterns.20 Much like other state consumer privacy laws as well as the GDPR, consent under the CTDPA must be freely given, specific, informed and unambiguous.21 The CTDPA grants consumers a broad swath of rights. As a relevant example, before California's consumer data privacy act was passed, . On April 28, 2022, the Connecticut House of Representatives voted 144-5 in support of Senate Bill 6, the Connecticut Data Privacy Act ("CDPA" or "Act"), which . It includes both protection of Social Security Numbers and a broad data protection requirement. The law does not apply to nonprofits, state and local governments, higher education institutions, or national securities associations registered under the Securities Exchange Act. Connecticut has joined California, Virginia, Colorado, and Utah in enacting comprehensive data privacy legislation, with a signature from Governor Lamont this week on the Connecticut Data Privacy Act (CTDPA).
[9] Until December 31, 2024, enforcement actions will be subject to a 60-day cure period; thereafter, the attorney general may, but is not required to, provide an opportunity to correct an alleged violation. Gibson, Dunn & Crutcher LLP 2022. The CCPA applies to businesses that conduct business in California and satisfy one or more of the following thresholds: (1) annual gross revenue in excess of $25,000,000 in the preceding year; (2) annually buys, sells or shares personal information of 100,000 or more consumers or households or (3) derives 50 percent or more of its annual revenue from selling or sharing consumers' personal information; S.B. All of these state consumer privacy laws, including the California Consumer Privacy Act (CCPA), involve multiple detailed consumer rights and company obligations that compliance plans will need to account for (see our previous posts here and here). By Linn Foster Freedman on May 12, 2022. Posted in Data Privacy. Connecticut Governor Ned Lamont signed the Personal Data Privacy and Online Monitoring Act (CPDPA) into law on May 10, 2022, making Connecticut the most recent state to pass its own privacy law in the absence of comprehensive federal privacy legislation.
Like its predecessors, Connecticut's law requires controllers to provide consumers with a "reasonably accessible, clear and meaningful privacy notice." Privacy notices must include: The categories of personal data processed by the controller. 08-167, entitled "An Act Concerning the Confidentiality of Social Security . Beginning January 1, 2025, the AG will be able to grant opportunities to cure alleged violations at the AG's discretion, considering the following factors: (1) the number of violations, (2) the controller or processor's size and complexity, (3) the nature and extent of the processing, (4) the substantial likelihood of injury to the public, (5) the safety of persons or property and (6) whether the alleged violation was caused by a human or technical error.51 Additionally, starting September 1, 2022, the Connecticut General Assembly will convene a task force to study a variety of data privacy topics, including (1) information sharing among health care and social care providers, to make recommendations aimed at eliminating health disparities and inequities across sectors, (2) algorithmic decision-making and recommendations to reduce related bias, (3) the possibility of legislation on complying with parent deletion requests under COPPA, (4) age verification of children on social media, (5) data colocation issues, (6) possible expansion of CTDPA and (7) other data privacy topics.52 This task force has until January 1, 2023, to submit its findings and recommendations.53 The CPPA is currently engaging in preliminary information-gathering activities to help inform its rulemaking. There is no private right of action under SB 6. As with other state privacy laws, a major part of complying with the CTDPA involves posting privacy disclosures on a business's website (and anywhere else it collects personal data).
Key Provisions: Connecticut's "An Act Concerning Personal Data Privacy and Online Monitoring" will go into effect on July 1, 2023. Monday, May 2, 2022. The law is quite comprehensive with strict provisions on a data subject's rights to request data deletion and withdraw their consent. 08-167 titled An Act Concerning the Confidentiality of Social Security Numbers, became effective on October 1, 2008. Controllers are responsible for: (1) limiting the collection of data to what is adequate, relevant and reasonably necessary in relation to the purpose for which data is processed (as disclosed to customers), (2) establishing, implementing, and maintaining data security practices, among other requirements, and (3) must offer an effective . The Governor signed HB 5658 into law on June 10, 2008, and it became Public Act No.
The law shares and expands upon provisions of privacy laws recently enacted by Virginia, Utah, Colorado, and California. Specifically, controllers and processors that comply with the requirements of the Children's Online Privacy Protection Act (COPPA) are compliant with any parental consent requirements of the CTDPA.8 Health and life sciences data exemptions: In addition to the exemption for HIPAA covered entities and business associates, the CTDPA includes some specific data-based exemptions particularly relevant to the health and life sciences sector. We will continue to monitor developments in this area, and are available to discuss these issues as applied to your particular business. Like the Virginia and Colorado laws, the CTDPA allows consumers to opt out of the processing of their personal data for purposes of (a) targeted advertising, (b) the sale of personal data, and (c) profiling in furtherance of solely automated decisions that produce similarly significant effects. Connecticut is poised to become the fifth state to pass comprehensive consumer privacy legislation, after California, Virginia, Colorado, and Utah.
The parent or legal guardian of a known child may exercise consumer rights on the child's behalf. Controllers will be required to update their website and other privacy notices to be transparent about the categories of data collected, the purpose of the collection, how consumers can exercise their rights under the law, including an active email address at which to contact the controller, what information is shared with third parties, and the categories of third parties with which the controller shares the information. The bill provides for an enforcement grace period through December 31, 2024, meaning that between July 1, 2023, and December 31, 2024, the AG must provide entities with notice of alleged violations and an opportunity to cure any such violations within the 60-day period following delivery of such notice.
[14] S 534, 2022 Gen. Entity-level exemptions: The CTDPA exempts state and local government entities, nonprofits, institutions of higher education, certain national security associations, financial institutions covered by the Gramm-Leach-Bliley Act (GLBA) and covered entities and business associates as defined under HIPAA.5 Data-based exemptions: Data exempt under the CTDPA includes personal data regulated by the Fair Credit Reporting Act (FCRA), the Driver's Privacy Protection Act (DPPA), the Family Educational Rights and Privacy Act (FERPA), the Farm Credit Act (FCA) and the Airline Deregulation Act (ADA).6 Like the VCDPA and the UCPA, the CTDPA exempts data processed or maintained (1) in the course of an individual applying to, or acting as an employee, agent or independent contractor of a controller, processor or third party, to the extent that the data is collected and used within the context of that role, (2) as emergency contact information for an individual and used for emergency contact purposes, or (3) to administer benefits for another individual and used to administer those benefits.7 Additionally, similar to the VCDPA and UCPA, there is a limited exemption for processing children's data. For the first 18 months of enforcement (until December 31, 2024), the Attorney General must provide notice of a violation at least 60 days before an enforcement action can be made. The CTDPA contains requirements for both controllers and processors, similar to those found in the other state privacy laws.
These disclosures must include the following information: The CTDPA applies to persons that conduct business in Connecticut or persons that produce products or services that are targeted to Connecticut residents and that occurred during the preceding calendar year. The CTDPA is still much stricter than the UCPA, which was notably more business friendly than other state consumer privacy laws. Connecticut follows in the steps of Nevada, California, Virginia, Colorado and Utah in enacting its own comprehensive privacy legislation, with more pending in various state legislatures. Last Updated: September 2022. The IAPP created a timeline of key dates from the comprehensive data privacy laws in California, Colorado, Connecticut, Utah and Virginia. The Connecticut attorney general will have exclusive authority to enforce violations of the CTDPA. The CTDPA contains provisions granting similar rights to consumers, placing obligations on data controllers and processors, and providing exemptions to those obligations as the consumer privacy laws of California, Colorado, Virginia and Utah.
Jurisdiction for violations is solely with the AG. 2023 will be a busy compliance year for state data privacy laws as laws in Virginia, Colorado, Utah, and now Connecticut will all go into effect. Other states are poised to follow in Connecticut's footsteps. Note: Particular dates and deadlines should always be verified. Keypoint: This week the Delaware House passed a data broker bill, the Connecticut Data Privacy Act was sent to the Governor, Louisiana scheduled a hearing Connecticut Data Breach Notification Statute (Full Text) C.G.S.A. Senate Bill ('SB') 6 for An Act Concerning Personal Data Privacy and Online Monitoring was filed, on 16 March 2022, with the Legislative Commissioner's Office. While this list is not all-inclusive, these files provide several helpful starting points: regular The Control Our Data Act (CODA), a discussion draft released by the Republican members of the House Energy and Commerce Committee in November 2021.