Chair of the general law committee, Sen. James Maroney, D-Milford, discusses a bill. Sens. Mary Abrams, D-Meriden, and Matt Lesser, D-Middletown, in background. CTMirror.org

4.18.22 - CT Insider

Experts say proposed legislation would feature some of the strongest consumer protections in the country

Connecticut lawmakers are considering a sweeping bill aimed at giving residents more control over sensitive personal data that websites and apps constantly collect, often in ways hidden to the average internet user.

The law would give people the right to access data that companies have collected about them, opt out of the sale of that information and request that it be deleted or corrected if it is inaccurate.

It would feature some of the strongest consumer protections in the country, experts said, particularly for minors under age 18, as well as among the toughest enforcement options.

The proposal has received heightened attention from local lawmakers this session amid growing concern around big data collection and increasing threats to people’s information, including from hacks and other data breaches.

“It’s just really time to get serious about this,” said Nora Duncan, state director for the AARP in Connecticut, which has publicly backed the bill. “I think the requirements it puts forth on how companies have to protect data and the ability it gives consumers to control their own data will make things more secure over time.”

A recent AARP survey found one third of people over 45 said they or a family member had been a victim of a scam or a fraud, Duncan said.

The bill passed out of the Judiciary Committee on Monday. Variations of the legislation have been filed before, but none advanced as far as the bill this session, which closes on May 4.

“People are becoming more aware of how their data is being used,” said the bill’s lead sponsor Sen. James Maroney, D-Milford. “We’re trying to strike the balance of giving consumers good protections. We wanted to make sure that it is possible for companies to comply.”

The proposal has stirred debate, however, amid worries about what the new rules could cost small businesses.

John Blair, associate counsel for the Connecticut Business & Industry Association, pointed to one projection that estimated companies with fewer than 20 employees would incur compliance costs of $50,000 in the first year after the data privacy law passed in California, the first American state to do so; businesses that employ between 100 and 500 were likely to spend $450,000.

Still, Blair said, complying with a law similar to what has already passed in other states would be easier on Connecticut’s businesses.

“The overarching goal for us is that the legislation be consistent with other states,” he said. “We’re monitoring it very closely.”

Particular concern has been raised about how restaurants would be impacted.

“That industry has just been hammered through the pandemic,” said Sen. John Kissel, R-Enfield, who voted in support of the bill on Monday.

Kissel said restaurants collect customer data in order to run day-to-day operations, but they often don’t then monetize it in ways other industries do. “Quite often, they utilize data just to reserve tables and take orders. They’re not really trading in it like other entities.”

Scott Dolch, CEO of the Connecticut Restaurant Association, said in early March that restaurants and other hospitality businesses would face an unknown financial burden to comply with the data protections. 

“Without solid numbers of what the costs will be, how can we be sure passing this legislation won’t force more restaurants to close their doors because compliance is just too costly?” Dolch wrote in his public testimony; he could not be reached for comment last week. 

If the legislation passes, Connecticut could become just the fifth state in the nation to pass such data privacy protections.

Many other states are actively considering data privacy bills of their own. Connecticut is one of nearly two dozen states considering data privacy bills, according to research by the law firm Husch Blackwell.

David Stauss, leader of the law firm’s privacy and cybersecurity practice group, said states have taken on passing their own data privacy laws as Congress has debated, but failed to pass, anything on the national level.

“The reason why you’re seeing so many states do it is because the federal government has not,” Stauss said. “In the absence of federal action, states are jumping in and almost daring the federal government to do something.”

Both red and blue states, meanwhile, have inched proposals forward in recent years, but many have so far struggled to get bills past the finish line.

In 2022 already, eight states have tried to pass data privacy legislation, but failed to do so before their sessions closed, according to Husch Blackwell.

Stauss said of the bills that still have a shot this year, Connecticut has some of the strongest consumer protections that could make it a model for other states. But passing tougher measures is a bigger challenge, he said.

“It is infinitely harder to pass a good privacy bill than it is to pass a bad privacy bill,” he said. 

Stauss pointed to the additional protections for minors up to age 18 in Connecticut’s proposal — a higher standard than other states have adopted. And unlike in other states, businesses would only receive warning of a possible violation until the end of 2024. After that, the Attorney General will be able to decide whether the business deserves a warning before a tougher penalty.

Data privacy legislation began to gain ground in the United States after the European Union passed a sweeping law now referred to as “GDPR,” which took effect in May 2018.

California was the first American state to follow suit with a law that took effect in 2020, although it placed stricter limits on what kind of organizations it applies to than the European rules, according to Thomson Reuters.

Virginia and Colorado followed, passing their own laws in 2021. Utah became the fourth state to approve legislation in late March, widely regarded as more business-friendly than the prior three.

Many large Connecticut-based businesses are already required to comply with the other states’ laws, if they do business in that state.

For example: Charter Communications, based in Stamford, stated in a recent disclosure to investors that the growing number of state proposals “could result in additional network and information security requirements for our business,” but it is unclear what those effects will be.

Maroney said the Connecticut bill most closely resembles Colorado’s law.

The Connecticut bill would apply to any business that “controlled or processed” the data of more than 75,000 consumers each calendar year. The law would set a lower threshold for companies that regularly sell personal data; it would apply to any organization that processes 25,000 consumers’ information if it generates more than a quarter of its revenue from selling personal data.

However, the bill carves out broad exemptions for institutions of higher learning, health care providers, the state government and any nonprofit. It also exempts data collected for the sake of making a simple transaction, and adds additional protections for minors up to age 18 — a higher standard than other states have adopted. Maroney said health care entities in particular are already subject to heavy privacy regulations.

Even as states consider broad legislative efforts, doubts remain about how many citizens would utilize tools the new laws provide them, such as taking the initiative to try to claw back their data.

Requests consumers must submit to tell companies to stop collecting their personal data can be confusing and hard to navigate, depending on the company.

In California, a Consumer Reports survey in 2020 had about 500 residents try to opt out of the sale of their information on various websites. The testers said they were frustrated by the process more than half of the time.

Maureen Mahoney, a senior policy analyst for Consumer Reports, testified in support of the Connecticut bill, but advocated that its provisions go even further by prohibiting the collection and sale of certain personal data altogether. Opt-out laws rely upon individuals “to hunt down and navigate divergent opt-out processes for potentially thousands of different companies,” she said in early March. 

Maroney, the senator, said the bill would give Connecticut consumers a solution by providing a one-stop-shopping option to opt out of having their data collected and sold by any business covered by the law.