What Does Connecticut’s Consumer Privacy Act Mean for Brand Marketers?
When the Connecticut General Assembly passed the Connecticut Data Privacy Act last week, it became the fifth U.S. state to pass legislation regulating how people’s data is collected and shared online. More so than any previous legislation, Connecticut’s law could have a major impact on the way brand marketers connect with digital consumers.
Provisions allowing consumers to opt out of data sales, targeted advertising, and profiling are more stringent in Connecticut’s legislation than in similar laws passed in California, Utah, Virginia, and Colorado. Connecticut’s law also offers stronger protections for children’s data and biometric data, and it will sunset the right to cure, which means companies won’t be able to fix violations before an enforcement action is initiated.
Privacy expert Dan Clarke says Connecticut’s law arguably has the most consumer-friendly opt-out provision of any state law in the U.S., having removed the authentication requirement from the global opt-out signal and defining a ‘sale’ in the broadest terms.
“While removal of the authentication requirement may not sound significant, especially with Colorado already observing a global privacy control, many companies use this to their advantage by creating additional hurdles for the consumer,” Clarke says. “Typically they’ll require a specific verification — an additional step many companies hope consumers won’t take — to avoid the opt-out.”
With this new requirement, and without additional rulemaking, Clarke says browsers can be set to opt-out as a default.
Connecticut’s legislation targets businesses holding data on more than 100,000 consumers, or those businesses that earn 25% of their annual revenue from the sale of data of more than 25,000 consumers. Without intervention, the Connecticut Data Privacy Act would take effect July 1, 2023.
One major hurdle Clarke sees with Connecticut’s new legislation is the requirement for companies to make it as easy for consumers to revoke consent as it is to provide consent initially.
Many companies have been able to discourage the global opt-out by making authentication an additional step, but under the new Connecticut privacy act, they would no longer be able to do that. Clarke believes this could translate to a significantly higher opt-out rate than what’s been seen in other states.
Connecticut wrote its privacy legislation to be consumer-centric. The focus on reducing steps consumers must take to opt out of data collection reflects that philosophy.
For children’s data, Connecticut’s legislation is especially restrictive. As in Colorado, Connecticut requires websites and companies to obtain parental consent for the collection of personal data from children under 13 years of age. But it also goes further by specifically stating that companies and websites should “not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer’s personal data without the consumer’s consent, under circumstances” where they have knowledge that the consumer is at least 13 years old but younger than 18.
The passage of the Connecticut Data Privacy Act sets the stage for other states to follow suit with additional privacy restrictions that could limit the way brand marketers connect with audiences online.
“As we’ve seen in the past, state privacy laws tend to build off of or borrow elements from one another. Connecticut has now raised the bar on consumer privacy rights, and we may see other states follow suit,” Clarke says. “Now is the time to start planning, especially for assessments and the implications around sensitive data and the global opt-out mechanism — and that’s a technical challenge for many organizations.”
Stephanie Miles is a senior editor at Street Fight.