Connecticut enacts data privacy updates, new law inspired by California’s ‘Delete Act’
Connecticut residents are set to receive new data privacy protections over the next year, after the legislature passed two updates to the state’s 2023 comprehensive privacy law and Gov. Ned Lamont signed a new law Friday inspired by California’s popular “Delete Act.”
The new law, Senate Bill 4, directs the state to develop an accessible, online platform that enables residents to delete their information from registered data brokers with a single click, similar to California’s Delete Request and Opt-out Platform, referred to as DROP, which was legislatively mandated by the state’s novel 2023 privacy law, the Delete Act. Connecticut’s law also requires data brokers operating in the state to join a registry, prohibits the sale of consumers’ geolocation data and places strict limitations on the use of license plate reader technology.
The law goes into effect Oct. 1.
Meanwhile, the updates to the Connecticut Data Privacy Act (CTDPA) were passed and signed by Lamont earlier in May, significantly expanding the scope of the law. Beginning in July, the CTDPA’s applicability threshold will drop from 100,000 to 35,000 Connecticut consumers, and the law will also extend to businesses that process sensitive data or offer personal data for sale, regardless of size.
The amendments also introduce new data protections for minors and offer others for artificial intelligence-related practices. Specifically, they introduce required assessments of certain automated profiling activities and increase transparency around the use of personal data to train AI models.
SB 4 also provides some protections for other technologies, like facial recognition technology and license plate readers, by imposing new safeguards on their use.
The new law formally regulates facial recognition under Connecticut’s privacy framework; requires that businesses post notice when they use the technology, even if it’s for security or fraud-prevention purposes; limits how facial-recognition databases may be maintained; and expands consumer rights related to automated profiling decisions.
Additionally, SB 4 places restrictions on how Connecticut agencies may use and share data from automatic license plate readers, prohibiting state agencies from contracting with vendors that sell or improperly disclose license plate information; shields ALPR records from public disclosure; and prohibits the use of that data for being used for immigration enforcement or investigations involving reproductive or gender-affirming health care.
All three legislative measures come after William Tong, the state’s attorney general, in February released several recommendations for the state’s legislature on data privacy in his third annual report about CTDPA enforcement. This year’s recommendations included narrowing the definition of “publicly available information” — which expands what data and data brokers are covered — and adopting a privacy law specific to genetic data. Tong also recommended expanding the utility of the CTDPA’s universal opt-out provisions and enacting specific safeguards that govern chatbot and AI products, particularly to protect children from manipulation and harm.
Matt Schwartz, a senior policy analyst at Consumer Reports, praised Lamont’s signing of the bill into law. The organization said it helped to build California’s Delete Act and recently released a model bill, the State Location Privacy Act, for states that would ban the sale of consumers’ precise geolocation information.
“This new privacy law will help protect consumers from imminent harm to their safety, autonomy, and finances by making it harder to stalk people, steal their identity, or engage in hyper-targeted marketing for scams. We congratulate the legislature and Governor Lamont for making these critical improvements to the state’s privacy framework,” Schwartz said.
