Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

Filter

Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.

  • Montana becomes the ninth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 19, the Montana governor signed SB 384 to enact the Consumer Data Privacy Act (CDPA) and establish a framework for controlling and processing consumer personal data in the state. Montana is now the ninth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, Iowa, Indiana, and Tennessee. The CDPA applies to any person that conducts business in the state or produces products or services targeted to state residents and, during a calendar year, (i) controls or processes personal data of at least 50,000 consumers (“excluding personal data controlled or processed solely for the purpose of completing a payment transaction”), or (ii) controls or processes personal data of at least 25,000 consumers and derives 25 percent of gross revenue from the sale of personal data. The CDPA provides several exemptions, including nonprofit organizations, registered securities associations, financial institutions, data governed by the Gramm-Leach-Bliley Act and certain other federal laws, and covered entities governed by the Health Insurance Portability and Accountability Act. Highlights of the CDPA include:

    • Consumers’ rights. Under the CDPA, consumers will be able to access their personal data; correct inaccuracies; request deletion of their data; obtain a copy of their data in a portable format; and opt out of the sale of their data. A consumer may also designate an authorized agent to act on the consumer’s behalf to opt out of the processing of their personal data.
    • Data controllers’ responsibilities. Data controllers under the CDPA will be responsible for, among other things, (i) responding to consumer requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, one for each consumer during a 12-month period; (ii) establishing a process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) establishing clear and conspicuous opt-out methods on a website that require consumers to affirmatively and freely choose to opt out of any processing of their personal data (and allowing for a mechanism that lets consumers revoke consent that is at least as easy as the mechanism used to provide consent); (iv) limiting the collection of data to what is adequate, relevant, and reasonably necessary for a specified purpose; (v) securing personal data from unauthorized access; (vi) processing data in compliance with state and federal anti-discrimination laws; (vii) obtaining consumer consent in order to process sensitive data; (viii) providing clear and meaningful privacy notices; and (ix) conducting data protection assessments and ensuring deidentified data cannot be associated with a consumer. The CDPA also sets forth obligations relating to contracts between a controller and a processor, including ensuring that contracts between a controller and a processor do not waive or limit consumer data rights.
    • No private right of action but enforcement by state attorney general. The CDPA explicitly prohibits a private right of action. Instead, it grants the state attorney general excusive authority to enforce the law.
    • Right to cure. Upon discovering a potential violation of the CDPA, the attorney general must give the data controller notice. The data controller then has 60 days to cure the alleged violation before the attorney general can file suit. The cure provision expires April 1, 2026.

    The CDPA takes effect October 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Montana Consumer Protection

  • Tennessee becomes 8th state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 11, the Tennessee governor signed HB 1181 to enact the Tennessee Information Protection Act (TIPA) and establish a framework for controlling and processing consumers’ personal data in the state. Tennessee is now the eighth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, Iowa, and Indiana. TIPA applies to any person that conducts business in the state or produces products or services targeted to residents and, during a calendar year, (i) controls or processes personal data of at least 100,000 Tennessee residents or (ii) controls or processes personal data of at least 25,000 Tennessee residents and derives 50 percent of gross revenue from the sale of personal data. TIPA provides for several exemptions, including financial institutions and data governed by the Gramm-Leach-Bliley Act and certain other federal laws, as well as covered entities governed by the Health Insurance Portability and Accountability Act. Highlights of TIPA include:

    • Consumers’ rights. Under TIPA, consumers will be able to access their personal data; make corrections; request deletion of their data; obtain a copy of their data in a portable format; request what categories of information were sold or disclosed; and opt out of the sale of their data.
    • Controllers’ responsibilities. Data controllers under TIPA will be responsible for, among other things, (i) responding to consumers’ requests within 45 days unless extenuating circumstances arise and providing requested information free of charge, up to twice annually for each consumer; (ii) establishing an appeals process to allow consumer appeals within a reasonable time period after a controller’s refusal to take action on a consumer’s request; (iii) limiting the collection of data to what is required and reasonably necessary for a specified purpose; (iv) not processing data for reasons incompatible with the specified purpose; (v) securing personal data from unauthorized access; (vi) not processing data in violation of state or federal anti-discrimination laws; (vii) obtaining consumer consent in order to process sensitive data; (viii) ensuring contracts and agreements do not waive or limit consumers’ data rights; and (ix) providing clear and meaningful privacy notices. TIPA also sets forth obligations relating to contracts between a controller and a processor.
    • No private right of action but enforcement by state attorney general. TIPA explicitly prohibits a private right of action. Instead, it grants the state attorney general excusive authority to enforce the law and seek penalties of up to $15,000 per violation and treble damages for willful or knowing violations. The attorney general may also recover reasonable expenses, including attorney fees, for any initiated action.
    • Right to cure. Upon discovering a potential violation of TIPA, the attorney general must give the data controller written notice. The data controller then has 60 days to cure the alleged violation before the attorney general can file suit.
    • Affirmative defense. TIPA establishes an affirmative defense for violations for controllers and processors that adopt a privacy program “that reasonably conforms” to the National Institute of Standards and Technology Privacy Framework and complies with required provisions. Failing “to maintain a privacy program that reflects the controller or processor's data privacy practices to a reasonable degree of accuracy” will be considered an unfair and deceptive act or practice under Tennessee law.

    TIPA takes effect July 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Tennessee Consumer Protection

  • Indiana becomes seventh state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 1, the Indiana governor signed SB 5 to establish a framework for controlling and processing consumers’ personal data in the state. Indiana is now the seventh state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, Utah, and Iowa (covered by Special Alerts here and here and InfoBytes here, here, here, and here). The Act applies to any person that conducts business in the state or produces products or services targeted to residents and, during a calendar year, (i) controls or processes personal data of at least 100,000 Indiana residents or (ii) controls or processes personal data of at least 25,000 Indiana residents and derives more than 50 percent of gross revenue from the sale of personal data. The Act outlines exemptions, including financial institutions and data subject to the Gramm-Leach-Bliley Act, as well as covered entities governed by the Health Insurance Portability and Accountability Act.

    Indiana consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or certain profiling. The Act outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities created on or generated after December 31, 2025, that present a heightened risk of harm to consumers. Under the Act, controllers may not process consumers’ personal data without first obtaining consent, or in the case of a minor, without processing such data in accordance with the Children’s Online Privacy Protection Act. Additionally, the Act sets forth obligations relating to contracts between a controller and a processor.

    While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 30 days to cure the alleged violation before the attorney general can file suit. The attorney general may seek injunctive relief and civil penalties not to exceed $7,500 for each violation.

    The Act takes effect January 1, 2026.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Indiana Consumer Protection COPPA

  • Washington State passes new health data privacy measures

    Privacy, Cyber Risk & Data Security

    On April 27, the Washington State governor signed HB 1155 to enact the My Health My Data Act—a comprehensive health privacy law that provides broad restrictions on the use of consumer health data. The Act is intended to cover health data not covered by the Health Insurance Portability and Accountability Act. The Act defines a regulated entity as any legal entity that conducts business in the state of Washington or engages with Washington residents that (alone or jointly with others) “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data.” Government agencies, tribal nations, and contracted service providers that process such data on behalf of a government agency are exempt. The Act increases privacy protections, and outlines several requirements, such as (i) entities must maintain a consumer health data privacy policy that clearly and conspicuously discloses the categories of health data collected and specifies how the data will be used, collected, and shared (including with third parties and affiliates); (ii) entities must obtain consent from consumers prior to collecting, sharing, and selling their health data; (iii) entities are restricted from geofencing particular locations to collect and sell data; and (iv) entities are required to develop specific privacy disclosures. Consumers are also empowered with the right to have their health data deleted. The Act outlines numerous compliance elements relating to access restrictions, replying to consumers, and processor requirements. The Act also specifies the types of information and documents for which the Act is not applicable. In addition, the Act provides a private right of action to consumers and grants the state attorney general enforcement authority as well.

    The Act is effective July 23. Regulated entities must comply by March 31, 2024, except for certain provisions applicable to small businesses that have until June 30, 2024 to comply.

    Privacy, Cyber Risk & Data Security State Legislation State Issues Washington Consumer Protection Medical Data

  • Iowa becomes sixth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On March 28, the Iowa governor signed SF 262, establishing a framework for controlling and processing consumers’ personal data in the state. Iowa is now the sixth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Connecticut, Virginia, and Utah (covered by Special Alerts here and here and InfoBytes here, here, and here).

    • Consumer rights. Iowa consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) delete their data; (iii) obtain a copy of their personal data processed by a controller (“except as to personal data that is defined as personal information pursuant to section 715C.1 that is subject to security breach protection”); and (iv) opt out of the sale of their data.
    • Controller responsibilities. The Act requires controllers—the persons that determine the purpose and means of processing personal data—to respond to consumers’ requests free of charge within 90 days (the response period may be extended an additional 45 days under extenuating circumstances). A controller must also provide a consumer, without undue delay, of its justification should it decline to take action regarding the consumer’s request, as well as instructions for appealing the decision. Controllers are also required to implement reasonable data security practices to protect the confidentiality, integrity, and accessibility of personal data, and must not process collected sensitive data without notifying the consumer and allowing for the opportunity to opt out of such processing (or in the case of data involving a minor, without processing such data in accordance with the Children’s Online Privacy Protection Act). Controllers may not violate state and federal laws that prohibit discriminatory practices when processing personal data and may not discriminate against a consumer for exercising any of the provided consumer rights. Contacts that purport or waive or limit consumer rights shall be deemed void and unenforceable.
    • Disclosures. Controllers are required to provide consumers “a reasonably accessible, clear, and meaningful privacy notice” that outlines the categories of personal data to be processed, the purpose for processing the data, and how consumers may submit requests to exercise their personal rights (a controller may not require a consumer to create a new account to exercise consumer rights). The privacy notice must also outline the categories of data that may be shared with third parties, as well as the categories of applicable third parties, and clearly disclose when personal data is being sold or used in targeted advertising to allow a consumer the right to opt out of such activity.
    • Processor duties. Processors shall help controllers fulfill their obligations under the Act. A contract established between a controller and a processor will “govern the processor’s data processing procedures with respect to processing performed on behalf of the controller,” and must “clearly set forth instructions for processing personal data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and duties of both parties.”
    • Exemptions and limitations. The Act also outlines various processing exemptions, including those related to pseudonymous data, and addresses certain actions that a controller or processor is able to take with respect to complying with federal, state, or local laws, investigations, or law enforcement agency inquiries, among others. The Act also limits the collection of personal data to what is adequate, relevant and necessary in relation to the purposes for which such data is processed, and requires controllers to implement data security protection practices.
    • Enforcement. Although the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 90 days to cure the alleged violation before the attorney general can file suit. Should the controller or processor continue to violate the Act, the attorney general may seek an injunction and civil penalties of up to $7,500 for each violation.

    The Act takes effect January 1, 2025.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Iowa Consumer Protection

  • Pennsylvania amends privacy bill

    Privacy, Cyber Risk & Data Security

    On November 3, the Pennsylvania governor signed SB 696 to amend the Breach of Personal Information Notification Act. The bill, among other things, prohibits employees of the Commonwealth from using non-secured Internet connections. The bill also includes data storage policy provisions, which establish that an entity that maintains, stores, or manages computerized data on behalf of Pennsylvania that constitutes personal information must develop a policy to govern reasonably proper storage of the personal information. The bill further notes that a goal of the policy must be to reduce the risk of future breaches of the security of the system. The bill is effective 180 days after approval by the governor.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Pennsylvania Data Breach

  • California adopts “first-in-nation” act to safeguard children’s online data and privacy

    Privacy, Cyber Risk & Data Security

    On September 15, the California governor signed into law the California Age-Appropriate Design Code Act (the Act), calling it the “first-in-nation” bill to protect children’s online data and privacy. AB 2273 establishes new legal requirements for businesses that provide online products and services that are “likely to be accessed by children” under 18 years of age based on certain factors. These factors include whether the feature is: (i) “directed to children,” as defined by the Children’s Online Privacy Protection Act (COPPA); (ii) “determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children”; (iii) advertised to children; (iv) is substantially similar to, or the same as, an online service, product, or feature routinely accessed by a significant number of children; (v) designed to appeal to children; or (vi) determined to be, based on internal company research, significantly accessed by children. Notably, in contrast to COPPA, the Act more broadly defines “child” as a consumer who is under the age of 18 (COPPA defines “child” as an individual under 13 years of age).

    The Act also outlines specific requirements for covered businesses, including:

    • Businesses must configure all default privacy settings offered by the online service, product, or feature to one that offers a high level of privacy, “unless the business can demonstrate a compelling reason that a different setting is in the best interests of children”;
    • Businesses must “concisely” and “prominently” provide clear privacy information, terms of service, policies, and community standards suited to the age of the children likely to access the online service, product, or feature;
    • Prior to offering any new online services, products, or features that are likely to be accessed by children before July 1, 2024, businesses must complete a Data Protection Impact Assessment (DPIA) on or before the same date. Businesses must also document any “risk of material detriment to children” that arises from the DPIA, create a mitigation plan, and, upon written request, provide the DPIA to the state attorney general;
    • Businesses must “[e]stimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business or apply the privacy and data protections afforded to children to all consumers”;
    • Should an online service, product, or feature allow a child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location, businesses must provide an obvious signal to the child when the child is being monitored or tracked;
    • Businesses must “[e]nforce published terms, policies and community standards established by the business, including, but not limited to, privacy policies and those concerning children”; and
    • Businesses must provide prominent, accessible, and responsive tools to help children (or their parents/guardians) exercise their privacy rights and report concerns.

    Additionally, covered businesses are prohibited from using a child’s personal information (i) in a way that the business knows, or has reason to know, is materially detrimental to a child’s physical health, mental health, or well-being; or (ii) for any reason other than a reason for which the personal information was collected, unless a business can show a compelling reason that using the personal information is in the “best interests of children.” The Act also places restrictions on profiling, collecting, selling, or sharing children’s geolocation data, or using dark patterns to encourage children to provide personal information beyond what is reasonably expected.

    The Act also establishes the California Children’s Data Protection Working Group, which will study and report to the legislature best practices for implementing the Act, and will also, among other things, evaluate ways to leverage the expertise of the California Privacy Protection Agency in the long-term development of data privacy policies that affect the privacy, rights, and safety of children online. The state attorney general is tasked with enforcing the Act and may seek an injunction or civil penalty against any business that violates its provisions. Violators may be subject to a penalty of up to $2,500 per affected child for each negligent violation, and up to $7,500 per affected child for each intentional violation; however, businesses may be provided a 90-day cure period if they have achieved “substantial compliance” with the Act’s assessment and mitigation requirements.

    The Act takes effect July 1, 2024.

    Privacy, Cyber Risk & Data Security State Issues State Legislation Consumer Protection California COPPA CPPA State Attorney General Enforcement

  • Temporary exemptions under CCPA/CPRA for human resource and business-to-business data set to expire January 1, 2023

    Privacy, Cyber Risk & Data Security

    The California legislative session ended on August 31, foreclosing any chance of the legislature extending temporary exemptions under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) related to human resource and business-to-business data, set to expire January 1, 2023. The legislature proposed several bills throughout the legislative session that would have extend the exemptions, but all of them stalled. In a last-ditch effort, a California assembly member proposed amendments to AB 1102 that would have extended the exemptions to January 1, 2025 if adopted during the August 31 floor session.

    According to the amendments, the CPRA recognized that various rights afforded to consumers under the CCPA and CPRA are not suited to the employment context, and as such, clarified that the CPRA “does not apply to personal information collected by a business about a natural person in the course of the natural person acting within the employment context, including emergency contact information, information necessary to administer benefits, or information collected in the course of business to business communications or transactions.” The amendments attempted to extend the exemption for “personal information that is collected and used by a business solely within the context of having an emergency contact on file, administering specified benefits, or a person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or an independent contractor of that business.” The amendments also proposed extending certain exemptions related to “personal information reflecting a communication or a transaction between a business and a company, partnership, sole proprietorship, nonprofit, or government agency that occurs solely within the context of the business conducting due diligence or providing or receiving a product or service.” Although the amendments did not address the reason for the extension for the business exemption, they stated that while the legislature and advocates continue to engage in discussions concerning the enactment of “robust and implementable privacy protections tailored to the employment context,” extending the exemptions would provide temporary protections around worker monitoring while giving businesses more time to enact these protections. However, the amendments were not adopted, and the exemptions will expire as originally intended on January 1, 2023.

    As previously covered by InfoBytes, the CPRA (largely effective January 1, 2023, with enforcement delayed until July 1, 2023) was approved by ballot measure in November 2020 to amend and build on the CCPA. In July, the California Privacy Protection Agency initiated formal rulemaking procedures to adopt proposed regulations implementing the CPRA (covered by InfoBytes here). CPPA Executive Director Ashkan Soltani said he expects the rulemaking process to extend into the second half of the year.

    Privacy, Cyber Risk & Data Security State Issues State Legislation CCPA CPRA CPPA Agency Rule-Making & Guidance Consumer Protection

  • Connecticut becomes fifth state to enact comprehensive privacy legislation

    Privacy, Cyber Risk & Data Security

    On May 10, the Connecticut governor signed SB 6, establishing a framework for controlling and processing consumers’ personal data in the state. Connecticut is now the fifth state in the nation to enact comprehensive consumer privacy measures, following California, Colorado, Virginia, and Utah (covered by Buckley Special Alerts here and here and InfoBytes here and here). As previously covered by InfoBytes, Connecticut consumers will have the right to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. The Act also outlines data controller responsibilities, including a requirement that controllers must respond to consumers’ requests free of charge within 45 days unless extenuating circumstances arise. The Act also limits the collection of personal data “to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer,” and requires controllers to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. While the Act explicitly prohibits its use as a basis for a private right of action, it does grant the state attorney general exclusive authority to enforce the law. Additionally, upon discovering a potential violation of the Act, the attorney general must give the controller or processor written notice and 60 days to cure the alleged violation before the attorney general can file suit. The Act takes effect July 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Connecticut Consumer Protection

  • Connecticut legislature passes consumer data privacy bill

    Privacy, Cyber Risk & Data Security

    Recently, the Connecticut legislature passed SB 6, which would enact provisions related to consumer data privacy and online monitoring. Highlights of the bill include:

    • Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that, during the preceding calendar year, “controlled or processed the personal data of not less than seventy-five thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction” or “controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue from the sale of personal data.” Certain entities and types of data are exempt from the bill’s requirements, including state governmental entities; nonprofits; higher education institutes; national security associations registered under the Securities Exchange Act of 1934; financial institutions or data subject to federal privacy disclosure requirements; hospitals; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller and processor will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
    • Consumer rights. Under the bill, consumers will be able to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. A consumer may designate another person to serve as his or her authorized agent to opt out of the processing of such consumer’s personal data.
    • Controllers’ and processors’ responsibilities. Under the bill, controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, unless the request is “manifestly unfounded, excessive or repetitive,” in which case a controller may charge a reasonable administrative fee or decline to act on the request (a controller bears the burden of explaining the denial and must also establish an appeals process, including a method through which a consumer may submit a complaint to the state attorney general). Among other things, controllers must “[l]imit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer” and are required to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. Controllers may not process personal data in violation of federal and state laws that prohibit unlawful discrimination against consumers and must provide an effective mechanism for consumers to revoke consent that is at least as easy as the method used to provide consent. Controllers must cease processing data within 15 days of receiving a revocation request. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing de-identified data or pseudonymous data. Data processors must adhere to a controller’s instructions and enter into contracts with clearly specified instructions for processing personal data.
    • Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law. The attorney general may also require a controller to disclose any data protection assessments relevant to an investigation. A violation of the bill’s provisions will constitute an unfair trade practice.
    • Right to cure. Upon discovering a potential violation of the bill, the attorney general (during the period beginning July 1, 2023 through December 31, 2024) must provide a controller or processor written notice of violation. The controller or processor then has 60 days to cure the alleged violation before the attorney general can file suit. Beginning on January 1, 2025, the attorney general, when determining whether to provide a controller or processor the opportunity to cure an alleged violation, may consider the number of violations, the controller/processor’s size and complexity, the nature and extent of the processing activities, the substantial likelihood of public injury, and the safety of persons or property.

    If enacted in its current form, the bill would take effect July 1, 2023.

    Privacy/Cyber Risk & Data Security State Issues State Legislation Connecticut Consumer Protection COPPA State Attorney General Enforcement

Pages

Upcoming Events