InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Connecticut legislature passes consumer data privacy bill
Recently, the Connecticut legislature passed SB 6, which would enact provisions related to consumer data privacy and online monitoring. Highlights of the bill include:
- Applicability. The bill will apply to a controller that conducts business in the state or produces products or services for consumer residents that, during the preceding calendar year, “controlled or processed the personal data of not less than seventy-five thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction” or “controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue from the sale of personal data.” Certain entities and types of data are exempt from the bill’s requirements, including state governmental entities; nonprofits; higher education institutes; national security associations registered under the Securities Exchange Act of 1934; financial institutions or data subject to federal privacy disclosure requirements; hospitals; certain types of health information subject to federal health privacy laws; consumer reporting agencies, furnishers, and consumer report users of information involving personal data bearing on a consumer’s credit; personal data regulated by certain federal regulations; and air carriers. Additionally, a controller and processor will be considered to be in compliance with the bill’s parental consent obligations provided it complies with verifiable parental consent mechanisms under the Children’s Online Privacy Protection Act.
- Consumer rights. Under the bill, consumers will be able to, among other things, (i) confirm whether their personal data is being processed and access their data; (ii) correct inaccuracies; (iii) delete their data; (iv) obtain a copy of personal data processed by a controller; and (v) opt out of the processing of their data for targeted advertising, the sale of their data, or profiling to assist solely automated decisions. A consumer may designate another person to serve as his or her authorized agent to opt out of the processing of such consumer’s personal data.
- Controllers’ and processors’ responsibilities. Under the bill, controllers will be responsible for responding to consumers’ requests within 45 days (an additional 45-day extension may be requested under certain circumstances). Responses to consumers’ requests must be provided free of charge, unless the request is “manifestly unfounded, excessive or repetitive,” in which case a controller may charge a reasonable administrative fee or decline to act on the request (a controller bears the burden of explaining the denial and must also establish an appeals process, including a method through which a consumer may submit a complaint to the state attorney general). Among other things, controllers must “[l]imit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer” and are required to implement data security protection practices “appropriate to the volume and nature of the personal data at issue” and conduct data protection assessments for processing activities that present a heightened risk of harm to consumers. Controllers may not process personal data in violation of federal and state laws that prohibit unlawful discrimination against consumers and must provide an effective mechanism for consumers to revoke consent that is at least as easy as the method used to provide consent. Controllers must cease processing data within 15 days of receiving a revocation request. The bill also requires controllers to provide privacy notices to consumers disclosing certain information regarding data collection and sharing practices (including sharing with third parties), and if the controller sells a consumer’s personal data to third parties or engages in targeted advertising, the controller must disclose how consumers may exercise their rights under the bill. Controllers also will be prohibited from processing sensitive personal data without first presenting a consumer with the opportunity to opt out. The bill further specifies requirements for processing de-identified data or pseudonymous data. Data processors must adhere to a controller’s instructions and enter into contracts with clearly specified instructions for processing personal data.
- Private right of action and state attorney general enforcement. The bill explicitly prohibits a private right of action. Instead, it grants the state attorney general exclusive authority to enforce the law. The attorney general may also require a controller to disclose any data protection assessments relevant to an investigation. A violation of the bill’s provisions will constitute an unfair trade practice.
- Right to cure. Upon discovering a potential violation of the bill, the attorney general (during the period beginning July 1, 2023 through December 31, 2024) must provide a controller or processor written notice of violation. The controller or processor then has 60 days to cure the alleged violation before the attorney general can file suit. Beginning on January 1, 2025, the attorney general, when determining whether to provide a controller or processor the opportunity to cure an alleged violation, may consider the number of violations, the controller/processor’s size and complexity, the nature and extent of the processing activities, the substantial likelihood of public injury, and the safety of persons or property.
If enacted in its current form, the bill would take effect July 1, 2023.
Collection agency must pay $100,000
On January 10, the Connecticut Department of Banking (Department) issued an order against a California-based collection agency (respondent) for failing to request a hearing within the prescribed time period after a notice regarding submission of certain information was sent by the Department. According to the order, the Department sent the respondent an information request and after requesting additional time to supply the information, the respondent notified the Department that it was voluntarily surrendering its license to collect in Connecticut. However, the respondent still failed to submit the requested information, which the state said is mandatory before it would consider the surrender of the respondent’s license. The Department ordered the respondent to cease and desist from violating Section 36a-17(e) of the Connecticut General Statutes and to pay a $100,000 civil money penalty. The Department also revoked the respondent’s license to act as a consumer collection agency in Connecticut.
Creditor must pay fine for collecting debts under a different name
Recently, the Connecticut Department of Banking entered into a consent order with a North Carolina-based company resolving allegations that it violated Connecticut collection practices laws and regulations by allegedly using a name other than the company’s legal name when collecting unpaid debts without a Connecticut consumer collection agency license. The Department’s investigation stemmed from a newspaper article in which a Connecticut resident complained that he received bills from a company in an attempt to collect $314 for a Covid-19 test. The company responded to the Department’s inquiry by stating that a collection agency license was not required because the collections were made by an in-house division of the company, and not on behalf of a third party. The company also cited cases in which federal courts dismissed similar allegations under the federal FDCPA. After an investigation, the Department alleged that the company constituted as a “creditor” and by using a different name, was in violation of the Regulations of Connecticut State Agencies, “which prohibits the use of any business, company or organization name other than the true name of the creditor’s organization.” The consent order requires that the company pay a civil money penalty of $10,000 and that the company cease and desist from using any name other than its true legal name to collect debts.
Connecticut Department of Banking extends work from home guidance for licensees
On March 1, the Connecticut Department of Banking issued a memorandum extending through June 30, 2021, its no-action position (previously discussed here, here, and here) with respect to various licensees temporarily working from home during Covid-19, provided that certain criteria set forth in the memorandum are met.
Connecticut extends eviction moratorium
On August 21, the Connecticut governor issued Executive Order No. 7000, which, among other things, extends the eviction moratorium set forth in previous executive orders, subject to certain modifications (previously discussed here). Pursuant to the modifications, a landlord of a dwelling unit is prohibited from delivering a notice to quit or serve or return a summary process action until October 1, 2020, subject to certain exceptions.
Connecticut Department of Banking extends work from home guidance for licensees
On August 21, the Connecticut Department of Banking issued a memorandum extending through December 31, 2020, its no-action position (previously discussed here and here) with respect to various licensees temporarily working from home during Covid-19, provided that certain criteria set forth in the memorandum are met.
Connecticut governor authorizes creation of temporary mortgage and rental assistance programs
On July 13, the Connecticut governor issued Executive Order No. 7GGG, which authorizes the Connecticut Department of Housing to create a temporary rental housing assistance program for tenants who meet criteria established by the department. The order also authorizes the Connecticut Housing Finance Authority to create a temporary mortgage assistance program for borrowers who meet certain criteria to be established by the department to mitigate the effects of the Covid-19 pandemic.
Work-from-home no action position extended by Connecticut banking commissioner
On June 19, the banking commissioner in Connecticut issued a memorandum extending its “no action” position regarding temporary work-from-home guidance. Previously covered here and here, the memorandum permits consumer credit licensees to work from home, even though such home location is not licensed by the Banking Department, so long as certain criteria spelled out in the memorandum are met. The guidance is extended through August 31, 2020.
Connecticut Department of Banking issues an extension guidance on working from home
On May 20, the Connecticut Department of Banking issued a memorandum extending its no-action position (previously discussed, here) with respect to licensees temporarily working from home during Covid-19 through June 30, 2020, provided that certain criteria set forth in the memorandum are met.
Connecticut Insurance Department will grant extensions to foreign insurers for hard copy filings
On April 29, the Connecticut Department of Insurance issued a bulletin to foreign-chartered insurers, health care centers, and fraternal benefit societies authorized to do business in Connecticut discussing regulatory relief in light of the Covid-19 pandemic. The department continues to require that foreign companies timely make all required electronic filings. However, upon request, it will grant an additional 30 or 45 days to complete many hard copy filings, a list of which is included in the bulletin.