On May 4, 2022, Connecticut became the fifth U.S. state to pass a comprehensive data privacy law aimed at protecting the privacy of its residents. The bill, S.B. No. 6: An Act Concerning Personal Data Privacy and Online Monitoring, joins similar legislation passed in California, Virginia, Colorado and Utah. This rising trend of U.S. states passing data privacy bills and enforcing them against domestic and international companies doing business in the state presents new challenges for organizations of every size: their already complex systems must now comply with new privacy requirements and deliver new data management capabilities for a subset of their worldwide user base.
The five state laws, which were heavily inspired by the European Union General Data Protection Regulation (GDPR) that took effect in 2018, differ in how residents can access and request their data and in how they can limit the sale and analysis of that data by covered organizations. Several U.S. states have spent years attempting to pass their own version of GDPR-style privacy law because there is no comprehensive privacy legislation at the federal level. New York, Texas, Washington, and dozens of other states have failed to establish their own privacy laws due to opposition from businesses, which argue that the new requirements create a significant amount of extra work for effectively any business with a website.
The Connecticut law, which takes effect July 1, 2023, resembles the privacy laws passed in Colorado, Virginia, and Utah in that it allows residents to opt out of sales, targeted advertising, and profiling. By 2025 it will also require companies to honor universal opt-out preference signals for targeted advertising and sales. In practice this means honoring browser privacy signals such as the Global Privacy Control (GPC): a consumer turns the setting on once in the browser of their choice, the browser attaches the signal to every request, and every covered company that receives it must treat it as an opt-out of data sales. Companies will need to add detection of the GPC signal to their existing environments and automatically stop selling or targeting on the basis of that user's data when it is present.
Implementing GPC could present complex challenges for the already complex ecosystems at both large and small companies. Large companies could encounter difficulties applying GPC and other privacy-compliance tooling consistently across their many products, subsidiaries, and systems, while smaller organizations could find implementing new technology both financially taxing and difficult to load onto already stretched teams.
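As an added illustration of what "detecting GPC" looks like in code (this example is not from the RH-ISAC post and not any vendor's implementation): a browser with GPC enabled sends the request header Sec-GPC: 1 and exposes navigator.globalPrivacyControl to page script. The functions below check both, let a stored opt-out or a GPC signal override the site's default, and wrap the check in a framework-agnostic middleware. The Vary: Sec-GPC response header and the gpcMiddleware, allowDataSale and classifySamples names are design choices and hypothetical helpers assumed for this example; the sample requests are constructed, not captured traffic.

```javascript
// Added example: detecting the Global Privacy Control (GPC) opt-out signal
// and gating a data-sale / ad-targeting decision on it.
// A browser with GPC enabled sends it two ways:
//   1. the HTTP request header        "Sec-GPC: 1"
//   2. the script-visible property    navigator.globalPrivacyControl === true
// The "Sec-" prefix makes the header a forbidden header name, so page script
// cannot spoof or strip it; only the browser sets it.

const GPC_HEADER = 'sec-gpc';

// Server side: does this request carry a valid GPC opt-out?
// Header names are case-insensitive. Only the exact field value "1" is a
// signal; "0", "true" or a missing header all mean "no signal".
function gpcOptedOutFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === GPC_HEADER) {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side: the same check from page script (pass window.navigator).
function gpcOptedOutFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Policy decision (hypothetical helper): may this user's data be sold or
// shared with ad partners? A stored opt-out (e.g. from the site's own
// preference page) or a GPC signal always wins; otherwise use the default.
function allowDataSale({ headers = {}, nav = null, storedOptOut = false, defaultAllow = true } = {}) {
  if (storedOptOut) return false;
  if (gpcOptedOutFromHeaders(headers)) return false;
  if (gpcOptedOutFromNavigator(nav)) return false;
  return defaultAllow;
}

// Hypothetical Node-style middleware: record the decision on the request and
// add "Vary: Sec-GPC" so a shared cache never serves a tracking-enabled
// response to an opted-out user (or the reverse). Design choice, not spec.
function gpcMiddleware(req, res, next) {
  req.gpcOptOut = gpcOptedOutFromHeaders(req.headers);
  const existing = res.getHeader ? res.getHeader('Vary') : undefined;
  res.setHeader('Vary', existing ? `${existing}, Sec-GPC` : 'Sec-GPC');
  next();
}

// The GPC proposal also lets a site publish /.well-known/gpc.json stating that
// it honours the signal; lastUpdate is the date that statement became true.
function gpcWellKnownDocument(lastUpdate) {
  return { gpc: true, lastUpdate };
}

// Constructed sample requests for illustration (not captured traffic).
const SAMPLE_REQUESTS = [
  { id: 'gpc-on',      headers: { host: 'shop.example', 'Sec-GPC': '1' } },
  { id: 'gpc-off',     headers: { host: 'shop.example', 'sec-gpc': '0' } },
  { id: 'no-signal',   headers: { host: 'shop.example' } },
  { id: 'bogus-value', headers: { host: 'shop.example', 'Sec-GPC': 'true' } },
];

function classifySamples() {
  return SAMPLE_REQUESTS.map((r) => ({
    id: r.id,
    sellAllowed: allowDataSale({ headers: r.headers }),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(classifySamples());
}
```

Two caveats a practitioner will want: the header check must run wherever a sale or share decision is actually made (ad-tag injection, server-side partner calls, CDN edge logic), not only on the consent banner; and because GPC is per browser, a user's stored account-level opt-out and the browser signal must be combined with "opt-out wins", as allowDataSale does, rather than letting one silently override the other.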
As state privacy laws continue to grow in both number and scope, RH-ISAC members have several options, listed below, that can help them identify, understand, and comply with new state data-privacy regulations:
- Utilize open-source bill tracking sites that specifically track state-privacy laws, in either a blog-based format or via interactive graph.
- Utilize internal or external legal teams to better understand new and established legislation for states that organizations operate in.
- Utilize third-party compliance organizations that specialize in state-privacy certification and compliance.
- Understand the differences and specific requirements that separate the individual state laws. While some states have established an independent body to enforce their regulations and investigate violations, others have no such body and rely on citizen-reported violations to trigger investigations. Organizations that understand what constitutes a violation in each state, and the remediation or appeal process that follows, can respond accordingly.