Connecticut 2021 Regular Session

Connecticut Senate Bill SB00893 Compare Versions

Version 1 (Old)

Version 2 (New)

Old	New		Differences
1	1
2	2
3		-	LCO \\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-~~R03~~-
	3	+	LCO \\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-R02-
4	4		SB.docx
5	5		1 of 20
6	6
7	7		General Assembly Substitute Bill No. 893
8	8		January Session, 2021
9	9
10	10
11	11
12	12
13	13
14	14		AN ACT CONCERNING CO NSUMER PRIVACY.
15	15		Be it enacted by the Senate and House of Representatives in General
16	16		Assembly convened:
17	17
18	18		Section 1. (NEW) (Effective January 1, 2023) As used in this section and 1
19	19		sections 2 to 11, inclusive, of this act, unless the context otherwise 2
20	20		requires: 3
21	21		(1) "Affiliate" means a legal entity that controls, is controlled by, or is 4
22	22		under common control with another legal entity or shares common 5
23	23		branding with another legal entity. For the purposes of this subdivision, 6
24	24		"control" or "controlled" means (A) ownership of, or the power to vote, 7
25	25		more than fifty per cent of the outstanding shares of any class of voting 8
26	26		security of a company, (B) control in any manner over the election of a 9
27	27		majority of the directors or of individuals exercising similar functions, 10
28	28		or (C) the power to exercise controlling influence over the management 11
29	29		of a company. 12
30	30		(2) "Authenticate" means to verify through reasonable means that the 13
31	31		consumer is the same consumer exercising such consumer rights with 14
32	32		respect to the personal data at issue. 15
33	33		(3) "Biometric data" means data generated by automatic 16
34	34		measurements of an individual's biological characteristics, such as a 17
35	35		fingerprint, voiceprint, eye retinas, irises or other unique biological 18 Substitute Bill No. 893
36	36
37	37
38	38		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
39		-	~~R03~~-SB.docx }
	39	+	R02-SB.docx }
40	40		2 of 20
41	41
42	42		patterns or characteristics that are used to identify a specific individual. 19
43	43		"Biometric data" does not include a physical or digital photograph, a 20
44	44		video or audio recording or data generated therefrom, or information 21
45	45		collected, used or stored for health care treatment, payment or 22
46	46		operations under HIPAA. 23
47	47		(4) "Business associate" has the same meaning as provided in HIPAA. 24
48	48		(5) "Child" means any natural person less than thirteen years of age. 25
49	49		(6) "Consent" means a clear affirmative act signifying a consumer's 26
50	50		freely given, specific, informed and unambiguous agreement to allow 27
51	51		the processing of personal data relating to the consumer. "Consent" may 28
52	52		include a written statement, including by electronic means, or any other 29
53	53		unambiguous affirmative action. 30
54	54		(7) "Consumer" means a natural person who is a resident of this state 31
55	55		and acting only in an individual or household context. "Consumer" does 32
56	56		not include a natural person acting in a commercial or employment 33
57	57		context. 34
58	58		(8) "Controller" means a natural or legal person that, alone or jointly 35
59	59		with others, determines the purpose and means of processing personal 36
60	60		data. 37
61	61		(9) "Covered entity" has the same meaning as provided in HIPAA. 38
62	62		(10) "Decisions that produce legal or similarly significant effects 39
63	63		concerning a consumer" means decisions made by the controller that 40
64	64		result in the provision or denial by the controller of financial and 41
65	65		lending services, housing, insurance, education enrollment, criminal 42
66	66		justice, employment opportunities, health care services or access to basic 43
67	67		necessities, such as food and water. 44
68	68		(11) "De-identified data" means data that cannot reasonably be linked 45
69	69		to an identified or identifiable natural person, or a device linked to such 46
70	70		person. 47 Substitute Bill No. 893
71	71
72	72
73	73		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
74		-	~~R03~~-SB.docx }
	74	+	R02-SB.docx }
75	75		3 of 20
76	76
77	77		(12) "Health record" means the health-related record of an individual, 48
78	78		and may include, but need not be limited to, continuity of care 49
79	79		documents, discharge summaries and other information or data relating 50
80	80		to a patient's demographics, medical history, medication, allergies, 51
81	81		immunizations, laboratory test results, radiology or other diagnostic 52
82	82		images, vital signs and statistics. 53
83	83		(13) "Health care provider" means any person, corporation, limited 54
84	84		liability company, facility or institution licensed by this state to provide 55
85	85		health care or professional services, or an officer, employee or agent 56
86	86		thereof acting in the course and scope of his or her employment. 57
87	87		(14) "HIPAA" means the Health Insurance Portability and 58
88	88		Accountability Act of 1996, 42 USC 1320d et seq. 59
89	89		(15) "Identified or identifiable natural person" means a person who 60
90	90		can be readily identified, directly or indirectly. 61
91	91		(16) "Institution of higher education" means any person, school, 62
92	92		board, association, limited liability company or corporation that is 63
93	93		licensed or accredited to offer one or more programs of higher learning 64
94	94		leading to one or more degrees. 65
95	95		(17) "Nonprofit organization" means any organization that is exempt 66
96	96		from taxation under Section 501(c)(3) of the Internal Revenue Code of 67
97	97		1986, or any subsequent corresponding internal revenue code of the 68
98	98		United States, as amended from time to time. 69
99	99		(18) "Personal data" means any information that is linked or 70
100	100		reasonably linkable to an identified or identifiable natural person. 71
101	101		"Personal data" does not include de-identified data or publicly available 72
102	102		information. 73
103	103		(19) "Precise geolocation data" means information derived from 74
104	104		technology, including, but not limited to, global positioning system 75
105	105		level latitude and longitude coordinates or other mechanisms, that 76
106	106		directly identify the specific location of a natural person with precision 77 Substitute Bill No. 893
107	107
108	108
109	109		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
110		-	~~R03~~-SB.docx }
	110	+	R02-SB.docx }
111	111		4 of 20
112	112
113	113		and accuracy within a radius of one thousand seven hundred fifty feet. 78
114	114		"Precise geolocation data" does not include the content of 79
115	115		communications or any data generated by or connected to advanced 80
116	116		utility metering infrastructure systems or equipment for use by a utility. 81
117	117		(20) "Process" or "processing" means any operation or set of 82
118	118		operations performed, whether by manual or automated means, on 83
119	119		personal data or on sets of personal data, such as the collection, use, 84
120	120		storage, disclosure, analysis, deletion or modification of personal data. 85
121	121		(21) "Processor" means a natural or legal entity that processes 86
122	122		personal data on behalf of a controller. 87
123	123		(22) "Profiling" means any form of automated processing performed 88
124	124		on personal data to evaluate, analyze, or predict personal aspects related 89
125	125		to an identified or identifiable natural person's economic situation, 90
126	126		health, personal preferences, interests, reliability, behavior, location or 91
127	127		movements. 92
128	128		(23) "Protected health information" has the same meaning as 93
129	129		provided in HIPAA. 94
130	130		(24) "Pseudonymous data" means personal data that cannot be 95
131	131		attributed to a specific natural person without the use of additional 96
132	132		information, provided that such additional information is kept 97
133	133		separately and is subject to appropriate technical and organizational 98
134	134		measures to ensure that the personal data is not attributed to an 99
135	135		identified or identifiable natural person. 100
136	136		(25) "Publicly available information" means information that is 101
137	137		lawfully made available through federal, state or municipal government 102
138	138		records, or information that a business has a reasonable basis to believe 103
139	139		is lawfully made available to the general public through widely 104
140	140		distributed media, by the consumer, or by a person to whom the 105
141	141		consumer has disclosed the information, unless the consumer has 106
142	142		restricted the information to a specific audience. 107 Substitute Bill No. 893
143	143
144	144
145	145		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
146		-	~~R03~~-SB.docx }
	146	+	R02-SB.docx }
147	147		5 of 20
148	148
149	149		(26) "Sale of personal data" means the exchange of personal data for 108
150	150		monetary consideration by the controller to a third party. "Sale of 109
151	151		personal data" does not include: (A) The disclosure of personal data to 110
152	152		a processor that processes the personal data on behalf of the controller, 111
153	153		(B) the disclosure of personal data to a third party for purposes of 112
154	154		providing a product or service requested by the consumer, (C) the 113
155	155		disclosure or transfer of personal data to an affiliate of the controller, (D) 114
156	156		the disclosure of information that the consumer (i) intentionally made 115
157	157		available to the general public via a channel of mass media, and (ii) did 116
158	158		not restrict to a specific audience, or (E) the disclosure or transfer of 117
159	159		personal data to a third party as an asset that is part of a merger, 118
160	160		acquisition, bankruptcy or other transaction in which the third party 119
161	161		assumes control of all or part of the controller's assets. 120
162	162		(27) "Sensitive data" means personal data that includes: (A) Data 121
163	163		revealing racial or ethnic origin, religious beliefs, mental or physical 122
164	164		health diagnosis, sexual orientation or citizenship or immigration 123
165	165		status, (B) the processing of genetic or biometric data for the purpose of 124
166	166		uniquely identifying a natural person, (C) personal data collected from 125
167	167		a known child, or (D) precise geolocation data. 126
168	168		(28) "Targeted advertising" means displaying advertisements to a 127
169	169		consumer where the advertisement is selected based on personal data 128
170	170		obtained from that consumer's activities over time and across 129
171	171		nonaffiliated Internet web sites or online applications to predict such 130
172	172		consumer's preferences or interests. "Targeted advertising" does not 131
173	173		include: (A) Advertisements based on activities within a controller's 132
174	174		own Internet web sites or online applications, (B) advertisements based 133
175	175		on the context of a consumer's current search query, visit to an Internet 134
176	176		web site or online application, (C) advertisements directed to a 135
177	177		consumer in response to the consumer's request for information or 136
178	178		feedback, or (D) the processing of personal data solely for measuring or 137
179	179		reporting advertising performance, reach or frequency. 138
180	180		(29) "Third party" means a natural or legal person, public authority, 139
181	181		agency or body other than the consumer, controller, processor or an 140 Substitute Bill No. 893
182	182
183	183
184	184		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
185		-	~~R03~~-SB.docx }
	185	+	R02-SB.docx }
186	186		6 of 20
187	187
188	188		affiliate of the processor or the controller. 141
189	189		Sec. 2. (NEW) (Effective January 1, 2023) The provisions of sections 1 142
190	190		to 11, inclusive, of this act apply to persons that conduct business in this 143
191	191		state or persons that produce products or services that are targeted to 144
192	192		residents of this state and that: (1) During a calendar year, control or 145
193	193		process the personal data of not less than one hundred thousand 146
194	194		consumers, or (2) control or process the personal data of not less than 147
195	195		twenty-five thousand consumers and derive more than fifty per cent of 148
196	196		their gross revenue from the sale of personal data. 149
197	197		Sec. 3. (NEW) (Effective January 1, 2023) (a) The provisions of sections 150
198	198		1 to 11, inclusive, of this act shall not apply to any: (1) Body, authority, 151
199	199		board, bureau, commission, district or agency of this state or of any 152
200	200		political subdivision of this state, (2) financial institution or data subject 153
201	201		to Title V of the Gramm-Leach-Bliley Act, 15 USC 6801 et seq., (3) 154
202	202		covered entity or business associate governed by the privacy, security 155
203	203		and breach notification rules issued by the United States Department of 156
204	204		Health and Human Services, 45 CFR 160 and 164, established pursuant 157
205	205		to HIPAA, and the Health Information Technology for Economic and 158
206	206		Clinical Health Act, (4) nonprofit organization, or (5) institution of 159
207	207		higher education. 160
208	208		(b) The following information and data is exempt from the provisions 161
209	209		of sections 1 to 11, inclusive, of this act: (1) Protected health information 162
210	210		under HIPAA, (2) health records, (3) patient identifying information for 163
211	211		purposes of 42 USC 290dd-2, (4) identifiable private information for 164
212	212		purposes of the federal policy for the protection of human subjects 165
213	213		under 45 CFR 46, (5) identifiable private information that is otherwise 166
214	214		information collected as part of human subjects research pursuant to the 167
215	215		good clinical practice guidelines issued by the International Council for 168
216	216		Harmonization of Technical Requirements for Pharmaceuticals for 169
217	217		Human Use, (6) the protection of human subjects under 21 CFR 6, 50 170
218	218		and 56, or personal data used or shared in research, as defined in 45 CFR 171
219	219		164.501, that is conducted in accordance with the standards set forth in 172
220	220		this subdivision and subdivisions (4) and (5) of this subsection, or other 173 Substitute Bill No. 893
221	221
222	222
223	223		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
224		-	~~R03~~-SB.docx }
	224	+	R02-SB.docx }
225	225		7 of 20
226	226
227	227		research conducted in accordance with applicable law, (7) information 174
228	228		and documents created for purposes of the Health Care Quality 175
229	229		Improvement Act of 1986, 42 USC 11101 et seq., (8) patient safety work 176
230	230		product for purposes of the Patient Safety and Quality Improvement 177
231	231		Act, 42 USC 299b-21 et seq., (9) information derived from any of the 178
232	232		health care related information listed in this subsection that is de-179
233	233		identified in accordance with the requirements for de-identification 180
234	234		pursuant to HIPAA, (10) information originating from, and 181
235	235		intermingled to be indistinguishable with, or information treated in the 182
236	236		same manner as information exempt under this subsection that is 183
237	237		maintained by a covered entity or business associate, program or 184
238	238		qualified service organization, as specified in 42 USC 290dd-2, (11) 185
239	239		information used for public health activities and purposes as authorized 186
240	240		by HIPAA, (12) the collection, maintenance, disclosure, sale, 187
241	241		communication or use of any personal information bearing on a 188
242	242		consumer's credit worthiness, credit standing, credit capacity, character, 189
243	243		general reputation, personal characteristics or mode of living by a 190
244	244		consumer reporting agency, furnisher or user that provides information 191
245	245		for use in a consumer report, and by a user of a consumer report, but 192
246	246		only to the extent that such activity is regulated by and authorized 193
247	247		under the Fair Credit Reporting Act, 15 USC 1681 et seq., (13) personal 194
248	248		data collected, processed, sold or disclosed in compliance with the 195
249	249		Driver's Privacy Protection Act of 1994, 18 USC 2721 et seq., (14) 196
250	250		personal data regulated by the Family Educational Rights and Privacy 197
251	251		Act, 20 USC 1232g et seq., (15) personal data collected, processed, sold 198
252	252		or disclosed in compliance with the Farm Credit Act, 12 USC 2001 et 199
253	253		seq., and (16) data processed or maintained (A) in the course of an 200
254	254		individual applying to, employed by, or acting as an agent or 201
255	255		independent contractor of, a controller, processor or third party, to the 202
256	256		extent that the data is collected and used within the context of that role; 203
257	257		(B) as the emergency contact information of an individual under 204
258	258		sections 1 to 11, inclusive, of this act used for emergency contact 205
259	259		purposes, or (C) that is necessary to retain to administer benefits for 206
260	260		another individual relating to the individual under subdivision (1) of 207
261	261		this subsection and used for the purposes of administering such 208 Substitute Bill No. 893
262	262
263	263
264	264		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
265		-	~~R03~~-SB.docx }
	265	+	R02-SB.docx }
266	266		8 of 20
267	267
268	268		benefits. 209
269	269		(c) Controllers and processors that comply with the verifiable 210
270	270		parental consent requirements of the Children's Online Privacy 211
271	271		Protection Act, 15 USC 6501 et seq., shall be deemed compliant with any 212
272	272		obligation to obtain parental consent pursuant to sections 1 to 11, 213
273	273		inclusive, of this act. 214
274	274		Sec. 4. (NEW) (Effective January 1, 2023) (a) A consumer may invoke 215
275	275		the consumer rights authorized pursuant to this section at any time by 216
276	276		submitting a request to a controller specifying the consumer rights the 217
277	277		consumer wishes to invoke. A known child's parent or legal guardian 218
278	278		may invoke such consumer rights on behalf of the child regarding 219
279	279		processing personal data belonging to the known child. A controller 220
280	280		shall comply with an authenticated consumer request to exercise the 221
281	281		right to: (1) Confirm whether or not a controller is processing the 222
282	282		consumer's personal data and to access such personal data, (2) correct 223
283	283		inaccuracies in the consumer's personal data, taking into account the 224
284	284		nature of the personal data and the purposes of the processing of the 225
285	285		consumer's personal data, (3) delete personal data provided by, or 226
286	286		obtained about, the consumer, (4) obtain a copy of the consumer's 227
287	287		personal data that the consumer previously provided to the controller 228
288	288		in a portable and, to the extent technically feasible, readily usable format 229
289	289		that allows the consumer to transmit the data to another controller 230
290	290		without hindrance, where the processing is carried out by automated 231
291	291		means, and (5) opt out of the processing of the personal data for 232
292	292		purposes of (A) targeted advertising, (B) the sale of personal data, or (C) 233
293	293		profiling in furtherance of decisions that produce legal or similarly 234
294	294		significant effects concerning the consumer. 235
295	295		(b) Except as otherwise provided in sections 1 to 11, inclusive, of this 236
296	296		act, a controller shall comply with a request by a consumer to exercise 237
297	297		the consumer rights authorized pursuant to said sections as follows: 238
298	298		(1) A controller shall respond to the consumer without undue delay, 239
299	299		but not later than forty-five days after receipt of the request. The 240 Substitute Bill No. 893
300	300
301	301
302	302		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
303		-	~~R03~~-SB.docx }
	303	+	R02-SB.docx }
304	304		9 of 20
305	305
306	306		response period may be extended once by forty-five additional days 241
307	307		when reasonably necessary, considering the complexity and number of 242
308	308		the consumer's requests, provided the controller informs the consumer 243
309	309		of any such extension within the initial forty-five-day response period, 244
310	310		together with the reason for the extension. 245
311	311		(2) If a controller declines to take action regarding the consumer's 246
312	312		request, the controller shall inform the consumer without undue delay, 247
313	313		but not later than forty-five days after receipt of the request, of the 248
314	314		justification for declining to take action and instructions for how to 249
315	315		appeal the decision. 250
316	316		(3) Information provided in response to a consumer request shall be 251
317	317		provided by a controller free of charge, up to twice annually per 252
318	318		consumer. If requests from a consumer are manifestly unfounded, 253
319	319		excessive or repetitive, the controller may charge the consumer a 254
320	320		reasonable fee to cover the administrative costs of complying with the 255
321	321		request or decline to act on the request. The controller bears the burden 256
322	322		of demonstrating the manifestly unfounded, excessive or repetitive 257
323	323		nature of the request. 258
324	324		(4) If a controller is unable to authenticate the request using 259
325	325		commercially reasonable efforts, the controller shall not be required to 260
326	326		comply with a request to initiate an action pursuant to this section and 261
327	327		may request that the consumer provide additional information 262
328	328		reasonably necessary to authenticate the consumer and the consumer's 263
329	329		request. 264
330	330		(c) A controller shall establish a process for a consumer to appeal the 265
331	331		controller's refusal to take action on a request within a reasonable period 266
332	332		of time after the consumer's receipt of the decision. The appeal process 267
333	333		shall be conspicuously available and similar to the process for 268
334	334		submitting requests to initiate action pursuant to this section. Not later 269
335	335		than sixty days after receipt of an appeal, a controller shall inform the 270
336	336		consumer in writing of any action taken or not taken in response to the 271
337	337		appeal, including a written explanation of the reasons for the decisions. 272 Substitute Bill No. 893
338	338
339	339
340	340		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
341		-	~~R03~~-SB.docx }
	341	+	R02-SB.docx }
342	342		10 of 20
343	343
344	344		If the appeal is denied, the controller shall also provide the consumer 273
345	345		with an online mechanism, if available, or other method through which 274
346	346		the consumer may contact the Attorney General to submit a complaint. 275
347	347		Sec. 5. (NEW) (Effective January 1, 2023) (a) A controller shall: (1) Limit 276
348	348		the collection of personal data to what is adequate, relevant and 277
349	349		reasonably necessary in relation to the purposes for which such data is 278
350	350		processed, as disclosed to the consumer, (2) except as otherwise 279
351	351		provided in sections 1 to 11, inclusive, of this act, not process personal 280
352	352		data for purposes that are neither reasonably necessary to nor 281
353	353		compatible with the disclosed purposes for which such personal data is 282
354	354		processed, as disclosed to the consumer, unless the controller obtains 283
355	355		the consumer's consent, (3) establish, implement and maintain 284
356	356		reasonable administrative, technical and physical data security practices 285
357	357		to protect the confidentiality, integrity and accessibility of personal data 286
358	358		appropriate to the volume and nature of the personal data at issue, (4) 287
359	359		not process sensitive data concerning a consumer without obtaining the 288
360	360		consumer's consent, or, in the case of the processing of sensitive data 289
361	361		concerning a known child, without processing such data in accordance 290
362	362		with the federal Children's Online Privacy Protection Act, 15 USC 6501 291
363	363		et seq., and (5) not process personal data in violation of the laws of this 292
364	364		state and federal laws that prohibit unlawful discrimination against 293
365	365		consumers. A controller shall not discriminate against a consumer for 294
366	366		exercising any of the consumer rights contained in sections 1 to 11, 295
367	367		inclusive, of this act, including denying goods or services, charging 296
368	368		different prices or rates for goods or services or providing a different 297
369	369		level of quality of goods and services to the consumer. Nothing in this 298
370	370		subsection shall be construed to require a controller to provide a 299
371	371		product or service that requires the personal data of a consumer that the 300
372	372		controller does not collect or maintain or to prohibit a controller from 301
373	373		offering a different price, rate, level, quality or selection of goods or 302
374	374		services to a consumer, including offering goods or services for no fee, 303
375	375		if the consumer has exercised his right to opt out or the offer is related 304
376	376		to a consumer's voluntary participation in a bona fide loyalty, rewards, 305
377	377		premium features, discounts or club card program. 306 Substitute Bill No. 893
378	378
379	379
380	380		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
381		-	~~R03~~-SB.docx }
	381	+	R02-SB.docx }
382	382		11 of 20
383	383
384	384		(b) Controllers shall provide consumers with a reasonably accessible, 307
385	385		clear, and meaningful privacy notice that includes: (1) The categories of 308
386	386		personal data processed by the controller, (2) the purpose for processing 309
387	387		personal data, (3) how consumers may exercise their consumer rights, 310
388	388		including how a consumer may appeal a controller's decision with 311
389	389		regard to the consumer's request, (4) the categories of personal data that 312
390	390		the controller shares with third parties, if any, and (5) the categories of 313
391	391		third parties, if any, with which the controller shares personal data. 314
392	392		(c) If a controller sells personal data to third parties or processes 315
393	393		personal data for targeted advertising, the controller shall clearly and 316
394	394		conspicuously disclose such processing, as well as the manner in which 317
395	395		a consumer may exercise the right to opt out of such processing. 318
396	396		(d) A controller shall establish, and shall describe in a privacy notice, 319
397	397		one or more secure and reliable means for consumers to submit a 320
398	398		request to exercise their consumer rights pursuant to sections 1 to 11, 321
399	399		inclusive, of this act. Such means shall take into account the ways in 322
400	400		which consumers normally interact with the controller, the need for 323
401	401		secure and reliable communication of such requests, and the ability of 324
402	402		the controller to authenticate the identity of the consumer making the 325
403	403		request. Controllers shall not require a consumer to create a new account 326
404	404		in order to exercise consumer rights, but may require a consumer to use 327
405	405		an existing account. 328
406	406		Sec. 6. (NEW) (Effective January 1, 2023) (a) A processor shall adhere 329
407	407		to the instructions of a controller and shall assist the controller in 330
408	408		meeting its obligations pursuant to sections 1 to 11, inclusive, of this act. 331
409	409		Such assistance shall include: (1) Taking into account the nature of 332
410	410		processing and the information available to the processor, by 333
411	411		appropriate technical and organizational measures, insofar as is 334
412	412		reasonably practicable, to fulfill the controller's obligation to respond to 335
413	413		consumer rights requests, (2) taking into account the nature of 336
414	414		processing and the information available to the processor, by assisting 337
415	415		the controller in meeting the controller's obligations in relation to the 338
416	416		security of processing the personal data and in relation to the 339 Substitute Bill No. 893
417	417
418	418
419	419		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
420		-	~~R03~~-SB.docx }
	420	+	R02-SB.docx }
421	421		12 of 20
422	422
423	423		notification of a breach of security of the system of the processor, in 340
424	424		order to meet the controller's obligations, and (3) providing necessary 341
425	425		information to enable the controller to conduct and document data 342
426	426		protection assessments. 343
427	427		(b) A contract between a controller and a processor shall govern the 344
428	428		processor's data processing procedures with respect to processing 345
429	429		performed on behalf of the controller. The contract shall be binding and 346
430	430		clearly set forth instructions for processing data, the nature and purpose 347
431	431		of processing, the type of data subject to processing, the duration of 348
432	432		processing and the rights and obligations of both parties. The contract 349
433	433		shall also include requirements that the processor shall: (1) Ensure that 350
434	434		each person processing personal data is subject to a duty of 351
435	435		confidentiality with respect to the data, (2) at the controller's direction, 352
436	436		delete or return all personal data to the controller as requested at the 353
437	437		end of the provision of services, unless retention of the personal data is 354
438	438		required by law, (3) upon the reasonable request of the controller, make 355
439	439		available to the controller all information in its possession necessary to 356
440	440		demonstrate the processor's compliance with the obligations in sections 357
441	441		1 to 11, inclusive, of this act, (4) engage any subcontractor pursuant to a 358
442	442		written contract that requires the subcontractor to meet the obligations 359
443	443		of the processor with respect to the personal data, and (5) allow, and 360
444	444		cooperate with, reasonable assessments by the controller or the 361
445	445		controller's designated assessor, or the processor may arrange for a 362
446	446		qualified and independent assessor to conduct an assessment of the 363
447	447		processor's policies and technical and organizational measures in 364
448	448		support of the obligations under sections 1 to 11, inclusive, of this act, 365
449	449		using an appropriate and accepted control standard or framework and 366
450	450		assessment procedure for such assessments. The processor shall provide 367
451	451		a report of such assessment to the controller upon request. 368
452	452		(c) Nothing in this section shall be construed to relieve a controller or 369
453	453		a processor from the liabilities imposed on it by virtue of its role in the 370
454	454		processing relationship as defined in sections 1 to 11, inclusive, of this 371
455	455		act. 372 Substitute Bill No. 893
456	456
457	457
458	458		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
459		-	~~R03~~-SB.docx }
	459	+	R02-SB.docx }
460	460		13 of 20
461	461
462	462		(d) Determining whether a person is acting as a controller or 373
463	463		processor with respect to a specific processing of data is a fact-based 374
464	464		determination that depends upon the context in which personal data is 375
465	465		to be processed. A processor that continues to adhere to a controller's 376
466	466		instructions with respect to a specific processing of personal data 377
467	467		remains a processor. 378
468	468		Sec. 7. (NEW) (Effective January 1, 2023) (a) A controller shall conduct 379
469	469		and document a data protection assessment of each of the following 380
470	470		processing activities involving personal data: (1) The processing of 381
471	471		personal data for purposes of targeted advertising, (2) the sale of 382
472	472		personal data, (3) the processing of personal data for purposes of 383
473	473		profiling, where such profiling presents a reasonably foreseeable risk of 384
474	474		(A) unfair or deceptive treatment of, or unlawful disparate impact on, 385
475	475		consumers, (B) financial, physical or reputational injury to consumers, 386
476	476		(C) a physical or other intrusion upon the solitude or seclusion, or the 387
477	477		private affairs or concerns, of consumers, where such intrusion would 388
478	478		be offensive to a reasonable person, or (D) other substantial injury to 389
479	479		consumers, (4) the processing of sensitive data, and (5) any processing 390
480	480		activities involving personal data that present a heightened risk of harm 391
481	481		to consumers. 392
482	482		(b) Data protection assessments conducted pursuant to subsection (a) 393
483	483		of this section shall identify and weigh the benefits that may flow, 394
484	484		directly and indirectly, from the processing to the controller, the 395
485	485		consumer, other stakeholders and the public against the potential risks 396
486	486		to the rights of the consumer associated with such processing, as 397
487	487		mitigated by safeguards that can be employed by the controller to 398
488	488		reduce such risks. The use of de-identified data and the reasonable 399
489	489		expectations of consumers, as well as the context of the processing and 400
490	490		the relationship between the controller and the consumer whose 401
491	491		personal data will be processed, shall be factored into this assessment 402
492	492		by the controller. 403
493	493		(c) The Attorney General may require that a controller disclose any 404
494	494		data protection assessment that is relevant to an investigation 405 Substitute Bill No. 893
495	495
496	496
497	497		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
498		-	~~R03~~-SB.docx }
	498	+	R02-SB.docx }
499	499		14 of 20
500	500
501	501		conducted by the Attorney General, and the controller shall make the 406
502	502		data protection assessment available to the Attorney General. The 407
503	503		Attorney General may evaluate the data protection assessment for 408
504	504		compliance with the responsibilities set forth in sections 1 to 11, 409
505	505		inclusive, of this act. Data protection assessments shall be confidential 410
506	506		and shall be exempt from disclosure under the Freedom of Information 411
507	507		Act, as defined in section 1-200 of the general statutes. The disclosure of 412
508	508		a data protection assessment pursuant to a request from the Attorney 413
509	509		General shall not constitute a waiver of attorney-client privilege or work 414
510	510		product protection with respect to the assessment and any information 415
511	511		contained in the assessment. 416
512	512		(d) A single data protection assessment may address a comparable 417
513	513		set of processing operations that include similar activities. 418
514	514		(e) Data protection assessments conducted by a controller for the 419
515	515		purpose of compliance with other laws or regulations may comply 420
516	516		under this section if the assessments have a reasonably comparable 421
517	517		scope and effect. 422
518	518		(f) Data protection assessment requirements shall apply to processing 423
519	519		activities created or generated after January 1, 2023, and are not 424
520	520		retroactive. 425
521	521		Sec. 8. (NEW) (Effective January 1, 2023) (a) Any controller in 426
522	522		possession of de-identified data shall: (1) Take reasonable measures to 427
523	523		ensure that the data cannot be associated with a natural person, (2) 428
524	524		publicly commit to maintaining and using de-identified data without 429
525	525		attempting to re-identify the data, and (3) contractually obligate any 430
526	526		recipients of the de-identified data to comply with all provisions of 431
527	527		sections 1 to 11, inclusive, of this act. 432
528	528		(b) Nothing in sections 1 to 11, inclusive, of this act shall be construed 433
529	529		to (1) require a controller or processor to re-identify de-identified data 434
530	530		or pseudonymous data, or (2) maintain data in identifiable form, or 435
531	531		collect, obtain, retain or access any data or technology, in order to be 436 Substitute Bill No. 893
532	532
533	533
534	534		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
535		-	~~R03~~-SB.docx }
	535	+	R02-SB.docx }
536	536		15 of 20
537	537
538	538		capable of associating an authenticated consumer request with personal 437
539	539		data. 438
540	540		(c) Nothing in sections 1 to 11, inclusive, of this act shall be construed 439
541	541		to require a controller or processor to comply with an authenticated 440
542	542		consumer rights request, if all of the following are true, if the controller: 441
543	543		(1) Is not reasonably capable of associating the request with the personal 442
544	544		data or it would be unreasonably burdensome for the controller to 443
545	545		associate the request with the personal data, (2) does not use the 444
546	546		personal data to recognize or respond to the specific consumer who is 445
547	547		the subject of the personal data, or associate the personal data with other 446
548	548		personal data about the same specific consumer, and (3) does not sell 447
549	549		the personal data to any third party or otherwise voluntarily disclose 448
550	550		the personal data to any third party other than a processor, except as 449
551	551		otherwise permitted in this section. 450
552	552		(d) Consumer rights shall not apply to pseudonymous data in cases 451
553	553		where the controller is able to demonstrate any information necessary 452
554	554		to identify the consumer is kept separately and is subject to effective 453
555	555		technical and organizational controls that prevent the controller from 454
556	556		accessing such information. 455
557	557		(e) A controller that discloses pseudonymous data or de-identified 456
558	558		data shall exercise reasonable oversight to monitor compliance with any 457
559	559		contractual commitments to which the pseudonymous data or de-458
560	560		identified data is subject and shall take appropriate steps to address any 459
561	561		breaches of those contractual commitments. 460
562	562		Sec. 9. (NEW) (Effective January 1, 2023) (a) Nothing in sections 1 to 11, 461
563	563		inclusive, of this act shall be construed to restrict a controller's or 462
564	564		processor's ability to: (1) Comply with federal, state or municipal 463
565	565		ordinances or regulations, (2) comply with a civil, criminal or regulatory 464
566	566		inquiry, investigation, subpoena or summons by federal, state, 465
567	567		municipal or other governmental authorities, (3) cooperate with law-466
568	568		enforcement agencies concerning conduct or activity that the controller 467
569	569		or processor reasonably and in good faith believes may violate federal, 468 Substitute Bill No. 893
570	570
571	571
572	572		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
573		-	~~R03~~-SB.docx }
	573	+	R02-SB.docx }
574	574		16 of 20
575	575
576	576		state or municipal ordinances or regulations, (4) investigate, establish, 469
577	577		exercise, prepare for or defend legal claims, (5) provide a product or 470
578	578		service specifically requested by a consumer, (6) perform a contract to 471
579	579		which a consumer is a party, including fulfilling the terms of a written 472
580	580		warranty, (7) take steps at the request of a consumer prior to entering 473
581	581		into a contract, (8) take immediate steps to protect an interest that is 474
582	582		essential for the life or physical safety of the consumer or of another 475
583	583		natural person, and where the processing cannot be manifestly based on 476
584	584		another legal basis, (9) prevent, detect, protect against or respond to 477
585	585		security incidents, identity theft, fraud, harassment, malicious or 478
586	586		deceptive activities or any illegal activity, preserve the integrity or 479
587	587		security of systems or investigate, report or prosecute those responsible 480
588	588		for any such action, (10) engage in public or peer-reviewed scientific or 481
589	589		statistical research in the public interest that adheres to all other 482
590	590		applicable ethics and privacy laws and is approved, monitored and 483
591	591		governed by an institutional review board, or similar independent 484
592	592		oversight entities that determine (A) if the deletion of the information is 485
593	593		likely to provide substantial benefits that do not exclusively accrue to 486
594	594		the controller, (B) the expected benefits of the research outweigh the 487
595	595		privacy risks, and (C) if the controller has implemented reasonable 488
596	596		safeguards to mitigate privacy risks associated with research, including 489
597	597		any risks associated with re-identification, or (11) assist another 490
598	598		controller, processor, or third party with any of the obligations under 491
599	599		sections 1 to 11, inclusive, of this act. 492
600	600		(b) The obligations imposed on controllers or processors under 493
601	601		sections 1 to 11, inclusive, of this act shall not restrict a controller's or 494
602	602		processor's ability to collect, use, or retain data to: (1) Conduct internal 495
603	603		research to develop, improve, or repair products, services, or 496
604	604		technology, (2) effectuate a product recall, (3) identify and repair 497
605	605		technical errors that impair existing or intended functionality, or (4) 498
606	606		perform internal operations that are reasonably aligned with the 499
607	607		expectations of the consumer or reasonably anticipated based on the 500
608	608		consumer's existing relationship with the controller or are otherwise 501
609	609		compatible with processing data in furtherance of the provision of a 502 Substitute Bill No. 893
610	610
611	611
612	612		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
613		-	~~R03~~-SB.docx }
	613	+	R02-SB.docx }
614	614		17 of 20
615	615
616	616		product or service specifically requested by a consumer or the 503
617	617		performance of a contract to which the consumer is a party. 504
618	618		(c) The obligations imposed on controllers or processors under 505
619	619		sections 1 to 11, inclusive, of this act shall not apply where compliance 506
620	620		by the controller or processor with said sections would violate an 507
621	621		evidentiary privilege under the laws of this state. Nothing in sections 1 508
622	622		to 11, inclusive, of this act shall be construed to prevent a controller or 509
623	623		processor from providing personal data concerning a consumer to a 510
624	624		person covered by an evidentiary privilege under the laws of the state 511
625	625		as part of a privileged communication. 512
626	626		(d) A controller or processor that discloses personal data to a third-513
627	627		party controller or processor, in compliance with the requirements of 514
628	628		sections 1 to 11, inclusive, of this act, is not in violation of said sections 515
629	629		if the third-party controller or processor that receives and processes 516
630	630		such personal data is in violation of said sections, provided, at the time 517
631	631		of disclosing the personal data, the disclosing controller or processor did 518
632	632		not have actual knowledge that the recipient intended to commit a 519
633	633		violation of said sections. A third-party controller or processor receiving 520
634	634		personal data from a controller or processor in compliance with the 521
635	635		requirements of sections 1 to 11, inclusive, of this act is likewise not in 522
636	636		violation of said sections for the transgressions of the controller or 523
637	637		processor from which it receives such personal data. 524
638	638		(e) Nothing in sections 1 to 11, inclusive, of this act shall be construed 525
639	639		as an obligation imposed on controllers and processors that adversely 526
640	640		affects the rights or freedoms of any persons, such as exercising the right 527
641	641		of free speech pursuant to the First Amendment to the United States 528
642	642		Constitution, or applies to the processing of personal data by a person 529
643	643		in the course of a purely personal or household activity. 530
644	644		(f) Personal data processed by a controller pursuant to sections 1 to 531
645	645		11, inclusive, of this act shall not be processed for any purpose other 532
646	646		than those expressly listed in this section unless otherwise allowed by 533
647	647		sections 1 to 11, inclusive, of this act. Personal data processed by a 534 Substitute Bill No. 893
648	648
649	649
650	650		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
651		-	~~R03~~-SB.docx }
	651	+	R02-SB.docx }
652	652		18 of 20
653	653
654	654		controller pursuant to this section may be processed to the extent that 535
655	655		such processing is: (1) Reasonably necessary and proportionate to the 536
656	656		purposes listed in this section, and (2) adequate, relevant and limited to 537
657	657		what is necessary in relation to the specific purposes listed in this 538
658	658		section. Personal data collected, used, or retained pursuant to subsection 539
659	659		(b) of this section shall, where applicable, take into account the nature 540
660	660		and purpose or purposes of such collection, use, or retention. Such data 541
661	661		shall be subject to reasonable administrative, technical, and physical 542
662	662		measures to protect the confidentiality, integrity, and accessibility of the 543
663	663		personal data and to reduce reasonably foreseeable risks of harm to 544
664	664		consumers relating to such collection, use, or retention of personal data. 545
665	665		(g) If a controller processes personal data pursuant to an exemption 546
666	666		in this section, the controller bears the burden of demonstrating that 547
667	667		such processing qualifies for the exemption and complies with the 548
668	668		requirements in subsection (f) of this section. 549
669	669		(h) Processing personal data for the purposes expressly identified in 550
670	670		this section shall not solely make an entity a controller with respect to 551
671	671		such processing. 552
672	672		Sec. 10. (NEW) (Effective January 1, 2023) (a) The Attorney General 553
673	673		shall have exclusive authority to enforce violations of sections 1 to 11, 554
674	674		inclusive, of this act. 555
675	675		(b) Prior to initiating any action under sections 1 to 11, inclusive, of 556
676	676		this act, the Attorney General shall provide a controller or processor not 557
677	677		less than thirty days' written notice identifying the specific provisions 558
678	678		of said sections the Attorney General, on behalf of a consumer, alleges 559
679	679		have been or are being violated. If, prior to the expiration of such time 560
680	680		period, the controller or processor cures the noticed violation and 561
681	681		provides the Attorney General an express written statement that the 562
682	682		alleged violations have been cured and that no further violations shall 563
683	683		occur, no action for statutory damages shall be initiated against the 564
684	684		controller or processor. 565 Substitute Bill No. 893
685	685
686	686
687	687		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
688		-	~~R03~~-SB.docx }
	688	+	R02-SB.docx }
689	689		19 of 20
690	690
691	691		(c) If a controller or processor continues to violate sections 1 to 11, 566
692	692		inclusive, of this act in breach of an express written statement provided 567
693	693		to the consumer under this section, the Attorney General may initiate a 568
694	694		civil action in Superior Court and seek damages not exceeding seven 569
695	695		thousand five hundred dollars for each violation of sections 1 to 11, 570
696	696		inclusive, of this act. 571
697	697		(d) Nothing in sections 1 to 11, inclusive, of this act shall be construed 572
698	698		as providing the basis for, or be subject to, a private right of action for 573
699	699		violations of said sections or any other law. 574
700	700		Sec. 11. (NEW) (Effective January 1, 2023) (a) The Attorney General 575
701	701		shall have exclusive authority to enforce sections 1 to 10, inclusive, of 576
702	702		this act by bringing an action in the name of the state, or on behalf of 577
703	703		persons residing in this state. 578
704	704		(b) Any controller or processor that violates sections 1 to 10, inclusive, 579
705	705		of this act shall be liable for a civil penalty of not more than seven 580
706	706		thousand five hundred dollars for each violation. 581
707	707		(c) The Attorney General may recover reasonable expenses incurred 582
708	708		in investigating and preparing the case, including attorney fees, of any 583
709	709		action initiated under sections 1 to 10, inclusive, of this act. 584
710	710		This act shall take effect as follows and shall amend the following
711	711		sections:
712	712
713	713		Section 1 January 1, 2023 New section
714	714		Sec. 2 January 1, 2023 New section
715	715		Sec. 3 January 1, 2023 New section
716	716		Sec. 4 January 1, 2023 New section
717	717		Sec. 5 January 1, 2023 New section
718	718		Sec. 6 January 1, 2023 New section
719	719		Sec. 7 January 1, 2023 New section
720	720		Sec. 8 January 1, 2023 New section
721	721		Sec. 9 January 1, 2023 New section
722	722		Sec. 10 January 1, 2023 New section
723	723		Sec. 11 January 1, 2023 New section Substitute Bill No. 893
724	724
725	725
726	726		LCO {\\PRDFS1\SCOUSERS\FORZANOF\WS\2021SB-00893-
727		-	~~R03~~-SB.docx }
	727	+	R02-SB.docx }
728	728		20 of 20
729	729
730	730
731	731
732	732		GL Joint Favorable Subst.
733	733		JUD Joint Favorable
734		-	APP Joint Favorable
735	734