Attorney General Proposes to Roll Back Entity Level Exemptions under Connecticut Data Privacy Act

In a report from February of this year, the Connecticut Attorney General identified several proposed legislative changes to the Connecticut Data Privacy Act that would strengthen or clarify protections afforded to residents of the State.

Specifically, the report states:

The CTDPA contains a myriad of exemptions carving out entities from its requirements. Several states have passed comprehensive consumer data privacy laws without these entity-level exemptions.  For example, while Connecticut’s law flatly exempts all nonprofits—despite the fact that many non-profits collect an extensive amount of sensitive personal data—other state privacy laws, such as in California, Colorado, and Delaware, apply to non-profits. Further, while Connecticut’s law creates blanket exemptions for entities covered by the federal Gramm-Leach-Bliley and Health Insurance Portability and Accountability Acts, irrespective of the data involved, California and Oregon’s laws are appropriately limited to data covered under these laws. The legislature should scale back the entity-level exemptions in the CTDPA. These sweeping exemptions not only put Connecticut residents at a disadvantage, but they further impact the OAG’s ability to uphold the CTDPA’s protections and join forces with our sister states in their efforts to enforce consumer data privacy laws against large national entities.

While these changes would need to be made pursuant to amendments to the current law, the clear message from the Attorney General is that the law should apply at the data level, and not provide broad exemptions for entities that process portions of their data sets under other privacy laws.

The proposal to roll back the entity level exemptions and move to data level exemptions only, if enacted, would be a significant compliance consideration for industries such as financial services, health care, and non-profit organizations.

As more and more states begin to roll out privacy legislation that focuses on data issues, such as data level exemptions, data minimization requirements, or data governance oversight, businesses should take a close look at their data practices overall. Doing a bit of legwork now to look at privacy compliance at the data level may prove to be a significant benefit to the business in the not too distant future.

