Vancord CyberSound

074 - Connecticut Data Privacy Act: Be Prepared

March 27, 2023 Vancord Season 1 Episode 74

The Connecticut Data Privacy Act (or “CTDPA”) is going into effect on July 1, 2023, making Connecticut the fifth state to pass a comprehensive data privacy law that protects consumers. How will this new law impact your organization, and are there any obligations you should know?

On today’s episode of CyberSound, Jason and Steve talk with Rob McWilliams, Data Privacy Consultant at Vancord, to educate listeners on what this law means. Read more on the CTDPA here.

00:00

This is CyberSound. Your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl and Steven Maresca.


Jason Pufahl  00:12

Welcome to CyberSound. I'm your host, Jason Pufahl, joined today by Steve Maresca and Rob McWilliams. Rob recently joined, talking a little bit about some data breach, data incident work. Joining again today to talk about the new Connecticut Data Privacy Law that's due to, I think, due to go into effect July of 2023, if I recall.


Rob McWilliams  00:35

July, the first, 2023.


Jason Pufahl  00:36

July, the first. So, welcome, Rob. Thanks for joining again, I appreciate it. 


Rob McWilliams  00:39

Not at all, thank you. 


Jason Pufahl  00:41

So yeah, I mean, if you can, let's, let's start talking a little bit about this. I think Connecticut is the, what, the fifth state that now has an official data privacy law in place?


Rob McWilliams  00:51

Yes, I believe that is the count. So it comes after California, which so often leads the way and has done with comprehensive data privacy laws. It comes after Colorado, Virginia, and Utah. And then, so we're number five. I say we because we're here and close to Hartford. And it does take effect on July the 21st. Sorry, July the first, 2023.


Jason Pufahl  01:24

So, so what does it mean for everybody? Right, everybody in the state, I assume businesses primarily in the state. How does it impact them? And what do they have to start thinking about?


Rob McWilliams  01:32

Great question. It's come to be called the Connecticut Data Privacy Act. But the more long-winded title, the one that you'll find in the legal documents, is An Act Concerning Personal Data Privacy and Online Monitoring. And I think that online monitoring is fairly key, as we will see, because this act is scoped very precisely, and it certainly is not going to apply to every business in Connecticut. It's not going to apply to the mom and pop pizza shop down the road, for example. So, there are two broad types of organization that it will apply to at a high level. One is businesses that do business in Connecticut. The other one is businesses that sell products or services to Connecticut residents. So you don't have to be incorporated in Connecticut or have a physical office in Connecticut. If you're outside the state, but you're selling to Connecticut consumers, this act will apply to you, too. And there's also a size threshold, and this is why I was talking about the mom and pop shop. You basically have to, your organization basically has to either handle the personal data of 100,000 consumers, and that excludes for the purpose of completing payment transactions. Or, you have to handle the personal data of 25,000 consumers and derive more than 25% of your revenue from sales of personal data. So to sort of interpret that, the first threshold means that small, even medium-sized businesses will probably not be caught by this act. 100,000 consumers, that's Connecticut consumers, not worldwide consumers, is quite a high number.


Steven Maresca  03:58

Is that volume on a yearly basis, overall time? How does that apply?


Rob McWilliams  04:03

It's over the previous year, so if in the year to date you've handled the personal data of more than 100,000 Connecticut consumers, and you do business in Connecticut, etc., then the act will hit you. The second one, the 25,000 consumers but deriving more than 25% of your revenues from sales of personal data, is intended to bring under the law businesses that are very personal information centric, for whom personal information is in fact part of their business collecting.


Jason Pufahl  04:44

The 25% is an interesting number, I've been trying to think through because 25,000 actually doesn't seem that high for the consumers, but then and derived over 25% of gross revenue. That could be a totally different number ultimately.


Rob McWilliams  05:00

It could. It's worth remembering, and we'll come to this, that the definition of a sale of personal data is very broad. Most of us will think of a sale as something where something is handed over and cash is given in return. These laws, including Connecticut's, define it much more broadly; it's basically sharing personal information for money or for some other valuable thing. So if, for example, you are a retailer, and you disclose the personal information of consumers who come to your website to other businesses, for some advantage, that's a sale.


Jason Pufahl  05:47

Okay. So, okay.


Rob McWilliams  05:52

Just to continue the theme of sort of the actual scope of the law, there's a whole raft of entities that this does not apply to. So state and local government entities, for example, so this does not concern K-12 schools. It doesn't bring in the DMV or anything like that. Nonprofits, not part of it. Higher education institutions, not part of it.


Jason Pufahl  06:25

Higher education, public and private, yeah?


Rob McWilliams  06:29

Yep. Financial institutions that are subject to the Gramm-Leach-Bliley Act, that's most of them. And organizations that are subject to HIPAA, covered entities and business associates. So that's a lot of organizations that will not be, and finally, perhaps the last big one is it doesn't cover personal data of people acting in any employment capacity. So basically, if you are a business to business organization, and you collect the personal data of your business contacts, the law doesn't cover that; it really does cover what we would call B2C, Business to Consumer stuff. So there's a lot of exclusions there. And as if that weren't enough, well, we've mentioned education, but data that's covered by FERPA is excluded from,


Jason Pufahl  07:38

So but ultimately, it feels like this is intended to bridge the gap where there isn't an existing privacy law in place, right? So HIPAA exists to protect information. So they've excluded it from this, because there's already legislation in place for it. I mean, that's what it feels like you're outlining. So, I want to make it clear, it's not that they are looking to exclude businesses, but necessarily, probably more so cover those that have been excluded to date.


Rob McWilliams  08:07

I think that's a pretty good way of putting it. And if you remember, at the beginning, I stressed that official name of the act, which is An Act Concerning Personal Data Privacy and Online Monitoring. It's very focused on the online world, and the sort of digital trading of digital information, the digital economy, if you like; it's very focused on that part. That said, it's going to hit, I don't want to make it sound as if this applies to practically nobody. That's not the case. I think retail organizations, for example, will be, this will be a big deal for them. Increasingly, collecting and sharing personal data is a very big part of the retail business. The whole internet advertising ecosystem, online publishers, you know, anyone who publishes a website that attracts a lot of visitors, and then they monetize that data from that website, will be covered by it. Ad tech, data brokers. I think it could well bring in a lot of the recreation, entertainment, hospitality industries, and then the whole industries around personal services, apps, you know, games, dating, fitness, health, all of that stuff will come under this. Education technology providers, even if the educational institutions themselves are not directly affected by this law, organizations that sell technology services and solutions to them, and collect personal data as part of that, will.


Steven Maresca  10:01

So, I have a question on this because I think that I have an intuition that some organizations consider their customer base to be smaller than the thresholds that you referenced. But I do wonder if merely the act of performing advertising that is in any way monitoring, click throughs, or impressions made, might be sufficient to push them over that threshold?


Rob McWilliams  10:31

Absolutely correct. California, for example, has a similar threshold. You have to collect the personal data of a certain number of people to reach the threshold for the California laws. But the point has been made that simply having a website that has 100,000, or 50,000, whatever it is, unique visitors a year, takes you to that threshold.


Steven Maresca  11:00

So, Rob, what rights are afforded your everyday average Connecticut consumer as part of this privacy law?


Rob McWilliams  11:08

Okay, that's great. That brings me right on to the obligations for those considerable number of businesses that will be covered by this law. The first thing is that the consumers, they're the people whose data you are collecting and using, have certain rights under the law. And these are now pretty standard across US and international privacy laws. You have the right to get confirmation from that business about whether or not they collect personal information about you. And if they do, you have a right to access that data. Say, okay, show me the data that you collect about me. You have the right to correct that data, you have the right to have that data deleted. Now, in some privacy laws, the only data that you can ask to have deleted is the data that you have provided to that organization; the Connecticut law goes further and allows you to request deletion of data that you have provided, but also data they've obtained about you from elsewhere. And then you have the right in some circumstances to what's called portability, which means that you can ask for the data in a standard format, so you can take it somewhere else, and move more easily from one business to another, one vendor to another. Finally, a very important right is that you have the right to opt out of your data being used for targeted advertising, sale, and what is called profiling for automated decisions. This is going to be a big thing in the future, where so many decisions that might affect us, including negatively, are made with our personal data by machines. And sometimes we don't even know that it's happening. You know, you ask for credit and you get declined. You apply for a job and you don't even get an interview. Sometimes that's done in a completely automated fashion without human intervention. This gives you the right to say I effectively want a human to be involved in this. The other very important part of the rights is effectively the right to information.
And that's where the famous privacy policy comes in. Now, privacy policies, or as privacy people prefer to call them, privacy notices, you know, they're kind of notorious for being incredibly difficult to read, and for not being read by consumers. But they are nevertheless important for organizations to put out there exactly what they do with your personal information. And this law has quite a long list of information that has to be in the privacy notice. So if you're a Connecticut business, or a business that sells into Connecticut, you have to have a privacy notice available to consumers, basically describing what you do with the personal data that gets collected, and it has to be in reasonably plain English. It can't be incomprehensible legalese. There are quite a lot of other obligations; I'll just pick out a few at random. Your organization will have to establish, implement and maintain reasonable security measures. You know, and obviously that depends on the kind of personal data you collect. If it's sensitive personal data, then your security measures will have to be better. The sensitive data at this point, I should say, includes, in all circumstances, the data of somebody under 18 years of age, so there's stuff in here for kids as well.


Jason Pufahl  15:28

You know, which is great. And I don't know if you know, in the other four privacy laws, is there a minor clause like that?


Rob McWilliams  15:37

There's certainly different treatment for children in California, to the point that you can't collect their personal information for sale, that broadly defined sale, without the parents' active consent in California. And obviously, at the federal level, we have COPPA. But that only applies to children under 13, so it was really small children. This, as I mentioned, includes under 18, so there's more protections there for kids, which is becoming a very hot topic.


Jason Pufahl  15:46

Yeah, and we've seen data that was minors' data held long enough to become non-minors' data, then sold later, right, by criminals. So it's great to see some of these things in an act like this.


Rob McWilliams  16:33

Yeah. Yeah. Without a doubt. In fact, the general stipulation in the Connecticut law is that you may not process sensitive data about a consumer without getting their consent. And that consent has to be something proactive; it can't be the famous pre-checked box that we see so many places, that if you don't uncheck it, you're considered to have,


Steven Maresca  17:07

The End User License Agreement everyone breezes right past.


Rob McWilliams  17:12

Right, yeah, it can't be there.


Jason Pufahl  17:15

You don't read every one of those in totality?


Steven Maresca  17:19

That's how I get to sleep at night. 


Rob McWilliams  17:24

And, of course, if a consumer submits a data rights request to you, you have to respond to it. You can't just decide not to. And there's a certain amount of wiggle room. But the general statement in the Connecticut law is without undue delay, but certainly within 45 days after receiving the request, you have to respond to it in some way.


Steven Maresca  17:51

So an adjacent subject, if there's a violation to be found, what is the responsibility of an organization? Is there a cure requirement? And what does that look like?


Rob McWilliams  18:03

Excellent points. Again, I'll just keep it at a high level: the organization has a Right to Cure, meaning that the violation, if cured, will not be enforced against. But that Right to Cure is going to expire quite quickly in the act. I think it's a,


Steven Maresca  18:29

It's a grace period for implementation? I see.


Rob McWilliams  18:31

It is, it's exactly that, and so it's a way of helping businesses get used to having the act, but it's not going to last forever.


Jason Pufahl  18:42

So, I mean, I have the luxury while you're talking with Steve to look. So it's actually 60 days, but a Right to Cure that expires December 31 of 24. So, there is a period of time where if there's a violation that's identified, you know, and it's assumed to be addressable by the Attorney General, they'll give you that 60 days to deal with it. But if it's significant enough, or egregious enough, they may actually just simply waive that, and you don't have those 60 days. So there is a Right to Cure period in there.


Rob McWilliams  19:14

Okay, good. So I was directionally correct.


Jason Pufahl  19:16

Absolutely. So, we've got this act going into effect 2023. It sounds like it addresses gaps that existed across a whole variety of other sort of privacy laws that existed already. It's nice to see Connecticut kind of on the forefront of this. Maybe we reach a point where there's 50 of these, just like there are some of the breach notification requirements, but ultimately, probably a federal law, right, like GDPR and some others, but it'll be interesting to see this go into place. I think there probably won't be, I would assume, immediate fallout, but certainly in some of the places where that, I don't know if you use the term exactly, right to be forgotten, but the ability to sort of transport your data and have your data deleted, that'll become cumbersome and onerous for companies that have maybe set it aside a little bit with GDPR, where they now have to really start thinking about it for us. But, Rob, I appreciate you joining again, I appreciate you, you know, spending some time educating everybody on this data privacy act. Of course, if anybody has any questions, feel free to reach out to us. We'll answer whatever questions we can, probably get a little clearer post July of 23. And as always, we hope you got value out of this podcast, learned a little bit of something, and appreciate you listening. Thank you.


Rob McWilliams  20:43

Thank you, Jason.


20:44

We'd love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.