Connecticut privacy bill becomes law
May 9, 2022
Connecticut Privacy Bill Becomes Law
Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring became law May 4 and will go into effect July 1, 2023, making Connecticut the 5th U.S. state to enact a comprehensive privacy law after California, Virginia, Colorado and Utah.
SB 6, the bill implementing the Act, was passed by the state Senate and House in late April and became law automatically after 5 days with no objections from the Governor.
WHY IT MATTERS
Although the Connecticut privacy law consists almost entirely of elements borrowed from other U.S. state laws or the GDPR, it adds complexity to privacy compliance by mixing such elements together in unique ways.
For example, like other U.S. state laws, the Connecticut law requires opt-in consent only in certain circumstances, such as when processing data revealing a health condition or religious beliefs, but the Act borrows an additional requirement from the GDPR to offer a mechanism to revoke consent that is at least as easy as the mechanism to provide it.
As new laws are adopted, these complexities force companies to choose between adopting separate processes for each jurisdiction or a single process that folds in the requirements of each new law.
CPPA Holds Stakeholder Sessions to Prepare for Draft CPRA Regulations
The California Privacy Protection Agency (CPPA), which is tasked with issuing regulations under the upcoming California Privacy Rights Act, held stakeholder sessions May 4-6 to gather industry input on such topics as consumer opt-out rights, dark patterns, consumer rights to delete, correct, and know, and the right to limit use of sensitive information, before drafting the regulations.
WHY IT MATTERS
Feedback relevant to the digital advertising industry included remarks from the Network Advertising Initiative on regulations around opt-out preference signals, specifically suggesting that regulations on that topic should avoid development of prescriptive technological standards, provide an Agency review process for any new specifications, clarify that opt-out signals apply to a single browser or device and don’t require collection of additional data or tying pseudonymous identifiers to known consumers, and specify how a business can prompt a user to override the signal.
UK Queen’s Speech to Include Announcement of Data Protection Reform
According to reports from Sky News, the UK Government will announce in the May 10 Queen’s Speech a new data reform bill. The bill will reportedly be published in the Summer as part of a wider package of data protection reforms.
The UK government will also reportedly be publishing, in the coming weeks, its response to the data protection consultation conducted last autumn.
WHY IT MATTERS
These developments are consistent with the policy document issued by the UK government in late January 2022, which said that the government would be publishing its response to the consultation in Spring 2022 ahead of introducing legislation on reforms to the UK’s data protection regime.
That document identified plans for a new “pro-growth data regime” that would “help to drive growth, innovation and competition across the country and enhance the UK’s global reputation as a hub for responsible data-driven businesses, trusted by consumers to deliver high standards of data protection”, but it did not provide specific detail on data protection reforms.
The consultation cited impact on audience measurement data and the number of cookie pop-ups on websites as issues to resolve, however, so the UK government’s response will likely address such issues.
UK ICO Releases AI Data Protection Toolkit
The UK Information Commissioner’s Office (ICO) published an AI and data protection risk toolkit to provide practical support to organizations in assessing and reducing risks to individual rights and freedoms from AI systems.
The toolkit is a fill-in-the-blank spreadsheet that aids organizations in identifying and documenting a risk assessment and practical steps to comply with legal requirements and ICO guidance at each stage of the AI development lifecycle.
WHY IT MATTERS
Although use of the ICO’s AI toolkit is not required (and is not intended as a replacement for formal impact assessments), the ICO stressed that documenting an organization’s assessment of risk and steps taken to mitigate risk can help the organization demonstrate compliance with UK data protection law.
Canada DPA Issues Recommendations for Federal Privacy Law
The Office of the Privacy Commissioner of Canada (OPC) issued key recommendations for a new federal private sector privacy law to enable digital innovation within a legal framework that recognizes privacy as a fundamental human right.
Specifically, the OPC recommends a privacy law that enables responsible innovation, adopts a rights-based framework, increases corporate accountability, ensures interoperability of laws, adopts quick and effective remedies, and gives the OPC tools to adopt a risk-based approach while being transparent.
WHY IT MATTERS
Canada’s current federal privacy law for the private sector, the Personal Information Protection and Electronic Documents Act (PIPEDA), became law in 2000 and has been amended on occasion since then, most significantly with the addition of breach notification obligations in 2015, but recent years have seen a push for a more significant overhaul.
The last attempt at an overhaul, Bill C-11, proposing the Digital Charter Implementation Act, died in 2021. Quebec then passed Bill 64 in September 2021 (to come into force in September 2023), which was applauded by the OPC and shows a lot of similarities with the OPC’s current recommendations.
A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.