Connecticut The law applies to entities that either control and/or process personal data of 100,000 consumers or more per year, or control and/or process personal data of 25,000 consumers or more per year if that entity derives more than 25% of its gross revenue from selling personal data. The Connecticut law gives consumers the right to know whether a business collects data about them, as well as to request corrections to or deletion of their personal data controlled by the business. The law also gives consumers the right to opt out of data collection and processing for the purposes of targeted advertising, sale, or automated decision-making based on data profiling—all opt-outs that are similar to provisions in other states’ comprehensive data privacy laws. The law creates affirmative obligations for covered businesses to limit data processing to what is “reasonably necessary” for their purposes, provide a way for consumers to revoke their consent to data processing, and protect consumers’ data with adequate cybersecurity practices. There is no private right of action. The law is enforced by the Connecticut Attorney General. The Connecticut Office of Attorney General released its first Enforcement Report on February 1, 2024. The report highlighted four areas of focus including privacy policies, sensitive data, teens’ data, and data brokers. The Connecticut statute became effective July 1, 2023. Utah The definitions included in the Utah Consumer Privacy Act (UCPA) are similar to those in Colorado and Virginia. The law applies to businesses that are either a “processor” or a “controller” of personal data—borrowing terminology from the European Union’s General Data Protection Regulation (“GDPR”). Unlike either the GDPR or the Colorado and Virginia laws, however, fewer businesses are covered by the UCPA even if they otherwise would qualify as a “controller” and/ or “processor.” Only businesses that have an annual revenue of $25
128
Made with FlippingBook - Online Brochure Maker