Bill Summary – FastDemocracy

General Law Committee
                           JOINT FAVORABLE REPORT
    Bill No.:    SB-893
        Title:   AN ACT CONCERNING CONSUMER PRIVACY.
 Vote Date:      3/23/2021
Vote Action:     Joint Favorable Substitute
   PH Date:      2/25/2021
    File No.:     360
Disclaimer: The following JOINT FAVORABLE Report is prepared for the benefit of the
members of the General Assembly, solely for purposes of information, summarization and
explanation and does not represent the intent of the General Assembly or either chamber
thereof for any purpose.
SPONSORS OF BILL:
General Law Committee
REASONS FOR BILL:
The purpose of this bill is to establish a framework for controlling and processing personal
data. As technology advances and businesses continue to use that technology to collect
date, a citizen may have less control over where their personal information may be used. This
bill modernizes the states consumer privacy protection laws to address this widespread
personal data collection. To combat this, the bill does 3 major things. The first is the
requirement to notify citizens of the planned collection of any personal data. The second is
the right to delete their personal information that is collected by a company. The third is to
equip consumers with a private right to action and the ability to take legal action if they so see
fit.
JF LANGUAGE:
Makes minor technical changes to enhance the bill.
RESPONSE FROM ADMINISTRATION/AGENCY:
William Tong, Attorney General, State of Connecticut, supports the bill. We do have
some concerns from an enforcement standpoint. As drafted enforcement and investigative
authority falls with the Office of the Attorney General. We suggest that CUTPA be included in
the bill to give us a wider array of options in determining appropriate penalties. The 30 day
period for curing an alleged violation does not incentivize business to comply until a notice
has been provided. The sweeping exemptions in the bill dilute the effect of the law. Any
exemptions should be specific to the information regulated by the law not the entities as a
whole. We would recommend removal of subsection, 9(d) as it is not a requirement for
liability under CUTPA. The opt-out model in this bill places the burden on the consumer
rather than the controller. This would prevent consumers from opting out of selling their dater
and would dilute the effect of the law.
NATURE AND SOURCES OF SUPPORT:
Bob Duff, Senate Majority Leader, State of Connecticut submitted testimony supporting
the bill. This bill modernizes our consumer privacy protection laws to address the business
practice of widespread personal data collection. Companies have virtually no bounds and
can sell consumer information to the highest bidder. When the companies do not properly
protect the information it could fall into wrong hands. There have been numerous data
breaches in just the last few months. National privacy legislation may be years away and it is
up to us to protect the citizens of Connecticut. The bill arms consumers with three crucial
rights.
    1. Notification of the planned collection of any personal information.
    2. The right to delete their personal information gathered by a company.
    3. The right granted by this legislation to equip consumers with a private right to action
        and the ability to pursue legal recourse.
NATURE AND SOURCES OF OPPOSITION:
Kelly McConney Moore, American Civil Liberties Union of Connecticut submitted
testimony in support of the bill. This bill goes further to protect the privacy of Connecticut
residents by requiring transparency, flexibility, affirmative consumer opting in, limiting the
purposes of shared date, requiring purging of date, preventing coercively conditioning
services, requires notification, mandated cybersecurity measures for private and government
units and robust enforcement mechanisms.
Ed Mierzwinski, U.S. PIRG and ConnPIRG supports the bill. Strong consumer privacy
laws are much needed and the need to opt-out of a sale should be stronger. The bill does
not give consumers a private right of action to defend themselves but does allows a data
controller to conduct its own data protection assessments. These are only reviewed by the
Attorney General but not public disclosure.
Tom Swan, Executive Director, Connecticut Citizen Action Group supports the bill. This
is an extremely important and challenging law to craft. The Pew Charitable Trust showed
that over 60% of Americans believe their data is collected and 80% feel they have no control
over the collected date.
John Olsen, Director, Internet Association submitted testimony supporting the bill. The bill
includes important consumer rights and the support of the attorney general to enforce
provisions of this bill.
Yale Dems, Richard Cardoso and William Garcia submitted testimony in support of the bill.
                                                                         Page 2 of 5 SB-893
Tom Foulkes, Senior Director, The Software Alliance supports the bill. The bill supports a
comprehensive national framework that provides consumers with meaningful rights to their
data.
Gregory Dean, FINRA generally supports the bill. There needs to be an exemption for a not-
for-profit entity that regulates broker-dealers. FINRA is already overseen by the Securities
and Exchange Commission and execute their regulatory responsibilities.
Alliance for Automotive Innovation submitted testimony. We support the bill with a few
concerns. Our members already voluntarily exceed many of the obligations addressed in this
bill.
NATURE AND SOURCES OF OPPOSITION:
Tim Phelan, President, Connecticut Retail Merchants Association opposes the bill.
Protecting consumer privacy is one of the highest priorities of any retail business. Retailers
use customer data to provide personalized experiences for a positive shopping experience
for their customers. Retailers invest in technology and spend ears developing methods to
comply with state, federal and global data protection regulations. The bill brings unintended
consequences that place significant burdens on retailers and the language in Section 4 would
have a dramatic, negative impact on the way retailers interact with their customers in regards
to loyalty cards and programs. A uniform national privacy standard is need.
John Blair, Connecticut Business and Industry Association testified against the bill. The
proposals are premature and if implemented would create substantial costs to our members.
There are significant economic benefits to data sharing. The cost to members is inevitably
significant and we have included estimates of initial compliance costs. CBIA requests
allowing consideration and passage of the federal legislation before taking any state action.
America's Health Insurance Plans does not support the bill. We appreciate the bill
exempts those who are subject to Gramm-Leach-Billy Act and Health Information Portability
and Accountability but Connecticut already has robust laws and rules on the maintenance of
consumer information. There are significant federal laws that impact and dominate the
treatment of consumer information. Please consider these existing and comprehensive
frameworks for health insurance providers.
The Credit Union League of Connecticut expressed concerns with the bill. Credit Unions
are not-for-profit financial cooperative business designed to support families and individuals
with financial education. Defending against cyberattacks is regulated for credit unions. The
cost of these regulations would wipe out 100% of profits and send a credit union into financial
trouble. Customers will suffer the effects in increased costs directly or indirectly.
Connecticut Association of Health Plans shares concerns with this bill. Compliance with
the Health Insurance Portability and Accountability Act of 1996 (HIPPA) already protects
consumers. However well intended these efforts to protect personal information may result in
unintended consumer confusion and misinterpretation of such efforts with overlapping state
and federal laws.
                                                                          Page 3 of 5 SB-893
Elizabeth Gara, Connecticut Water Works Association has concerns with the bill. This bill
will subject companies to requirements that will impose additional compliance cost on
companies including water utilities.
Lisa McCabe, CTIA, appreciated the time and effort but respectfully encourage a federal
approach to the privacy issue. State laws make it difficult and expensive for business to
comply. This bill seeks to create a cause of action and penalties for violations. CTIA oppose
inclusion of a private right of action.
Michael Ryan, President, Connecticut Broadcasters Association, the bill provides
considerable details but administration costs and fines remain. We understand the desire to
prevent the unwanted sale and dissemination of consumers' personal data but we believe
unified national guidelines for data collection will be preferable to a patchwork of laws from
multitude of jurisdictions.
American Council of Life Insurers does not support this bill. The current state and federal
regulatory framework for safeguarding consumers' personal information be harmonized with
legislation enacted to avoid and unnecessary conflict or overlapping.
The National Association of Mutual Insurance Companies testified against the bill. We
urge subsequent study be done before any action is taken. Existing laws already address
privacy protections for insurance companies. The Federal Fair Credit Reporting Act
addresses how to handle consumer reports and GLBA allows for fictional financial institution
regulators to implement privacy standards. Under existing laws insurance companies have
federal and state compliance obligations. Overbroad or rushed measures may be expensive.
TECHNET opposes the bill. As the national bipartisan network of technology CEO's and
senior executives that promotes the growth of the economy on a 50 state level there needs to
be a federal standard. Fundamental to any state privacy regime are: building around
consumers' trust, consumer consent, new privacy laws, specific requirements on data
collection, limited privacy laws, need research to establish the role of de-identification, private
rights of action, bans, prohibitions or moratoriums on specific technologies should be
avoided, privacy laws should not limit consumer access and should not be already regulated
by existing federal privacy laws.
Connecticut Hospital Association submitted testimony opposing the bill. The bill puts at
risk legitimate date that are important to healthcare and healthcare advancement. Our three
key areas of concern are:
    1. Excludes some healthcare use cases and it is difficult to understand the parameters of
        the exceptions, does not exempt the importation or acquisition of data inside a
        healthcare continuum or state government. This interferes with Google Health or Apple
        Health or national insurance companies and others. If HIPPA allows these types of
        acquisitions then state law should also.
    2. There is confusion around what healthcare entities are allowed to do with their own
        data. Many terms are defined differently than in HIPPA. This confusion creates an
        inability to address treatment issues.
    3. The bill does not take into account state laws specifically lines 177-179 there is an
        exemption for patient safety work products but is not listed as exempt.
                                                                             Page 4 of 5 SB-893
Reported by: Pamela Bianca   March 29, 2021
                                              Page 5 of 5 SB-893