General Law Committee
JOINT FAVORABLE REPORT
Bill No.: SB-6
AN ACT CONCERNING PERSONAL DATA PRIVACY AND ONLINE
Title: MONITORING.
Vote Date: 3/15/2022
Vote Action: Joint Favorable Substitute
PH Date: 3/3/2022
File No.:
Disclaimer: The following JOINT FAVORABLE Report is prepared for the benefit of the
members of the General Assembly, solely for purposes of information, summarization and
explanation and does not represent the intent of the General Assembly or either chamber
thereof for any purpose.
SPONSORS OF BILL:
General Law Committee
Co-Sponsors:
Sen. Martin M. Looney, 11th Dist. Sen. Rick Lopes, 6th Dist.
Sen. Bob Duff, 25th Dist. Sen. James J. Maroney, 14th Dist.
Sen. Saud Anwar, 3rd Dist. Sen. Douglas McCrory, 2nd Dist.
Sen. Jorge Cabrera, 17th Dist. Sen. Patricia Billie Miller, 27th Dist.
Sen. Steve Cassano, 4th Dist. Sen. Marilyn V. Moore, 22nd Dist.
Sen. Christine Cohen, 12th Dist. Sen. Derek Slap, 5th Dist.
Sen. Mary Daugherty Abrams, 13th Dist. Sen. Gary A. Winfield, 10th Dist.
Sen. Mae Flexer, 29th Dist. Rep. Lucy Dathan, 142nd Dist.
Sen. John W. Fonfara, 1st Dist. Rep. Mitch Bolinsky, 106th Dist.
Sen. Will Haskell, 26th Dist. Rep. Michael A. Winkler, 56th Dist.
Sen. Julie Kushner, 24th Dist. Sen. Dennis A. Bradley, 23rd Dist.
Sen. Matthew L. Lesser, 9th Dist. Rep. Gary A. Turco, 27th Dist.
REASONS FOR BILL:
The digital world is perpetually growing, more and more people are utilizing the internet to
schedule appointments, shop, and input information. With this being true, it is more important
than ever to protect consumers' personal information. This bill will help to create a basis that
will help to control and process personal data, will give a list of responsibilities along with
privacy protection standards for data controllers and processors, and allow consumers to
change, delete, and gain access to personal data. Consumers will also be given the choice to
not have personal data processed for the purpose of targeting advertisements. Controllers
are required to limit the data they gather as well as not process data that is unnecessary nor
any data that does not associate with their intentions. Consent must be given to process a
consumer's data and create actions that will help to protect it. This bill seeks to give power
back to consumers by creating rights and limiting the collection of personal data to what is
adequate, relevant, and reasonably necessary. It seeks to protect the people of Connecticut
and set an example for the rest of the country by filling a void and establishing key consumer
rights and protections.
PROPOSED SUBSTITUE LANGUAGE:
Changes were made in section 3 of the bill in order to address concerns around HIPPA-
adjacent information and the Gramm-Leach-Bliley Act for hospitals and financial institutions.
These changes are seen from lines 169-179 and this language change reflects the input of
the healthcare and financial industries.
Section 6 (1)(B) was amended to change the dates surrounding consumer opt out or opt in
preferences, an area of concern for many who support the bill with modifications. These
changes can be found lines 402-427.
Section 12 was removed from the bill.
RESPONSE FROM ADMINISTRATION/AGENCY:
William Tong, Attorney General, State of Connecticut
Mr. Tong, the State of Connecticut Attorney General, supports the bill. The Office of the
Attorney General ("Office") believes this bill contains privacy protections that are crucial in an
era of increasing reliance on technology. This bill that has benefitted of input of various
stakeholders, which has aided in creating a structure that gives the best tools to be fair and
thorough in this work. This bill enables the Office to appropriately investigate alleged violators
and make use of a wider ray of redress options including penalties and injunctive relief. The
Office also believes that the sunset of the 30-day cure period is needed to ensure meaningful
enforcement of the law as it provides time for businesses to adjust. The Office does have
concerns about sweeping exemptions that could serve to dilute the effect of the law. They
believe exemptions should be tied to the information such laws are designed to protect, not
entities. Despite this concern Attorney General Tong supports the bill.
Vicki Veltri, Executive Director, Connecticut Office of Health Strategy
Vicki Veltri, on behalf of the Connecticut Office of Health Strategy (OHS), supports the bill
with modifications. OHS has administrative oversight of Connie, formally known as the
Statewide Health Information Exchange (HEI). Connie is a program rooted in statute that
mandates all health care providers capable of connecting to statewide HIE do so. The bill is
designed to protect consumer personal information from unwanted sales and dissemination.
OHS notes that Connie does not sell personal information of consumers. OHS has provided
detailed information about concerns surrounding the exemptions section
NATURE AND SOURCES OF SUPPORT:
Bruce Adams, President & CEO, Credit Union League of Connecticut
Page 2 of 12 SB-6
Mr. Adams, on behalf of Connecticut's 90 credit unions, supports the bill with modifications.
Credit unions are not-for-profit cooperatives that are controlled and owned by their members.
As they are already highly regulated, they believe they should be exempt from the
requirements of this legislation because of the preexisting protections in the federal Gramm-
Leach-Bliley Act. This legislation as written will create lower interest rates on savings, higher
interest rates on loans, reduction in service to members, and reduced investment in the
community. This bill has an important goal in protecting the consumer against cyber-attacks
and data breaches, Connecticut's credit unions look forward to working with the committee to
draft common sense legislation.
John D. Blair, Associate Counsel, CT Business and Industry Association
Mr. Blair supports the bill with modifications. The Connecticut Business and Industry
Association (CBIA) represents companies across the state, ninety-five percent of their
member companies are small businesses with less than 100 employees. As the country
emerges from the pandemic, CBIA has encouraged legislation that helps keep costs down for
small businesses. If this legislation is overly aggressive or not drafted carefully, there are
legitimate concerns about the negative financial impact on small businesses. This impact has
been seen on small businesses in other states that have passed privacy laws. They believe
that a federal act would be the best remedy as multi-state organizations must comply with
different sets of rules depending where they are doing business. Being uniform with other
states that has passed laws that work well is another option to avoid differing rules. CBIA also
advocates for open data sharing, arguing it has become the lifeblood of the global economy.
Bristol Hospital
Bristol Hospital supports the bill with modifications, and they offer potential language changes
to address their concerns. The bill tries to balance important consumer protections with the
need to avoid interfering with legitimate data uses. The bill does this through exemptions.
However, Bristol Hospital believes the exemptions fall short for healthcare. The current entity-
level exemption for healthcare entities lists only hospitals as exempt, which immediately
disregards most pediatric practices and physician offices, surgery centers, and many nursing
homes, as well as other healthcare providers. The draft bill contains an exemption for "public
health", as defined in federal law as exclusively relating to activities only when a public health
authority is involved. This exemption does not expressly cover population health and
community health activities of providers or others outside of government, even though
population health and community health have long been recognized as necessary to
addressing healthcare disparities. This bill should also provide an express exemption
covering Connecticut's Patient Safety Organization law. They hope the bill can also include
501(c)(6) non-profit entities, and other similar entities. The law should provide a clear,
understandable, and express exemption for third parties that preform data storage and
colocation services, but that do not directly use data. The final concern of Bristol Hospital
expressed was that the Office of the Attorney General, as swiftly as possible, set up and
operate a unit to offer timely technical assistance to answer questions that businesses have
as they prepare for implementation of the new law.
Dena M. Castricon, DMA Law, LLC
Dena M. Castricon supports the bill. As a privacy and healthcare attorney with nearly 20
years' experience and two certifications in privacy from the International Association of
Privacy Professionals, Mrs. Castricon was a participant in the informal working group created
by Senator Maroney. The bill before the committee is the best version of bill to date and
Page 3 of 12 SB-6
evidences a balanced approach to consumer privacy while harmonizing well with existing
consumer privacy legislation. This commonsense legislation is designed to protect consumer
data privacy and promote a culture where data privacy is valued and respected by all.
Connecticut Trial Lawyers Association
Connecticut Trial Lawyers Association (CTLA) supports the bill with modifications. They
believe that the bill should be amended to delete Section 11 and replace it with a private right
of action for violations of its provisions. They offer suggested language that is from Consumer
Reports Model State Privacy Act and recommend inclusion of the language in the final
version of the bill. As the bill currently stands, the Attorney General is the sole authority to
enforce its provisions.
Lucy Dathan, Representative, State of Connecticut House of Representatives
Representative Dathan supports the bill. In the digital age, utilizing the internet has become
increasingly common. Unfortunately, this has led to entities tracking user data and selling it
for profit without the consent of the user. Representative Dathan believes that it is a
consumer's right to make the decisions what it done with their data, and an entity should not
be allowed to track and sell data without the approval of the consumer.
Bob Duff, Senate Majority Leader, State of Connecticut
Senator Duff supports the bill. With the past 50 years seeing technological advances altering
our society in ways past generations could not imagine, with internet serving as a part of daily
life. As society advances with technology, government must act to meet the new threats that
accompany innovation. Therefore, Connecticut has a dire need for data privacy legislation.
Companies compile details like names and birthdays, religious beliefs, or political
preferences. Alarmingly, companies are even storing biometric data including fingerprints and
retina scans, often being collected and stored without the consumer's knowledge or
understanding. This collection of data is done in an attempt to make a profit at the cost of
consumer privacy. Furthermore, the consumer data that is being stored is often inadequately
protected, putting the consumer data at risk. There are frequent hacking attempts on this type
of data due to the lucrative nature of consumer information. Senator Duff believes consumers
should have the right to know went their personal data could be at risk of cyberattack and be
given the tools to protect themselves and their information. This legislation is long overdue,
and while the United States Congress has failed to act, Connecticut has the chance to be
among the leading states in consumer and internet privacy, paving the path for other states to
follow.
Nora Duncan, State Director, AARP Connecticut
Nora Duncan, representing AARP and their 600,000 members in Connecticut, supports the
bill and offers recommendations to strengthen the legislation. AARP has a clear data privacy
policy in support of consumer choice and control, privacy by design, and transparency and
accountability. Miss Duncan highlights aspects of the bill that align with AARP policy including
that it: imposes data minimization requirements; prohibits processing data in violation of anti-
discrimination laws; and provides consumers with the right to access, correct, delete, and
export to a usable format their personal information. AARP provided proposed amended
language that they believe will strengthen the bill.
Eric George, President, Insurance Association of Connecticut
Page 4 of 12 SB-6
Mr. George, on behalf of the Insurance Association of Connecticut (IAC), supports the bill
with modifications. The insurance industry strongly believes in privacy protections for
consumers. Both consumers and companies need privacy requirements that are: consistent
and equivalent across state lines, provide equal protections for all consumers regarding
where they are located, support growth and innovation, and provide legal transparency.
Differing privacy standards are likely to lead to consumer confusion and differing consumer
rights and protections, obstructing the flow of information and impeding interstate commerce.
They strongly recommend that the current state and federal framework for consumers'
personal information by synced with the bill in order to avoid conflicts. Therefore, they request
language be added to the bill containing a clear, entity-level, federal Gram Leach Bliley Act
exemption.
Ernie Gray, Founder, Findhelp
Ernie Gray supports the bill with modifications. Findhelp urges language establishing specific
safeguards for HIPPA-adjacent data produced through the access and use or social services
through closed-look referral management systems be included in the bill. This data deserves
further consideration and should be protected with the highest level of care given its sensitive
nature. Social service providers are typically small community-based organizations that do
not typically "covered entities" under HIPPAs federal law. This means that they are not
guided by the same policies and protections placed on traditional healthcare providers.
Findhelp supports the effort to establish safeguards for consumer data but urges adoption of
additional protections and parameters overseeing the development and operations of closed
loop referral management systems.
Liz Gustafson, MSW, State Director, Pro-Choice Connecticut
Liz Gustafson, on behalf of Pro-Choice Connecticut, supports the bill with modifications. They
urge adoption of language aimed at protecting HIPPA-adjacent data that left unregulated, will
have a negative effect on consumer behavior in accessing and using crucial social services.
Privacy is a non-negotiable component of exercising bodily autonomy and reproductive
freedom. Thus, Pro-Choice Connecticut urges adoption of the bill with the language
protecting HIPPA-adjacent data.
Scott Hobson, MPA, Assistant Vice President of Government Relations, Big I
Connecticut
Mr. Hobson, on behalf of Big I Connecticut, supports the bill with modifications. The way the
bill is drafted, there is an exemption for nonpublic personal information collected, processed,
sold, or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA). Big I Connecticut submits
that this exemption be broadened to exempt entities subject to the GBLA. An entity level
GBLA exemption is a reasonable approach to alleviating confusion and compliance
challenges without compromising the security of consumer data.
Andrew A. Kingman, General Counsel, State Privacy and Security Coalition
Mr. Kingman on behalf of The State Privacy and Security Coalition (SPSC) supports the bill
with modifications. Five suggestions are highlighted as the most important issues to address:
right to cure amendments, fully alight the bill with the Children's Online Privacy Protection Act
(COPPA) and align the age requirements with other state laws, remove third party opt-out in
order to reduce consumer vulnerability, further clarify the definition of "profiling", and ensure
that proprietary information has strong protections. These amendments are not the only
changes they see as necessary, but they are the most important issues. The amendments
Page 5 of 12 SB-6
are offered in the spirit of keeping consumers safe and in control of their data, ensuring that
controllers and processors are not disproportionately at risk of enforcement, and of greater
alignment with federal law.
Maureen Mahoney, Senior Policy Analyst, Consumer Reports
Maureen Mahoney, on behalf of Consumer Reports, supports the bill with modifications. Two
recommendations were offered to better ensure consumer privacy. First, limit exemptions for
pseudonymous data. Second, broaden opt-out rights to include all data sharing and ensure
targeted advertising is adequately covered. They support several key provisions in the bill
including non-discrimination, authorized agent rights, prohibition on dark patterns, data
security requirements, and sunset on the right to cure.
Bruce Morris, Director of Government Relations, TicketNetwork, Inc.
Mr. Morris, on behalf of TicketNetwork, supports the bill. TicketNetwork is a leading resale
marketplace that facilitates transactions between third-party event ticket buyers and sellers.
Overall, they support the bill as it falls in like with the laws of California, Virginia, and
Colorado to ensure strong privacy protections for consumers. However, they caution the
legislature that any divergence from the framework that has been established by states that
have already passed similarly privacy legislation will be complex. In fact, in some cases it will
make operations impossible for businesses like TicketNetwork. Legislation that is passed
must be compatible with the existing state laws. This will not only benefit businesses, but also
consumers who will be confident knowing that they will receive consistent protections
regardless