Conn. AG Backs Privacy Bill With Changes; Industry Opposes Edits
Connecticut’s attorney general supported a comprehensive privacy bill, with caveats including on enforcement. The legislature’s Joint Committee on General Law heard testimony on SB-893 at a webcast hearing Thursday. The New England Cable & Telecommunications Association (NECTA) supports the bill, which mirrors Virginia's, as long as no further changes are made, said Davis Wright privacy attorney Nancy Libin.
Virginia legislators passed a privacy bill last week that awaits the governor’s signature (see 2102250030). Other states with pending privacy bills include Florida, Minnesota, New York, Oklahoma, Utah and Washington.
Connecticut’s law should be interoperable with other state laws, including by aligning definitions, said committee co-Chair Sen. James Maroney (D). Customers should be Connecticut's primary concern, Maroney said, also seeking balance to ensure businesses can operate. Some want to wait for a federal law, but Congress hasn’t acted and other states are stepping in, he said. With the proposed law effective Jan. 1, 2023, there could be time for a working group and possibly further changes, he said.
The legislation correctly vests enforcement in the AG office, and lawmakers should tie investigative authority to the Connecticut Unfair Trade Practices Act, said Chief Counsel Nicole Lake for AG William Tong (D). That law lets the office investigate violations without first suing and gives the office more discretion on penalties, including seeking injunctive relief, she said. Exemptions are “a little too sweeping,” said Lake, recommending carve-outs based on what information is held rather than the type of entity. The plan's “right to cure” provision would hamper the AG’s ability to enforce, and the office would prefer an opt-in rather than opt-out approach, she added.
A state law would be complementary to any future national law, letting Connecticut respond to problems that might be small-scale nationally yet have a big impact locally, said Michele Lucan of the AG’s Privacy and Data Security Department. SB-893 looks flexible enough to accommodate other laws, though further tweaking can make it more so, Lucan said. It’s good to align with other states on the customer-number thresholds used to decide what businesses must comply, but don’t make it so high that it dilutes protections, she warned.
Connecticut’s bill is like Virginia’s when it was first drafted, but Virginia lawmakers made changes during the legislative process along similar lines to what the Connecticut AG office seeks, Lake said.
NECTA thinks SB-893 could be “undone” by even small changes, said Libin. It largely takes the “right approach” by mirroring Virginia’s bill and balancing consumer and business needs, she said. Looking to Virginia is better than looking to California, “which is not a model for success,” and online privacy is an interstate and federal issue best left to Congress, she said. Companies are optimistic the Joe Biden administration, supported by a Democratic-led Congress, can pass a privacy bill, she said. “Federal privacy legislation is more needed now than ever” due to California passing a law and other states considering their own bills, a problematic possible “patchwork” for businesses, she said.
The American Civil Liberties Union supports SB-893, though it “could go further to protect” consumer privacy, said ACLU-Connecticut interim Senior Policy Counsel Kelly McConney Moore in written testimony.