Connecticut has joined the growing number of states that have enacted comprehensive general privacy laws. California, Colorado, Utah and Virginia now have such laws. The Connecticut law applies to personal information obtained about “consumers”, meaning individual residents of Connecticut. A “consumer” does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual’s role with the company, partnership, sole proprietorship, nonprofit or government agency. However, as with other U.S. state privacy laws, residents of Connecticut as to whom personal information is collected outside of a commercial or employment context would still be covered by the law. The law becomes effective on July 1, 2023.
The law applies apply to persons (individuals and entities) that conduct business in Connecticut or that produce products or services that are targeted to residents of Connecticut and that during the preceding calendar year: (1) controlled or processed the personal data of not less than one hundred thousand consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) controlled or processed the personal data of not less than twenty-five thousand consumers and derived more than twenty-five per cent of their gross revenue [presumably not limited to Connecticut generated revenue] from the sale of personal data. Among other specified exclusions, the law does not apply to nonprofit organizations.
Nevada also has a somewhat more limited privacy law that protects personal information of a “consumer” – that is, a person who seeks or acquires, by purchase or lease, any good, service, money or credit for personal, family or household purposes from the Internet website or online service of an operator. An “operator” is a person who: (a) owns or operates an Internet website or online service for commercial purposes; (b) collects and maintains covered information (i.e., certain types of personally identifiable information about a consumer collected by an operator through an Internet website or online service and maintained by the operator in an accessible form, as specified in the statute) from consumers who reside in Nevada and use or visit the Internet website or online service; and (c) purposefully directs its activities toward Nevada, consummates some transaction with Nevada or with a resident thereof, purposefully avails itself of the privilege of conducting activities in Nevada, or otherwise engages in any activity that constitutes sufficient nexus with Nevada to satisfy the requirements of the United States Constitution. There are certain limitations on the obligations of operators located in Nevada if they meet certain criteria.
As more and more laws come into effect, it is important for businesses and other organizations to become aware of them, understand their provisions, and where applicable, comply with them.