Concord Privacy News: 5/13/25
Business Community Unites Against Proposed Changes to Connecticut Data Privacy Law
The U.S. Chamber of Commerce has joined numerous trade organizations and local chambers in opposing Senate Bill 1356, which would significantly overhaul Connecticut's Data Privacy Act (CTDPA). In a May 8 letter to Governor Ned Lamont, Chamber officials urged him to veto the bill if it reaches his desk.
Sweeping Changes Proposed
SB 1356, which recently advanced through the General Law Committee on a 16-5 vote, would dramatically alter the CTDPA by:
- Lowering compliance thresholds from 100,000 consumers to 50,000 consumers (and from 25,000 to 12,500 consumers for businesses deriving over 25% of revenue from selling personal data)
- Adding a strict data minimization requirement limiting data collection to only what's necessary for specifically requested services
- Expanding definitions of sensitive data to include precise geolocation, religious beliefs, and union membership
- Requiring data broker registration with the Department of Consumer Protection
- Prohibiting the sale of consumer health data without explicit consent
- Implementing stricter protections for data from consumers under 18
Small Business Concerns
"SB 1356 would drastically change Connecticut's data minimization standard and effectively prohibit the collection of data beyond providing or maintaining a product or service specifically requested by a consumer," said Michael Blanco, the U.S. Chamber's director of state and local policy. "This would significantly inhibit innovation."
Business advocates warn the reduced thresholds could disproportionately burden small enterprises. The U.S. Chamber argued that "the reduced threshold could subject companies like food trucks and coffee shops that conduct only 96 unique transactions a day to complex data minimization standards."
Background on CTDPA
Adopted in 2022, the original CTDPA was crafted as a compromise with the business community, establishing one of the first comprehensive consumer data privacy frameworks in the country. The law has since been cited nationwide as model legislation and adopted by other states.
According to the Attorney General's Office, businesses covered under the current act must honor universal opt-out preference signals from Connecticut residents beginning January 1, 2025.
The bill now awaits action in the state Senate, with business advocates warning the changes would put Connecticut small businesses at a competitive disadvantage compared to those in states with less stringent requirements.
Other Privacy News of Note
Google to Pay Texas $1.4 Billion in Data Privacy Settlement
Google agreed to pay nearly $1.4 billion to the state of Texas to settle allegations of violating the data privacy rights of state residents, Texas Attorney General Ken Paxton said Friday. Paxton sued Google in 2022 for allegedly unlawfully tracking and collecting users’ private data. The attorney general said the settlement, which covers allegations in two separate lawsuits against the search engine and app giant, dwarfed all past settlements by other states with Google for similar data privacy violations. Read more.
California Weakens AI and Privacy Rules, Giving Tech Giants More Leeway
California’s first-in-the-nation privacy agency is retreating from an attempt to regulate artificial intelligence and other forms of computer automation. The California Privacy Protection Agency was under pressure to back away from rules it drafted. Business groups, lawmakers, and Gov. Gavin Newsom said they would be costly to businesses, potentially stifle innovation, and usurp the authority of the legislature, where proposed AI regulations have proliferated. In a unanimous vote last week, the agency’s board watered down the rules, which impose safeguards on AI-like systems. Read more.
