If approved by the House of Representatives and signed into law by Gov. Ned Lamont, it would culminate a five-year effort by lawmakers including Senate Majority Leader Bob Duff, D-Norwalk.
"Over time we have seen how important data privacy is for all of us," Duff said at the end of the three-hour debate. "We have a crisis of privacy in our country. There is no expectation of privacy anymore and something is wrong with that. There is a crisis of privacy that we must overcome to give people a modicum of confidence. I think this is one of the biggest issues in this country for decades."
It would allow for consumers to see what kind of personal data is tracked by Internet carriers and processors; allow for that information to be corrected or deleted; and allow consumers to opt out of advertising that often follows them around the web. It would also raise the age for youths to opt-in for data-sale eligibility from the current 13 years of age to 16.
By January 1, 2025, Internet carriers and data managers would have to create global privacy controls. The bill was massively amended this week amid bipartisan concerns on what entities would be liable for data breaches, protecting restaurants and retailers from responsibility for straight business transactions.
"This is fast-changing and we're going to have to keep up with it," said state Sen. James Maroney, D-Milford, co-chairman of the legislative General Law Committee who led the issue over the last year, brought the bill to the floor and described it as a hybrid that used similar laws in Virginia and California as templates.
One of the goals is to stop identity theft, which in 2020 affected 6,281 state residents who paid an average $1,100 per incidents, plus hundreds of hours of effort in fighting back.
By the time a child is 18, they have made 70,000 social media posts.
"Unfortunately, we cannot change any of this," Maroney said. "The genie is out of the bottle. It will be nearly impossible to put it back in. What we're doing today is simply saying that Connecticut residents have the right to know what data is being collected about them, how it is being used, and to ask companies to tell companies not to sell their data. Further, we establish responsibilities for companies that track the data of Connecticut residents, to limit the data they collect; to take care to protect that data so we don't have as many victims of identity theft."
During an extensive collegial back-and-forth with veteran Sen. Kevin Witkos, R-Canton, a top Republican on the General Law Committee who co-sponsored the bill, Maroney outlined the details of the legislation. "This is a very in-depth bill and you don't realize how much it impacts you on a daily basis and in some cases an hourly basis until you dive into it and become familiar," Witkos said.
Businesses required to participate include companies that possess the data of 100,000 state residents excluding processes solely for purchases. Small convenience stores would not be included because they are also not collecting personal data. Businesses that collect data online and have the data of 100,000 residents in the previous calendar year are included, as well as companies that monetize data that represents at least 25 percent of their income comes from sales.
Senate President Pro Tempore Martin Looney, D-New Haven, said the legislation is one of the most-important bills in this legislative session, which ends at midnight on May 4, "It is something that we need to recognize that without it we will continue down a path that will erode any sense of security and privacy that individuals might have," Looney said. "This bill is going to be one of the stronger ones," he said, adding that Consumer Reports supports the bill.
©2022 the San Antonio Express-News, Distributed by Tribune Content Agency, LLC.