Issue link: https://nebusinessmedia.uberflip.com/i/1471059
25 HARTFORDBUSINESS.COM | June 20, 2022 Russell Anderson is a business and technology attorney with the Connecticut law firm Pullman & Comley PHOTO | CONTRIBUTED companies operating in Connecticut and other states with existing privacy laws, said Anderson, and their leaders have largely brought their operations up to date to be compliant with the existing array of state statutes. "For many national companies, the Connecticut law is like adding another asterisk," said William Roberts, a partner in the Hartford office of Day Pitney LLP. "Many big companies subject to the Connecticut law are already subject to similar laws in other states." But CDPA is the first privacy law of its type passed in New England, Roberts noted. Regional businesses and those that operate only in- state should start evaluating the law's thresholds, he said. Under that umbrella are businesses that sell goods or services directly to consumers through their websites, social media and mobile application platforms or other online marketing tools, he said. How many Connecticut-based businesses will be impacted is uncertain, said Linn Freedman, chair of the data privacy and cybersecurity team at Robinson+Cole, a national law firm with offices in Hartford. "Connecticut-based companies need to take a look at the law and determine whether or not it applies to them," she said. "And if it NMLS #402928 When you partner with Chelsea Groton, you get the loan * AND customized support! *Subject to credit approval. chelseagroton.com/growthatbusiness or call 860-448-4295 doesn't, they need to document that and keep watching the laws." Freedman also noted a potentially narrow group of businesses may fall under the law's scope because of its many exemptions. The law doesn't apply to nonprofits, state and local governments, higher education institutions, financial and healthcare institutions, among others. It also exempts 16 categories of data including specific information regulated by the Health Insurance Portability and Accountability Act, Fair Credit Reporting Act, and specific employee and job applicant data, among other categories. Big investment to comply Legal experts agree companies can begin to take steps to prepare for the new law before its implementation deadline next summer. For example, the law essentially demands that companies devote sufficient resources to ensuring the privacy and security of consumer data. "There's a lot of detail behind it," said Freedman. A first step for businesses is to look at all their data governance policies and procedures both internally and outwardly facing, said Lombardi. "They'll need to ensure those comply with the rules in Connecticut — and potentially other jurisdictions — and can be operational between now and the compliance deadlines." Businesses, for example, are required to conduct and document a data protection assessment, essentially mapping what personal data is collected, its characteristics and potential security exposures with their third- party vendors. Businesses may also need to reduce those data flows to meet the law's data minimization requirements to include only information that is "adequate, relevant and reasonably necessary." That's a review process that can take up to six weeks for small businesses to many months for larger ones, said Ziplow. "Lots of companies have third-party contracts and don't know where that data is going and who is selling what," he said. While contracts with third parties will need to be reviewed and potentially rewritten to address the law's data security protections, businesses may also need to refine existing information systems or consider outsourcing functions required to meet their obligations to respond to consumer requests regarding data access, deletion, portability and correction as well as set up new privacy dashboards accessible online or through mobile apps. Upfront costs could be significant, including the need to hire an employee devoted to data privacy issues, for businesses to comply with the new law, legal experts agree. "Complying with the law is going to take time, energy and potentially a big investment," said Anderson. Linn Freedman Rebuilding State Pier, reimagining our future A New Day for New London To learn more visit revolution-wind.com