Legislation adding Connecticut to the growing number of states enacting data privacy regulations moved out of the General Law Committee Tuesday with modest bipartisan support despite lingering concerns about its impact on smaller businesses.
The committee voted to advance the proposal, which is generally designed to give consumers more transparency and control of their personal data collected by companies on the Internet. If passed by the broader legislature, Connecticut would follow California, Colorado, and Virginia, which have all made different efforts to regulate the complicated new industry.
Senate Democrats have made the bill a priority this year, after a similar proposal faltered late last session. On Tuesday, its main proponent, Sen. James Maroney, D-Norwalk, was homebound due to a positive COVID-19 test, but during a hybrid meeting split between Zoom and the Legislative Office Building Maroney cautioned against inaction on the issue.
“Much is made of the cost of compliance but we don’t speak enough about the cost of not doing anything,” Maroney said. “If you look at the cost to consumers of identity theft, in 2020, the cost to consumers across the country was $720 billion.”
Concerns over the cost of compliance were largely directed at Connecticut’s small and mid-sized businesses, who several lawmakers worried would get caught in the legislation’s net. Any company that controls or processes the data of at least 65,000 consumers would fall under the bill’s jurisdiction requiring it to take steps to protect that data and make it accessible to the consumer.
Retailers, grocery stores and restaurants have raised concerns that things like loyalty programs or menu apps may force their businesses under the bill’s umbrella. Rep. David Rutigliano, a Republican and restaurant owner from Trumbull, echoed some of those concerns Tuesday. Rutigliano voted against the proposal but said he would support it if it were drafted more narrowly.
“[The bill] seems to capture some businesses unintentionally or intentionally that maybe aren’t peddling in data,” Rutigliano said, pointing to various apps used by restaurants and stores. “I would support the bill if it narrowed its focus to people who trade in this commodity. If they buy it, they sell it, or they use it in any fashion to monetize it, they should probably be subject to the bill.”
Maroney argued that unprotected data can stir up problems for consumers regardless of whether the company that retains the data profits from it.
“Even though a restaurant may not be selling the data, what happens if you don’t protect that data and your customer’s credit card gets stolen?” Maroney said.
Rep. Holly Cheeseman, R-East Lyme, worried about store loyalty programs, in which consumers voluntarily agree to have their shopping habits tracked in exchange for deals or gas points.
“This is an admirable goal, I am confident we can reach a point where we can protect the data of our residents but also do it in a way that we get it right,” Cheeseman said. “California is on the second iteration of their bill. I think this is an important enough topic that we do aim to get it right.”
Maroney said he would continue to discuss ways to protect customer loyalty programs as the bill makes its way through the legislative process.
Although the bill passed the committee largely on Democratic votes, it did receive support from some Republicans including Rep. Timothy Ackert, R-Coventry, and Sen. John Kissel, R-Enfield.
“This is not an easy bill to get one’s arms around and I’d like to breathe some more life into it and see where it goes from here,” Kissel said.