Companies have eight days left to stop collecting personal info they don’t need from us and to start giving us more access to it — or else they’ll have to answer to Michele Lucan.
Lucan (pictured above) heads the state attorney general’s office’s privacy section. She and her boss, Attorney General William Tong, traveled 10 floors above Chapel Street to the Greater New Haven Chamber of Commerce Wednesday morning to coach two dozen local business people on how to start following the new rules when the Connecticut Data Privacy Act takes effect July 1.
Lucan’s division is in charge of enforcing the new law, which gives consumers new “baseline” rights to their online data. Companies must enable them to access their data, fix mistakes, have it deleted, and easily opt out of having it sold or receiving targeted ads. Companies can’t punish consumers for exercising those rights.
And they must make the rules easy for consumers to see and pursue.
The new law, the fifth such data privacy measure passed by a state legislature, covers for-profit companies doing business in Connecticut that process personal data of at least 100,000 consumers; or, if they derive over 25 percent of gross revenue from selling personal data, of at least 25,000 consumers. The list of companies ranges from retailers like Home Depot to social media companies like Facebook and banks and other financial services companies. Nonprofit businesses like health care institutions already must follow some of the same rules under other laws.
“The state means it when it grants these rights to people,” Tong warned those gathered in the Chamber conference room. “It’s not enough to put on your website some long disclosure that nobody’s going to read, that even I can’t understand. You figure out how to make it understandable and accessible.”
Tong and Lucan offered to help businesses do that. They urged them to contact the office with any questions about how to comply with the law, even if they’re worried they may already be breaking it. A “cure” provision inserted in the law (about which Tong and Lucan did not sound pleased) requires the state to inform companies if they’re violating the law during the first 18 months and give them 60 days to fix the problem.
“Call us. That’s the best way to head off a problem. Come in with hands open,” Tong urged the group. “You will be held accountable. But we will work with you,” especially on the first offense.
And quit collecting Social Security numbers you don’t need, Lucan said. “Take a hard look at what you’re collecting,” because the law requires data harvesters to “minimize” what they gather.
“A lot of companies are collecting a whole lot of data that they don’t really need,” Lucan said.
Tong emphasized that this law marks a first stage in upcoming efforts to protect data privacy, meaning more companies should expect to have to follow more rules in the future about how they handle people’s personal information.
Some in the audience said they want to understand the law better because they work with larger companies that collect enough data to be covered. Others, like CFO Joan Walker of Unapen (at left in above photo), advise affected clients.
K. Mark Davis’s consulting engineers firm, Westcott and Mapes, doesn’t fall under the law. “I’ve got seven guys,” he said. But Davis (at right in above photo) left the meeting inspired nonetheless to reexamine how his firm stores and protects clients’ information from potential breaches. “What are we gathering?” he asked rhetorically. He got Tong’s and Lucan’s message that it’s time for all employers to take a fresh look.