Hartford Business Journal – Thursday, November 6, 2025
By Alan M. Winchester
Alan M. Winchester is the leader of Harris Beach Murtha’s cybersecurity protection and response practice group.
Connecticut is joining forces with six other states to ensure their privacy laws are followed and the personal information of individuals is protected.
This could have major consequences for businesses that do not comply.
For those new to privacy law, the United States lacks a comprehensive and exclusive set of laws governing how businesses may use personal information. Instead, each state crafts its own set of laws that apply to its residents, regardless of where the company holding that information is incorporated or where the information is stored.
The attorneys general of Connecticut, California, Colorado, Delaware, Indiana, New Jersey and Oregon have created the Consortium of Privacy Regulators and promise aggressive enforcement of privacy laws. It is expected many companies will adopt a practice that satisfies the strictest of privacy laws, thereby ensuring compliance in all states.
The consortium’s first area of focus is on how companies sell or share personally identifiable information (PII) with other businesses. Most states require an opt-out provision governing the sale or sharing of personal information. Data subjects who don’t want to have their PII sold are directed to communicate that via email.
Practically, few do this because it is a lot of work.
Colorado, Connecticut and Delaware, however, have an opt-in requirement, where data subjects must affirmatively consent to the selling or sharing of sensitive personal information.
Many companies rely on their privacy policies to obtain this consent when a customer first signs up for their services. They might also display an explanatory banner at the time they collect the information.
Companies face challenges with PII laws
But many organizations do not initially intend to sell or share personal information, so they do not seek consent at the time of collection. If they later realize the value of the information and change their minds, they cannot sell or share it without first going back and obtaining that consent.
And many smaller or midsize organizations rely on service providers to manage their websites and customer-facing applications. This can create a disconnect between how the organization understands its website to be configured and how the service provider believes it should be configured, especially if the vendor is located in a state with less strict laws. That disconnect leads to noncompliance.
Still, other companies sell or share PII without realizing it.
For example, the marketing departments of many organizations use Meta pixels or Google Analytics to track website traffic. These services are free, but in exchange they pass information back to Google and Meta about the data subjects and their website interactions.
Totally unaware, many companies share sensitive information because their pixels or beacons aren't properly configured, and the user has neither consented to, nor knows about, the PII being collected and shared.
To address this, some organizations have created universal opt-out mechanisms that let data subjects signal their privacy preferences once, rather than emailing each business. One common mechanism is the Global Privacy Control, which is built into some browsers or available as an extension for browsers such as Chrome.
Some states, including Connecticut, require businesses to detect the Global Privacy Control signal sent by a customer's browser and treat it as an opt-out of the sale or sharing of that customer's PII, or face enforcement.
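What "listening to the signal" looks like in practice, as an added example that is not code from the article or from any regulator: the Global Privacy Control specification exposes the signal to page scripts as `navigator.globalPrivacyControl` and to servers as the request header `Sec-GPC: 1`. The snippet below detects both, treats a present signal as an opt-out that overrides any earlier consent, and only then lets the sale/share tags (Meta pixel, Google Analytics) load. The function names, the consent-record shape and the sample request are this example's own assumptions.

```javascript
// Added example (not from the article). Honor the Global Privacy Control (GPC)
// signal before loading third-party tags that sell or share personal data.
// GPC is delivered two ways per the GPC spec:
//   - to page scripts: navigator.globalPrivacyControl === true
//   - to servers:      request header "Sec-GPC: 1"
// Everything else here (function names, consent record shape) is assumed.

// Server side. Header names are case-insensitive, and the spec defines the
// signal as the exact value "1"; any other value means "no signal".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Client side. Older browsers have no such property, so guard for undefined.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decision rule: a GPC signal is an opt-out of sale/sharing and wins over any
// consent collected earlier. Without a signal, load only on an affirmative
// consent record (an opt-in default, the conservative choice in this example).
function shouldLoadSharingTags({ gpc, consent }) {
  if (gpc) return false;
  return consent === true;
}

// Which tag scripts to inject. An empty list means nothing is fetched, so no
// visitor data leaves the page through a pixel or beacon.
function tagsToLoad(allowed) {
  return allowed ? ['meta-pixel', 'google-analytics'] : [];
}

// Putting it together for one request. `consentRecord` stands in for whatever
// store holds the visitor's affirmative opt-in (assumed shape: { saleShare: bool }).
function decideForRequest({ headers, navigatorLike, consentRecord }) {
  const gpc = gpcFromHeaders(headers) || gpcFromNavigator(navigatorLike);
  const consent = Boolean(consentRecord && consentRecord.saleShare === true);
  const allowed = shouldLoadSharingTags({ gpc, consent });
  return {
    gpc,
    allowed,
    tags: tagsToLoad(allowed),
    reason: gpc ? 'GPC opt-out signal present' : (allowed ? 'affirmative consent on file' : 'no consent on file'),
  };
}

// Constructed sample: a visitor who opted in last year but now browses with
// GPC enabled. The signal must win, so no tags load.
const sampleRequest = {
  headers: { 'Sec-GPC': '1', 'user-agent': 'ExampleBrowser/1.0' },
  navigatorLike: { globalPrivacyControl: true },
  consentRecord: { saleShare: true },
};
const sampleDecision = decideForRequest(sampleRequest);
```

The header check is the one to wire into the server, because it is evaluated before any page script runs and cannot be bypassed by a mis-configured tag manager; the client-side check is a second gate for tags injected later in the page lifecycle.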
If your business collects PII from U.S. residents, there is a good chance some of that information is protected by a state’s universal opt-out mechanism law. Carefully review what PII you collect and how you honor the requests of data subjects regarding their PII.
Also, discuss with your technology vendors what information is being automatically captured by your websites or applications and shared with providers such as Google or Meta.
The cost of noncompliance can be millions of dollars.
