The Connecticut Data Privacy Act (CTDPA) is a state law that protects Connecticut residents’ personal data privacy rights. Effective July 1, 2023, it requires businesses to safeguard consumer data and gives residents control over their personal information, including rights to access, correct, delete, and opt out of data sales. The law applies to companies that either do business in Connecticut or target Connecticut residents with their products or services.
The CTDPA, signed into law on May 10, 2022, empowers Connecticut residents by affording them greater control over their personal data. It defines a consumer as a state resident acting on their own behalf, excluding commercial or employment contexts. This distinction aligns Connecticut’s approach with states like California, although the California Consumer Privacy Act (CCPA) extends protections to employees.
Businesses operating in or targeting Connecticut residents must follow the CTDPA if, in the previous year, they:
1. Material Scope: The law covers all personal data that can identify an individual, except for de-identified data or publicly available information. However, certain types of data are exempt:
2. Territorial Scope: The law applies to businesses in Connecticut or offering goods/services to Connecticut residents if, in the preceding year, they:
3. CTDPA Exemptions: It’s crucial to understand that not every organization in Connecticut falls under the CTDPA. The law explicitly excludes:
Additionally, there are exemptions for personal data handled by other privacy laws, such as the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act.
Personal data processed solely for payment transactions is also exempt from the CTDPA. This exemption recognizes that businesses like restaurants and cafes handle personal data differently from digital advertising companies and should not be subject to the same regulations.
The CTDPA provides consumers with a wide range of rights. Specifically, consumers have the right to appeal denials of requests by controllers and to opt out of targeted advertising or the sale of personal data. Similar to other comprehensive privacy laws, the CTDPA grants consumers the following rights:
Similar to other state privacy laws, the CTDPA allows consumers to appoint an authorized agent to exercise their opt-out rights. Controllers have 45 days to respond to consumer requests, which can be extended by another 45 days if necessary due to request complexity or volume.
The CTDPA aims to ensure that businesses safeguard and maintain the accuracy of Connecticut consumer data. Controllers, which encompass individuals and entities determining how personal data is processed, are obligated to:
Under the CTDPA, extra protections are required for sensitive data, such as racial or ethnic origin, health records, and biometric information. Businesses must secure explicit opt-in consent before processing this type of information, strengthening privacy safeguards.
The Connecticut Attorney General (AG) holds sole responsibility for enforcing the law. From July 1, 2023, to December 31, 2024, the AG must first issue a notice of violation to the controller if there’s a chance to rectify the issue before taking any enforcement action. If the controller doesn’t fix the violation within 60 days, the AG may proceed with enforcement.
Additionally, starting February 1, 2024, the AG must provide a report to the General Assembly, outlining the number and nature of violations, as well as the number of violations resolved during the 60-day cure period.
From January 1, 2025, the AG may consider various factors when deciding whether to give a controller or processor a chance to fix an alleged violation, including:
The Connecticut Attorney General can enforce violations and impose fines of up to $5,000 per violation. They can also issue orders to prevent future violations, require restitution to victims, and demand disgorgement of profits obtained unlawfully. A notable aspect of the CTDPA is its phased implementation. Between July 1, 2023, and December 31, 2024, the Attorney General will notify violators and provide a 60-day cure period to fix the violation, allowing businesses to adapt to the regulations.
Starting January 1, 2025, this 60-day cure period won’t be automatically granted. Instead, the Attorney General will assess whether to offer it based on factors like the number of violations and the size of the business. Beginning in 2025, businesses must also enable consumers to opt out of targeted advertising or the sale of personal data using universal opt-out tools like the Global Privacy Control.
Here are tips for businesses to comply with the law:
The CTDPA shares similar consumer rights, obligations for data controllers and processors, and exemptions with privacy laws in California, Colorado, Virginia, and Utah. It aligns more closely with Colorado’s CPA than Virginia’s VCDPA, adopting similar data portability requirements and sunset provisions. Unlike the CCPA and UCPA, the CTDPA doesn’t grant consumers a private right of action. It’s stricter than the UCPA, which was more business-friendly. Under the CTDPA, companies must respect browser privacy signals like the Global Privacy Control and provide clear website opt-out links.
Starting January 1, 2025, the AG won’t need to issue a notice and opportunity to cure violations under the CTDPA, similar to Colorado’s cure period. We advise companies to assess their coverage under the CTDPA and develop a compliance plan before its effective date on July 1, 2023.
The Connecticut Data Privacy Act signifies the state’s dedication to protecting consumer rights amidst the global focus on data privacy. Its robust approach to regulating data practices sets a new standard in Connecticut, urging businesses to take proactive steps to comply with the law and manage risks efficiently.
GetTerms can simplify the complicated task of compliance and allow you to get back to business by addressing multiple items on your compliance checklist, including a cookie policy tailored to your business needs and cookie consent banners. Please take advantage of our services today. Create an account and get started in 5 minutes.