
The Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2023, and reflects Connecticut’s efforts to safeguard the personal data of the state’s residents. This article breaks down the CTDPA’s components, including its requirements, compliance measures, and impact on businesses and consumers.


CTDPA Overview

The CTDPA, signed into law on May 10, 2022, gives Connecticut residents greater control over their personal data. It defines a consumer as a state resident acting in an individual or household context, not in a commercial or employment context. This distinction aligns Connecticut with most other state privacy laws; the California Consumer Privacy Act (CCPA), as amended by the CPRA, is the outlier that also extends protections to employees and business contacts.

Who Must Comply

Businesses operating in or targeting Connecticut residents must follow the CTDPA if, in the previous year, they:

  • Processed personal data of 100,000 or more consumers.
  • Processed personal data of at least 25,000 consumers and derived more than 25% of gross revenue from the sale of personal data. Notably, unlike the CCPA, the CTDPA has no standalone annual-revenue threshold; revenue matters only in combination with the 25,000-consumer test.

1. Material Scope: The law covers all personal data that can identify an individual, except for de-identified data or publicly available information. However, certain types of data are exempt:

    • Protected health information regulated under HIPAA, including identifiable patient information and data used for research or public health purposes.
    • Data under GLBA or FCRA regulations.
    • Driver data under the Driver’s Privacy Protection Act.
    • Data under FERPA regulations.
    • Employment or emergency contact information.
    • Airline data governed by the Airline Deregulation Act.

2. Territorial Scope: The law applies to businesses in Connecticut or offering goods/services to Connecticut residents if, in the preceding year, they:

    • Controlled or processed personal data of at least 100,000 consumers, excluding data processed solely for payment transactions.
    • Controlled or processed personal data of at least 25,000 consumers and derived more than 25% of gross revenue from the sale of personal data.

3. CTDPA Exemptions: It’s crucial to understand that not every organization in Connecticut falls under the CTDPA. The law explicitly excludes:

    • State agencies.
    • Nonprofit organizations.
    • Higher education institutions.
    • National securities associations registered under the Securities Exchange Act of 1934.
    • Financial institutions regulated by the Gramm-Leach-Bliley Act.
    • Entities covered by HIPAA.

Additionally, personal data already governed by other federal laws is exempt, including data under the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act.

Personal data controlled or processed solely to complete a payment transaction does not count toward the 100,000-consumer threshold. This carve-out recognizes that businesses like restaurants and cafes, which see card data only to settle a bill, handle personal data differently from digital advertising companies. Note that it is a threshold carve-out rather than a blanket exemption: a controller that meets the threshold on its other data still handles payment data under the law.

CTDPA Consumer Rights

The CTDPA provides consumers with a wide range of rights. Specifically, consumers have the right to appeal denials of requests by controllers and to opt out of targeted advertising or the sale of personal data. Similar to other comprehensive privacy laws, the CTDPA grants consumers the following rights:

  • Access: Consumers can confirm if a controller is processing their personal data and access such data, except for trade secrets.
  • Correction: Consumers can correct inaccuracies in their personal data, with some limitations.
  • Deletion: Consumers can request the deletion of personal data provided by or about them.
  • Data portability: Consumers can obtain a portable copy of their personal data if technically feasible, without revealing trade secrets.
  • Opt-out of certain data processing: Consumers can opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

Similar to other state privacy laws, the CTDPA allows consumers to appoint an authorized agent to exercise their opt-out rights. Controllers have 45 days to respond to consumer requests, which can be extended by another 45 days if necessary due to request complexity or volume.

What Controllers Are Required To Do

The CTDPA aims to ensure that businesses safeguard and maintain the accuracy of Connecticut consumer data. Controllers, which encompass individuals and entities determining how personal data is processed, are obligated to:

  1. Limit personal data collection to what’s necessary for the intended purpose, avoiding unnecessary data gathering.
  2. Establish and uphold security measures to protect data confidentiality, integrity, and accessibility.
  3. Obtain opt-in consent where the law requires it: before processing sensitive data, before processing a known child’s data (in compliance with COPPA), and before selling the personal data of, or targeting advertising to, a consumer the controller knows is at least 13 but younger than 16. For everything else the CTDPA follows an opt-out model, allowing processing unless the consumer opts out.
  4. Offer an easy method for consumers to withdraw consent, and stop the affected processing as soon as practicable and no later than 15 days after receiving the request.
  5. Provide a clear and accessible privacy notice outlining the types of personal data processed, its purpose, how consumers can exercise their rights, data sharing with third parties, and contact information.
  6. Conduct and document data protection assessments for processing activities posing heightened risks to consumers, including:
    • Personal data processing for targeted advertising.
    • Personal data sale, encompassing monetary transactions or other valuable exchanges.
    • Personal data processing for profiling.
    • Processing of sensitive data.

Sensitive Data and Consent

Under the CTDPA, sensitive data requires extra protection. Sensitive data includes racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data processed to uniquely identify an individual, precise geolocation data, and the personal data of a known child. Businesses must obtain the consumer’s opt-in consent before processing this type of information, rather than relying on the opt-out model that applies to other personal data.

Regulatory Authority and Enforcement

The Connecticut Attorney General (AG) holds sole responsibility for enforcing the law. From July 1, 2023, to December 31, 2024, the AG must first issue a notice of violation to the controller if there’s a chance to rectify the issue before taking any enforcement action. If the controller doesn’t fix the violation within 60 days, the AG may proceed with enforcement.

Additionally, starting February 1, 2024, the AG must provide a report to the General Assembly, outlining the number and nature of violations, as well as the number of violations resolved during the 60-day cure period.

From January 1, 2025, the AG may consider various factors when deciding whether to give a controller or processor a chance to fix an alleged violation, including:

  • Number of violations
  • Size and complexity of the controller or processor
  • Nature and extent of their processing activities
  • Likelihood of public harm
  • Safety concerns
  • Whether the violation was likely due to human or technical error.

CTDPA Enforcement and Penalties

The Connecticut Attorney General enforces the CTDPA; a violation is treated as an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA), which allows civil penalties of up to $5,000 per willful violation. The AG can also seek orders to prevent future violations, restitution to affected consumers, and disgorgement of unlawfully obtained profits. A notable aspect of the CTDPA is its phased enforcement. Between July 1, 2023, and December 31, 2024, the Attorney General must notify a violator and provide a 60-day cure period before taking action, giving businesses time to adapt to the law.

Starting January 1, 2025, this 60-day cure period won’t be automatically granted. Instead, the Attorney General will assess whether to offer it based on factors like the number of violations and the size of the business. Beginning in 2025, businesses must also enable consumers to opt out of targeted advertising or the sale of personal data using universal opt-out tools like the Global Privacy Control.
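The universal opt-out requirement is the one part of the law that lands directly in request handling: a browser with Global Privacy Control enabled sends the `Sec-GPC: 1` request header, and from January 1, 2025 a covered controller must treat that header as an opt-out from targeted advertising and the sale of personal data. The following is an added example, not code from the original article or from any vendor, showing a server-side decision that combines the per-request signal with the consumer’s stored choice. The header name and value come from the GPC proposal; the rule applied when the signal conflicts with a consent the consumer gave the site directly (honor the signal, flag the conflict so the consumer can be told) and all function and field names are assumptions of this example.

```python
"""Server-side handling of the Global Privacy Control (GPC) opt-out signal.

Constructed example: it is not code from the original article or from any
named vendor. Header handling follows the GPC proposal, which sends the
request header ``Sec-GPC: 1`` when the user has enabled the signal; every
other value, and the absence of the header, means "no signal". The rule
applied when the signal conflicts with a consent the consumer gave the
controller directly (honour the signal, flag the conflict so the consumer
can be notified) is an assumption of this example.
"""
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class ProcessingDecision:
    targeted_advertising: bool   # may this request be used for targeted ads?
    sale_of_personal_data: bool  # may data from this request be sold?
    conflict: bool               # GPC said "opt out" but a stored consent said "allow"
    reason: str


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when the request carries ``Sec-GPC`` with the exact value 1.

    Header names are matched case-insensitively because proxies and WSGI
    servers normalise them differently; surrounding whitespace is ignored.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def decide_processing(headers: Mapping[str, str],
                      stored_opt_out: Optional[bool]) -> ProcessingDecision:
    """Combine the per-request GPC signal with the consumer's stored choice.

    ``stored_opt_out`` is ``True`` if the consumer opted out through the
    site's own link, ``False`` if they affirmatively opted in, and ``None`` if
    they never expressed a choice. An opt-out from either source wins: the
    signal is treated as an opt-out request for targeted advertising and the
    sale of personal data, and it is never used to turn a stored opt-out
    back on.
    """
    signal = gpc_signal_present(headers)

    if stored_opt_out is True:
        return ProcessingDecision(False, False, False,
                                  "consumer opted out via site control")
    if signal:
        # Assumed conflict rule: the signal is honoured; the conflict flag lets
        # the caller notify the consumer that their earlier opt-in is overridden.
        return ProcessingDecision(False, False, stored_opt_out is False,
                                  "Sec-GPC: 1 received")
    # No opt-out from any source: processing for these purposes may proceed,
    # subject to the notice and assessment duties described in the article.
    return ProcessingDecision(True, True, False,
                              "no opt-out on record or in request")


# Constructed sample requests, as a web framework would hand them to a handler.
SAMPLE_REQUESTS = {
    "gpc_enabled":     {"Host": "shop.example", "Sec-GPC": "1"},
    "gpc_other_value": {"Host": "shop.example", "sec-gpc": "0"},
    "no_header":       {"Host": "shop.example"},
}


def audit_log_line(name: str, decision: ProcessingDecision) -> str:
    """One line per decision for the controller's own records.

    Only the outcome is logged, not the full header set, so that the opt-out
    signal itself does not become one more identifier tied to the consumer.
    """
    ads = "allow" if decision.targeted_advertising else "deny"
    sale = "allow" if decision.sale_of_personal_data else "deny"
    return f"{name}: ads={ads} sale={sale} conflict={decision.conflict} ({decision.reason})"


if __name__ == "__main__":
    for name, headers in SAMPLE_REQUESTS.items():
        print(audit_log_line(name, decide_processing(headers, stored_opt_out=None)))
```

The decision is made on the server because a client-side check of `navigator.globalPrivacyControl` can be bypassed or simply never run; the header is what every downstream ad or data-sharing call should be gated on.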

Compliance Tips

Here are tips for businesses to comply with the law:

  1. Streamline and automate DSR (Data Subject Rights) fulfillment to expedite consumer verification, link personal data to its owner, and promptly fulfill requests.
  2. Regularly conduct data protection impact assessments to prevent significant harm to consumers from personal data processing.
  3. Prepare pre-built privacy notice templates based on applicable jurisdictional laws.
  4. Provide a clear opt-out link on the website for consumers who do not want their personal data sold or used for targeted advertising, and honor that choice in every system that processes the data.

Key Takeaways

The CTDPA shares similar consumer rights, obligations for data controllers and processors, and exemptions with the privacy laws of California, Colorado, Virginia, and Utah. It aligns more closely with Colorado’s CPA than Virginia’s VCDPA, adopting similar data portability requirements and a similar sunset of the right-to-cure period. Like the UCPA, and unlike the CCPA (which gives consumers a limited private right of action for certain data breaches), the CTDPA does not grant consumers a private right of action. It is otherwise stricter than the more business-friendly UCPA. Under the CTDPA, companies must respect browser privacy signals like the Global Privacy Control and provide clear website opt-out links.

From January 1, 2025, the AG is no longer required to issue a notice and opportunity to cure before enforcing the CTDPA, mirroring the sunset of Colorado’s cure period. Companies should assess whether they are covered by the CTDPA and put a compliance plan in place; the law has been in effect since July 1, 2023.

Wrapping Up

The Connecticut Data Privacy Act signifies the state’s dedication to protecting consumer rights amidst the global focus on data privacy. Its robust approach to regulating data practices sets a new standard in Connecticut, urging businesses to take proactive steps to comply with the law and manage risks efficiently.

GetTerms can simplify the complicated task of compliance and let you get back to business by addressing multiple items on your compliance checklist, including a cookie policy tailored to your business needs and cookie consent banners. Create an account and get started in 5 minutes.
