Updated: Jun 1
On 10 May 2022, Connecticut’s Governor, Ned Lamont, signed the bill for an Act Concerning Personal Data Privacy and Online Monitoring. The act will be known as the Connecticut Data Privacy Act or CTDPA and will come into effect on 1 July 2023.
The CTDPA gives Connecticut residents specified rights over personal data and establishes responsibilities and privacy protection standards for organizations that collect and process consumer data. The law also aims to protect the privacy of Connecticut residents at the individual and household levels.
While the U.S. is still far from enacting a federal data protection law, several states have passed their own data privacy regulations to safeguard personal information. California was the first to pass such a law, the California Consumer Privacy Act (CCPA), followed by Virginia with the Virginia Consumer Data Protection Act (VCDPA).
Connecticut’s data privacy law differs in many ways from the existing state rules and shares some ‘intentional’ similarities with them. The CTDPA largely follows the European data protection model: it references the General Data Protection Regulation (GDPR) and makes certain exemptions not provided by the existing U.S. data protection laws.
What is the Connecticut data privacy act?
The CTDPA is a comprehensive data privacy law that safeguards consumers’ data protection rights while also accommodating the needs of businesses.
An Overview of the key provisions of the CTDPA
The CTDPA does not have a monetary threshold for businesses to qualify for compliance.
The law emphasizes protecting minors’ data. Parents or caretakers of children under 13 can exercise data privacy rights on their behalf.
It takes a strong stance on biometric data and the use of dark patterns to evoke consumer consent for data collection and processing.
To whom does the Connecticut data privacy act apply?
It applies to organizations that collect or process the personal information of Connecticut individuals or households and meet either of the following criteria:
Control the personal or sensitive personal information of at least 100,000 consumers; or
Derive over 25% of gross revenue from the sale of personal data while controlling the information of at least 25,000 consumers.
Explanation of the threshold for compliance
Unlike the existing data protection laws, such as the CCPA or the European Union's GDPR, the CTDPA does not have a monetary threshold for businesses.
The decision not to include a monetary threshold was likely made to ensure that all businesses that collect or process the personal information of Connecticut residents fit under the same standard of data protection.
The CTDPA applies to all businesses, regardless of their size, that collect the personal information of Connecticut residents. Even small companies with limited resources must comply with the CTDPA’s requirements.
Additionally, the lack of a monetary threshold may be intended to prevent businesses from circumventing the law by falsely reporting their revenue as falling below a certain threshold. Connecticut has the smallest population among the states with a data privacy law, so while developing the law, Senator James Maroney (and team) emphasized that adopting the same parameters as the CCPA, CPRA, or VCDPA would be devastating for many small and medium-scale businesses.
Explanation of how the Connecticut data privacy act defines personal data and sensitive data
The CTDPA defines “personal information” as any information that can be linked to an identifiable individual. The definition excludes publicly available information, such as information a person has shared and made ‘public’ on platforms such as LinkedIn or Facebook.
Some examples of personal data the CTDPA addresses include home address, driver’s license or state identification number, passport information, financial account number, login credentials, payment card information, social security number, and biometric data.
The CTDPA does not apply to data protected under the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the Family Educational Rights and Privacy Act (FERPA).
The following entities are also exempt from the CTDPA:
State and local governments.
National securities associations registered under the Securities Exchange Act.
Higher education institutions.
What are the requirements under the Connecticut data privacy act?
Data controllers and processors (businesses and third-party service providers) must comply with specific CTDPA provisions and preserve Connecticut residents' privacy rights.
The following obligations are placed on businesses under the act:
Notice and disclosure requirements
Under the CTDPA, businesses must provide consumers with notice of the types of personal data processed and the purpose(s) for processing. The notice must also state whether and why the data controller shares personal data with third parties, and explain how consumers can exercise their various data privacy rights.
Consumer rights to access and delete personal data
Opt-out rights for the sale of personal data.
Under the CTDPA, consumers have the right to opt out of the sale of their personal data to third parties. For marketing or advertising, businesses must allow consumers to revoke consent to the sale of their personal information to third parties, including data brokers and other companies.
Connecticut residents can typically exercise their opt-out rights through a designated opt-out link or by contacting the company directly.
The CTDPA requires businesses to provide a clear and universal opt-out mechanism that allows consumers to withdraw consent to data processing and sale across the various websites and platforms owned by a company.
There are some exceptions to these rights. For example, businesses may not be required to delete personal information if it is necessary for specified purposes, such as completing a transaction or complying with legal obligations.
Security and data protection standards
The CTDPA requires data controllers to establish, implement, and maintain technical and physical data security practices within the organization to protect the confidentiality of personal information. The law states that data processors (third parties) are responsible for assisting data controllers in fulfilling the CTDPA obligations related to the security of personal data.
Discussion of the consequences for non-compliance
The Attorney General has the authority to impose penalties for CTDPA violations. Businesses get a 45-day window to address consumer privacy rights requests, such as responding to an access or data deletion request.
In addition, the Attorney General can seek other relief, such as requiring a business to discontinue privacy-violating practices. Businesses that violate individual privacy rights may also be liable to provide compensation and bear a penalty of $5,000 per violation.
How can businesses comply with the Connecticut data privacy act?
Once the CTDPA is enforced, businesses that receive a notice of an alleged privacy violation will be given a 60-day cure period to remedy the violation(s). The cure period runs from 1st July 2023 to 21st December 2024. After this, companies failing to cure the violations may be penalized.
After the cure period, the CTDPA will enter the ‘sunset’ period, starting 1st January 2025, in which companies will no longer have access to the ‘right to cure.’
The Attorney General will weigh the severity of the privacy violation when deciding how to respond. Decisions against privacy violations will be based on the following factors:
The number of violations.
The size and complexity of the data processor or controller.
The severity of damage caused to an individual or household.
The nature and extent of the data processing activities.
Whether the violation was caused by human or technical error(s).
CTDPA comparison to other privacy laws:
The following illustration gives an overview of consumer rights, as provided by various data protection laws:
Suggestions for businesses to ensure compliance with the act:
Conducting a data inventory and mapping personal data
Identifying the types of personal data being collected and processed:
Businesses must create a data inventory to identify the types of personal data they collect, process, store, and share or sell. This includes sensitive personal information as well as personally identifiable information. By identifying these types of data, businesses can ensure that they have appropriate data protection measures to safeguard the information.
Understanding data flows and assessing risks:
Data mapping can help businesses understand how personal data moves throughout their organization and identify areas where data protection measures can be improved. This includes identifying data processors, such as third-party vendors with access to personal data, and evaluating their data protection practices. By understanding what personal data is being processed and how it is used, businesses can assess its associated risks and prioritize data protection efforts accordingly.
Implementing policies and procedures for handling personal data
Data Protection Officer:
Organizations must appoint a data protection officer (DPO) to oversee compliance with the CTDPA. The DPO acts as a point of contact for individuals regarding their data.
Companies (data controllers) must obtain explicit and informed consent from individuals before collecting, using, or disclosing their data to third parties.
Organizations must collect only the minimum amount of personal data necessary for the purpose for which it is being used.
The CTDPA requires data controllers (businesses) and processors (third-party vendors) to implement appropriate technical and organizational security measures, such as authorization of access to consumer data.
Data Breach Notification:
Organizations must notify affected individuals and the Connecticut Attorney General’s office in case of a data breach that could result in potential harm.
Providing notices and disclosures to consumers
Providing consumers with the latest updates on privacy policies, data collection, and processing methods will help businesses maintain compliance with the CTDPA.
Establishing a process for responding to consumer requests
The Attorney General must submit a list of privacy violations and their cure status to the General Assembly of Connecticut before 1st February 2024. Businesses must prepare for what happens next. Implementing comprehensive consent and preference management solutions will be the greatest asset for businesses.
Effective consent and preference management helps ensure that Global Privacy Control (GPC) signals are honored within the organization and across third-party processing partners.
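The universal opt-out mechanism described above is, in practice, the Global Privacy Control signal a browser sends with every request as the Sec-GPC header. The following is an added example, not code from the original article or from any consent-management product, showing one way a server could honor that signal alongside a stored consent record. The header name and value (Sec-GPC: 1) come from the GPC specification; the consent-record shape, the partner list, and the function names are assumptions made for this example.

```javascript
// Added example (not code from the original article or any vendor product):
// honoring the Global Privacy Control (GPC) opt-out signal on the server side.
// "Sec-GPC: 1" is the header defined by the GPC specification; the consent
// record shape, partner list and function names are assumptions for this demo.

// Returns true only when the request carries a valid GPC signal.
// Header names are matched case-insensitively; the spec defines exactly the
// value "1", so anything else (including "0" or "true") is not a signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Combines the per-request signal with the consumer's stored preference.
// Design choice (assumption): a GPC signal is treated as an opt-out from
// sale and targeted advertising even when an older stored record says the
// consumer had not opted out, so a stale preference cannot override the signal.
function resolveOptOut(headers, consentRecord) {
  const stored = consentRecord || {};
  if (stored.saleOptOut === true) {
    return { optedOut: true, source: 'stored-preference' };
  }
  if (hasGpcSignal(headers)) {
    return { optedOut: true, source: 'gpc-signal' };
  }
  return { optedOut: false, source: 'none' };
}

// Filters the third parties data may be shared with for this request.
// Partners whose purpose is "sale" or "targeted-advertising" are dropped when
// the consumer has opted out; partners needed to complete the transaction
// (one of the exceptions the act allows) are kept.
function allowedRecipients(partners, decision) {
  const restricted = new Set(['sale', 'targeted-advertising']);
  return partners.filter(p => !(decision.optedOut && restricted.has(p.purpose)));
}

// Constructed sample partner list for a stand-alone run (not real vendors).
const SAMPLE_PARTNERS = [
  { name: 'payment-processor', purpose: 'transaction' },
  { name: 'ad-network',        purpose: 'targeted-advertising' },
  { name: 'data-broker',       purpose: 'sale' },
];

// Demo: a request carrying the GPC header from a consumer whose stored record
// predates the signal. Only the transaction partner remains eligible.
const demoDecision = resolveOptOut({ 'Sec-GPC': '1' }, { saleOptOut: false });
console.log(demoDecision);
console.log(allowedRecipients(SAMPLE_PARTNERS, demoDecision).map(p => p.name));
```

On the client side, the same signal is exposed to scripts as navigator.globalPrivacyControl, so a consent banner can pre-select the opt-out state for consumers whose browser already sends it; the server-side check above is still the authoritative one, because third-party sharing decisions are made there.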
The Connecticut Data Privacy Act is right around the corner, and soon it will govern how businesses and third-party vendors collect and process consumer data. Complying with the CTDPA and protecting consumer privacy will allow businesses to respect the data privacy expectations of 3.6 million Connecticut residents.
With the advent of the new data privacy law, Connecticut citizens will have greater control over their personal information. Businesses that want to continue collecting valuable customer information must ensure effective consent management and CTDPA compliance.