Connecticut has recently joined the growing number of US states that have established a dedicated, comprehensive data privacy law to safeguard consumers’ data rights. The new Personal Data Privacy and Online Monitoring Act (CTDPA) sets out guidelines for the data processing activities of organizations operating within Connecticut. The CPRA is the most stringent privacy law in the nation, followed by the Colorado and Virginia privacy laws, so how do Connecticut’s regulations compare with those of other states? Are they stricter than, or similar to, the Utah privacy law?
Below, we’ll dive into the Connecticut privacy law, how it applies to your business, and how it affects your data processing activities.
When is the Connecticut Data Privacy Law Effective?
Effective July 1, 2023, organizations doing business in Connecticut and that trigger the compliance threshold must comply with the Connecticut privacy law’s regulations. This means you have a few months to prepare for compliance and adjust your business practices accordingly.
Applicability of the Connecticut Privacy Law
The guidelines of the Connecticut Data Privacy Act are somewhat similar to, albeit less stringent than, those of the European Union’s General Data Protection Regulation (GDPR) and California’s privacy regulations—the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
Any organization that conducts business in Connecticut or offers goods or services to customers living in the state must comply with the Connecticut privacy law if:
- You control or process the personal data of 100,000 or more consumers each year, excluding data processed solely to complete a payment transaction.
- You control or process the personal data of 25,000 or more consumers and derive over 25 percent of your gross revenue from the sale of personal data.
Covered Personal Information as Stipulated by the CTDPA
The CTDPA defines personal information covered under the law as “any information that is linked or reasonably linkable to an identified or identifiable individual.” De-identified and public information are exempt from this definition.
Under the CTDPA, categories of “sensitive data” require a data protection assessment prior to processing. These include:
- Racial and ethnic origin data
- Information about religious beliefs
- Health data that reveals a past, current, or future medical condition
- Data about an individual’s sex life or sexual orientation
- Citizenship, immigration, and naturalization status
- Genetic or biometric identifiers
- Personal data collected from children
- Precise geolocation data
Privacy Rights Listed Under the Connecticut Privacy Law
The Connecticut privacy law lists five major rights to help safeguard consumer data privacy:
- Right to access – Consumers have the right to confirm whether a controller is processing their personal data. If the controller confirms that it is, consumers may request access to that data.
- Right to correct – A consumer can request a controller to correct any inaccuracies in their data during processing.
- Right to delete – A consumer also has the right to request the deletion of their personal data once it has been provided to or obtained by the controller.
- Right to data portability – Consumers can request that controllers provide their personal data in a portable, readily usable format should they wish.
- Right to opt out – The Connecticut privacy law also gives consumers the right to opt out of data processing if their data will be:
  - Used for targeted advertising to the consumer
  - Sold to third-party entities
  - Used in automated decisions that carry legal risks for the consumer
Under the CTDPA’s provisions, consumers are protected when they exercise these rights. The role of a controller or processor is to respect and safeguard them by fulfilling certain business obligations.
Rights Response Timelines
Businesses responding to privacy requests must be mindful of several operational timelines:
- Response: 45 days
- Response extension: 45 days
- Process opt-outs: 15 days
- Completion confirmation: without undue delay
- Response to appeal of denied request: 60 days
- Deletion of sensitive data: 12 hours
What Are Your Business Obligations Under the Connecticut Privacy Law?
The Connecticut privacy law outlines several obligations that businesses meeting the criteria specified above must follow to safeguard consumer data privacy:
- Privacy notices – A data controller must provide an easily accessible privacy notice listing:
  - The categories of personal data processed by the controller
  - The business purposes for processing consumers’ personal data
  - The processes by which consumers can exercise their privacy rights
  - The types of personal data shared with third parties, if any
  - The categories of third parties with which the controller shares consumer data
  - An active email address that consumers can use to contact the controller
- Third-party contracts – If consumers’ personal data is processed by entities other than the controller, those data processing activities must be governed by a vendor contract. The Connecticut privacy law requires these contracts to:
  - Ensure data confidentiality
  - Remain subject to the consumer rights listed within the law
  - Allow independent assessments of compliance with the law’s stipulations
- Data protection assessments – The Connecticut privacy law requires controllers to conduct data protection assessments (synonymous with privacy impact assessments, or PIAs) if the processing activities may pose risks to the consumer, such as:
  - Targeted advertising to consumers
  - The sale of consumers’ personal data
  - Profiling of consumers
  - Any other processing that may heighten the risk to consumers’ privacy or livelihood
If your business collects or processes the personal data of Connecticut consumers, you are considered a controller. As such, the Connecticut privacy law requires compliance in meeting the above business obligations and safeguarding consumer data privacy.
Special Topics Covered by the Connecticut Privacy Law
Beyond the specific business obligations described above, organizations complying with the Connecticut privacy law must also pay special attention to the following:
- Children’s data – When collecting or processing the personal data of a child, data processing activities must comply with the Children’s Online Privacy Protection Act of 1998 (COPPA) regulations. Consumer consent must be obtained from a parent or legal guardian in all instances.
- Respect for consent – Under the Connecticut data privacy law, consent is defined as any agreement in which a consumer explicitly allows a controller to process their personal data. Consent is always required to process sensitive data that belongs to consumers or children if the entity is subject to the CTDPA.
- Authorized agents – Consumers looking to opt out of data processing activities can do so by authorizing another party to exercise privacy rights on their behalf. Controllers must then respect the authorized agent’s authority per the Connecticut privacy law’s stipulations.
- Data sales and monetization – The Connecticut privacy law defines a sale of personal data as any exchange of data between a controller and a third party for monetary gain. The law gives consumers the right to opt out of any sale of their personal data. However, sales of personal data do not include disclosures of personal data to:
  - Third parties that provide goods or services to the consumer
  - Affiliates of the controller
  - Third parties, as instructed by the consumer
  - The general public, where the consumer has already made the data public
- Targeted advertising – The Connecticut privacy law describes targeted advertising as advertising driven by data obtained from consumers to infer their interests and preferences. Controllers must not process consumers’ personal data for targeted advertising without consent, and must disclose any such intention so that consumers can exercise their privacy rights.
- Profiling – Controllers must conduct a data protection assessment if data is processed for purposes such as profiling, which poses risks to consumers’ privacy rights.
CTDPA Exemptions & Limitations
Certain organizations may be exempt from compliance with the privacy regulations of the CTDPA due to the types of data or transactions they handle.
These organizations include:
- State and local government bodies
- Nonprofit organizations
- Higher education institutions
- Certain national securities associations
- Financial institutions subject to the Gramm-Leach-Bliley Act regulations
- HIPAA-defined covered entities and their business associates
Certain types of data may also be exempt from the Connecticut privacy law requirements, such as data regulated by the following:
- Patient Safety and Quality Improvement Act (PSQIA)
- Fair Credit Reporting Act (FCRA)
- Driver’s Privacy Protection Act (DPPA)
- Family Educational Rights and Privacy Act (FERPA)
- Farm Credit Act (FCA)
- Airline Deregulation Act (ADA)
Considering the broad categories of data exempt from the Connecticut privacy law regulations, it is best to consult with a data privacy partner on which exemptions will apply to your organization’s unique needs.
When it comes to enforcement, the CTDPA is overseen by the Connecticut Attorney General. Between July 1, 2023, and December 31, 2024, the Attorney General can provide notice to a business found in violation of the privacy law if a cure is possible.
A business issued a Connecticut privacy law violation can cure it within 60 days, similar to the regulations of the Colorado Privacy Act. Failure to cure an alleged violation within this period can result in further legal action.
On or after January 1, 2025, the Attorney General can decide whether to provide the opportunity to cure the violation based on the:
- Number of violations issued to a business
- Complexity of the business handling consumers’ personal data
- Nature of data processing activities
- Likelihood of injury to the public from the data processing activities
- Safety of consumers whose data is processed
- Source of the violation—whether it was by a human or technical error
However, the Connecticut privacy law does not currently have a private right of action.
Ensure Your CTDPA Compliance with DataGrail
As Connecticut and other states continue to enact consumer data privacy laws, it will become increasingly difficult for US businesses to operate without establishing compliant policies and implementing dedicated technologies.
The best way to strengthen your business’s adherence to the CTDPA and other state-level consumer data laws is to invest in a data privacy platform like DataGrail’s. With capabilities that include a Live Data Map to gain extensive, up-to-date visibility of your data locations, you can gain confidence in the privacy safeguards you implement.
Our platform can also help you keep track of your compliance with regulations like the Connecticut privacy law and beyond.
Explore our data privacy platform.
United States Code. Title 15, Chapter 19—Children’s Online Privacy Protection. https://uscode.house.gov/view.xhtml?req=granuleid%3AUSC-prelim-title15-chapter91&saved=%7CZ3JhbnVsZWlkOlVTQy1wcmVsaW0tdGl0bGUxNS1zZWN0aW9uNjUwMQ%3D%3D%7C%7C%7C0%7Cfalse%7Cprelim&edition=prelim
State of Connecticut. Public Act No. 22-15 – An Act Concerning Personal Data Privacy and Online Monitoring. https://www.cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF