Connecticut
Connecticut Data Privacy Act (CTDPA)
Passed | May 10, 2022 |
Effective Date | July 1, 2023 |
Who it applies to | Businesses that (1) control or process the personal data of 100,000 or more Connecticut consumers (excluding data controlled or processed solely for completing a payment transaction); or (2) control or process the personal data of at least 25,000 consumers and derive more than 25% of their gross revenue from the sale of personal data. Exempt entities include nonprofits, government agencies, higher education institutions, and financial institutions subject to the Gramm-Leach-Bliley Act (GLBA). |
Penalties | Up to $5,000 per violation |
What’s notable about it:
Connecticut has already amended CTDPA, introducing new rules on health and children’s privacy that arguably make it the strictest privacy law in the US for companies that process any amount of “consumer health data”. Unlike other states, it doesn’t have a revenue threshold: if a company processes a single person’s consumer health data, it is subject to Connecticut’s law. A business that neither controls or processes more than 100K CT residents’ personal data nor processes any consumer health data is not affected by the law.
“Consumer health data” means “any personal data that a controller uses to identify a consumer's physical or mental health condition or diagnosis, and includes, but is not limited to, gender-affirming health data and reproductive or sexual health data.”