The Connecticut Data Privacy Act (CTDPA) was signed into law on May 10 by Connecticut Governor Ned Lamont, making Connecticut the fifth state to enact a consumer privacy law. The CTDPA is set to take effect on July 1, 2023, and features general data protection requirements and obligations similar to those in other states, along with a few noteworthy variations that, among other things, implement greater protections for children’s data and sensitive data (including biometric data).
Who is Covered?
Similar to other state privacy statutes, the CTDPA applies to entities that either conduct business in Connecticut or have products or services targeted to residents of Connecticut and that, during the preceding calendar year, have done either of the following:
- Controlled or processed the personal data of 100,000 or more Connecticut residents (consumers).
- Controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
Notably, the CTDPA removes from the calculation of the 100,000 consumers any personal data that is controlled or processed solely to complete a payment transaction.
Obligations of Covered Entities
For entities meeting the above criteria, several obligations align with requirements under other recently enacted data protection laws. These obligations include:
- Implementing administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data controlled or processed in accordance with the CTDPA.
- Limiting the personal data collected, used, and processed to that which is adequate, relevant, and reasonably necessary.
- Providing reasonably accessible and clear privacy notices that disclose particular information.
- Conducting and documenting a data protection assessment for each processing activity that presents a “heightened risk of harm to a consumer.”
Like other state data protection laws, the CTDPA provides consumers certain rights regarding personal data that covered entities have collected and used, including:
- The right to know whether a controller is processing the consumer’s personal data.
- The right to access personal data processed by a controller.
- The right to receive a copy of the consumer’s personal data processed by the controller.
- The right to request deletion of personal data provided by or obtained about the consumer.
- The right to request a correction of inaccurate personal data.
- The right to opt out of sales of personal data, use of personal data for targeted advertising, and use of personal data for profiling in furtherance of solely automated decisions that produce legal or other significant effects concerning the consumer.
Covered businesses under the CTDPA are required to establish one or more secure means for consumers to submit such requests and must respond to such consumer rights requests no later than 45 days after a request has been made (subject to the controller’s right to extend the response period for one additional 45-day period).
Beyond these standard requirements, the CTDPA includes the following notable provisions:
- Similar to Colorado and Virginia, Connecticut consumers have the right to opt out of: (1) the sale of their personal data, (2) use of personal data for targeted advertising, and (3) profiling based upon a consumer’s personal data. In addition, like Colorado, the CTDPA provides that as of January 1, 2025, covered entities must recognize opt-out signals sent by a platform, technology, or mechanism to the data controller indicating a consumer’s intent to opt out of such processing.
- Similarly, the CTDPA requires controllers to obtain consent to process sensitive data (which includes biometric data) and personal data of a minor (between the ages of 13 and 18) for targeted advertising, and the CTDPA also requires controllers to obtain parental consent for collection of personal data from a known child. Covered businesses relying on such consents to process the data must also provide a consumer-friendly mechanism for consumers to revoke this consent.
- As of the effective date of the CTDPA, the act provides covered businesses a right to cure potential violations upon notice from the Connecticut Attorney General (AG), but this guaranteed cure period will sunset on December 31, 2024. After that, the AG may determine, at his or her discretion, whether to grant covered entities that are violating the CTDPA an opportunity to cure such violation.
Under the CTDPA, the Connecticut AG has exclusive authority to enforce violations of the act, but the AG is not authorized to engage in rulemaking. Instead, the CTDPA provides that a working group will be convened to study and make recommendations to the Connecticut General Assembly on various topics concerning data privacy. While entities await any potential revised or additional obligations from such working group recommendations, covered businesses have slightly over a year to implement measures to comply with the CTDPA, as currently enacted, before the July 1, 2023, effective date.