The Connecticut Data Privacy Act (CTDPA) will go into effect on July 1, 2023. The law is similar to the privacy laws passed by California (CCPA), Colorado (CPA), Virginia (VCDPA), Michigan (MPDPA), and Utah. It most closely resembles the California Consumer Privacy Act, the Colorado Privacy Act, and the Virginia Consumer Data Protection Act, with many of its provisions falling somewhere between those laws. However, there are some distinctions that must be observed to comply with the law.
Utah’s privacy law is more business-friendly and differs more from the CTDPA.
What is the Connecticut Data Privacy Act (CTDPA)?
The Connecticut Data Privacy Act is privacy legislation of the US state of Connecticut that requires businesses and organizations to protect the personal data of Connecticut residents from unauthorized access and disclosure. The CTDPA applies to any business that collects, stores, or uses the personal data of Connecticut residents, regardless of whether the business is located in Connecticut or elsewhere.
Connecticut residents, called consumers, have these main rights under the CTDPA:
- Right to access. Consumers have the right to “confirm whether or not a controller is processing the consumer’s personal data and access such personal data.” However, unlike other US laws, there is an exception to this right where “such confirmation or access would require the controller to reveal a trade secret.”
- Right to correct. Consumers have the right to correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes of its processing.
- Right to delete. Consumers have the right to delete the personal data provided by them or obtained about them.
- Right to data portability. Consumers have the right to obtain a copy of the consumer's personal data in a usable format and to the extent technically feasible.
- Right to opt-out. Consumers have the right to opt out of the processing of personal data for the purposes of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. Consumers must give explicit consent for the use and processing of personal data, and that consent must be a freely given, specific, informed, and unambiguous agreement.
Entities that collect and process personal data, called controllers, are required to respond to consumer requests no later than 45 days after receipt of the request.
Who Has to Comply with the Connecticut Data Privacy Act?
Applicability of the CTDPA
The law applies to entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that, in the preceding calendar year, either:
- Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions; or
- Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.
It is important to note that the law excludes personal data processed solely for completing payment transactions. Thus, entities that process debit or credit card data only to the extent necessary to complete a purchase are exempted from the law.
Unlike the CCPA, the Connecticut law does not have an annual revenue threshold for imposing the law’s obligations.
Exemptions to the Connecticut Data Privacy Act compliance
As noted above, not all entities that do business in Connecticut or process the data of Connecticut residents need to comply with the CTDPA. The following organizations are exempt from the law, irrespective of whether the data they collect and process would otherwise be subject to it:
- State and local governments.
- Nonprofit organizations.
- Higher education institutions.
- National securities associations registered under the Securities Exchange Act of 1934.
- Financial institutions, and data, subject to the Gramm-Leach-Bliley Act.
- Covered entities and business associates as defined by the Health Insurance Portability and Accountability Act.
Obligations for entities under the CTDPA
An entity covered by the CTDPA may be a “controller” of personal data, to whom the personal data belongs, or a “processor” that handles the personal data (collection, use, storage, disclosure, analysis, deletion, or modification) on behalf of a controller. Controllers are responsible for receiving, authenticating, and complying with reasonable consumer requests concerning personal data, and for setting up an appeal process for any requests they deny.
The CTDPA defines the following requirements for data controllers:
Limits on data collection. Controllers are required to “limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.”
Limits on use. Once the data has been collected, the law prohibits controllers from processing personal data for “purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed.”
Data security. Controllers are required to “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.”
Consent requirements. The law requires controllers to obtain consent before processing sensitive personal data, which includes information about race or ethnicity, religion, health conditions, sex life or sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data, and precise geolocation data. Sensitive personal data also includes personal data collected from an individual who is under 13 years old, in which case the data must be processed in accordance with the Children’s Online Privacy Protection Act. The law restricts targeting and advertising for children between the ages of 13 and 16. A consumer’s consent must be freely given, specific, informed, and unambiguous.
Consent revocation. Controllers must provide a means for consumers to revoke consent to the processing of their personal data. Once consent is revoked, the controller must stop processing the data as soon as practicable, and no later than 15 days after receiving the revocation.
Nondiscrimination. Controllers are prohibited from discriminating against consumers who exercise any of their rights. Discriminating means “denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer.”
Privacy notice. The law requires controllers to provide consumers with a “reasonably accessible, clear and meaningful privacy notice.” The privacy notice should include:
- the categories of personal data the controller processes and their processing purposes;
- how consumers may exercise their rights and appeal a controller’s decision;
- the categories of personal data the controller shares with third parties if any;
- the categories of those third parties, if any, with which the controller shares personal data;
- an active email address or another online mechanism for the consumer to contact the controller.
If personal data is sold to third parties or processed for targeted advertising, controllers are required to “clearly and conspicuously disclose such processing” and provide options for consumers to opt out of such processing.
Response to consumer requests. Controllers are obligated to respond to a consumer’s request “without undue delay,” and no later than 45 days after receiving the request. The period may be extended by an additional 45 days when reasonably necessary. Controllers must also establish a conspicuously available appeal process through which consumers can, within a reasonable time, appeal a controller’s refusal to act on a request. If the appeal is denied, the controller must provide the consumer with an online mechanism to contact and submit a complaint to the Attorney General.
Data processing contracts. The data controller must sign a contract with the data processor for the data processing performed by the processor on behalf of the controller. Such contracts must “clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of the processing and the rights and obligations of both parties.”
Data protection assessments. For each data processing activity that presents a heightened risk of harm to consumers, controllers must conduct and document a data protection assessment. Activities with such a heightened risk of harm include processing data for the purposes of targeted advertising, selling personal data, processing sensitive data, and processing personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of substantial injury to consumers.
Different privacy laws require different cookie banners, depending on the consumer’s location. Several privacy laws can be complied with at once through geo-targeting: delivering different cookie banners and privacy notices to consumers based on their geographic location, so that each website visitor is presented with the banner that the applicable privacy law requires.
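The geo-targeting approach described above, as an added example that is not CookieScript’s code or any CTDPA text: the visitor’s region code selects a banner and privacy-notice variant, each processing purpose is then gated on that visitor’s recorded opt-outs and consent, and the 15-day revocation deadline is computed. It assumes the region code (for example "US-CT") has already been obtained from a geolocation lookup elsewhere, and the banner and notice template names are hypothetical identifiers. Only the CTDPA entry is filled in, using the rights and limits stated on this page; other jurisdictions are left as a placeholder.

```javascript
// Added example (not CookieScript's code). Region code is assumed to come
// from a geolocation lookup (CDN header or IP database) done elsewhere.
const REGIMES = {
  "US-CT": {
    law: "CTDPA",
    banner: "banner-ctdpa",           // hypothetical template name
    notice: "privacy-notice-ctdpa",   // hypothetical template name
    // Purposes a Connecticut consumer may opt out of.
    optOutPurposes: ["targeted_advertising", "sale", "profiling"],
    // Sensitive data needs affirmative consent; revocation honored within 15 days.
    sensitiveRequiresConsent: true,
    revocationDeadlineDays: 15,
    // Targeted advertising is restricted for known 13-16 year olds.
    restrictedAdAgeRange: [13, 16],
  },
  // PLACEHOLDER: configurations for other jurisdictions go here.
};

// Fallback for regions with no configured regime: a generic notice only.
const DEFAULT_REGIME = {
  law: null,
  banner: "banner-generic",           // hypothetical template name
  notice: "privacy-notice-generic",   // hypothetical template name
  optOutPurposes: [],
  sensitiveRequiresConsent: false,
  revocationDeadlineDays: null,
  restrictedAdAgeRange: null,
};

function regimeFor(regionCode) {
  return REGIMES[regionCode] || DEFAULT_REGIME;
}

// What to render for this visitor: banner, notice, and the opt-out choices to offer.
function bannerFor(regionCode) {
  const r = regimeFor(regionCode);
  return { law: r.law, banner: r.banner, notice: r.notice, optOutChoices: r.optOutPurposes };
}

// prefs: { optedOut: Set<string>, consentedSensitive: boolean, age: number|null }
// Returns true only if the purpose may proceed for this visitor under the regime.
function mayProcess(regionCode, purpose, prefs, isSensitive = false) {
  const r = regimeFor(regionCode);
  if (isSensitive && r.sensitiveRequiresConsent && !prefs.consentedSensitive) return false;
  if (r.optOutPurposes.includes(purpose) && prefs.optedOut.has(purpose)) return false;
  if (purpose === "targeted_advertising" && r.restrictedAdAgeRange && prefs.age != null) {
    const [lo, hi] = r.restrictedAdAgeRange;
    if (prefs.age >= lo && prefs.age <= hi) return false;
  }
  return true;
}

// Latest date by which processing must stop after consent is revoked
// (null when the regime sets no such deadline).
function revocationDeadline(regionCode, revokedAt) {
  const r = regimeFor(regionCode);
  if (r.revocationDeadlineDays == null) return null;
  const d = new Date(revokedAt.getTime());
  d.setUTCDate(d.getUTCDate() + r.revocationDeadlineDays);
  return d;
}
```

The opt-out check is deliberately a deny-by-default for the regime’s listed purposes once the visitor has recorded a choice; adding a jurisdiction means adding one entry to REGIMES rather than touching the gating logic, which keeps the banner selection and the enforcement of the visitor’s choices in one place.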
Enforcement of the CTDPA
There is no private right of action for consumers. Instead, the Attorney General has exclusive authority to enforce violations. Prior to initiating an action, the Attorney General must notify the controller of its violation. The CTDPA then gives the controller 60 days to cure the violation, twice as long as the 30-day cure periods granted under the CCPA, VCDPA, and Utah’s privacy law.
December 31, 2024, is the last date of the enforcement grace period. Beginning January 1, 2025, businesses are required to have controls in place to collect consent and respond to consumer opt-out requests.
Non-compliant entities may face civil penalties of up to $5,000 per intentional violation. The Attorney General may also seek injunctive relief and civil penalties under Connecticut’s Deceptive Trade Practices Act. The Attorney General likewise has exclusive enforcement authority over violations, which constitute unfair trade practices under the Connecticut Unfair Trade Practices Act.
Frequently Asked Questions
To whom does the Connecticut Data Privacy Act (CTDPA) apply?
The CTDPA applies to entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that, during the previous calendar year, controlled or processed the personal data of at least 100,000 consumers, or controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.
When does the Connecticut Data Privacy Act take effect?
What is personal data under the Connecticut Data Privacy Act (CTDPA)?
Personal data is any information that can be linked to an identifiable individual, excluding publicly available information. Personal data may include a full name, maiden name, or alias; a home address; a driver’s license, state identification, or social security number; passport information; a financial account number; login credentials; payment card information; online identifiers such as IP addresses, cookie identifiers, or browser fingerprints; an email address; and other data. CookieScript can help you to comply with the CTDPA.
What is sensitive personal data under the Connecticut Data Privacy Act (CTDPA)?
Does the Connecticut Data Privacy Act protect the personal data of children and teens?
Yes. If the personal data of a child is being processed by a controller, the child’s parent or legal guardian may exercise rights on the child’s behalf. Personal data collected from an individual who is under 13 years old is considered sensitive data and must be processed in accordance with the Children’s Online Privacy Protection Act. The law also restricts targeting and advertising for children between the ages of 13 and 16.
What rights do Connecticut consumers have under the CTDPA?