On May 10, 2022, Connecticut enacted a comprehensive data privacy law, making it the fifth state to reach this monumental milestone. Connecticut’s new privacy law went into effect on July 1, 2023. The law, which is similar to the privacy laws passed by California, Colorado, Virginia, and Utah, gives Connecticut consumers control regarding the personal data collected about them by companies that do business in the state. Broadly speaking, the bill’s requirements fall somewhere between the Colorado and Virginia privacy laws, with a few notable distinctions.
What is the Eligibility Threshold for the Act?
The Connecticut Privacy Act applies to businesses that operate in Connecticut or that produce merchandise or services targeted to Connecticut residents and that control or process the personal data of:
- at least 100,000 consumers during the past calendar year; or
- 25,000 or more consumers and derived over 25% of gross revenue from the sale of personal data over the last calendar year.
Notably, the CTDPA does not require a minimum annual revenue; applicability is determined solely by the number of consumers whose personal data a business processes.
What is Personal Data?
Under the Connecticut privacy law, personal data includes information that is linked or reasonably linkable to an identified or identifiable individual. Unidentifiable data or publicly available information is not considered personal data under the law.
What are the Parameters of the “Sale of Personal Data”?
The “sale of personal data” is defined as “the exchange of personal data for monetary or another valuable purpose by the controller to another party.” Unlike Virginia and Utah where a sale is defined as an exchange for strictly monetary purposes, the law adopts a broader definition that considers an exchange of data for “other valuable consideration” to also constitute a sale. This is similar to Colorado’s privacy law and California’s CCPA.
What is the Difference Between Controllers and Processors?
The Connecticut Data Privacy Law imposes obligations upon “controllers” and “processors” of consumer data.
“Controllers” determine the “purpose and means” of processing personal data.
“Processors” handle data “on behalf of” a controller.
What are Controller Obligations Under the CTDPA?
Under the CTDPA, controllers are obligated to:
- Notification of purpose: Notify consumers regarding the types of personal data the controller processes, the purpose for processing the data, whether the controller shares personal data with third parties, and clear information on how consumers can exercise their privacy rights over their personal data.
- Data minimization: Limit the collection of personal data to the minimum amount that is relevant and reasonably necessary for the specific purpose for which the data is processed.
- Obtain consumers’ consent before processing their sensitive data.
- Respond to requests to exercise consumer rights granted under the CTDPA.
- Data protection assessments: Conduct assessments before processing personal data in a manner that presents a heightened risk of harm to consumers. This includes processing personal data for targeted advertising, sale, or profiling, and processing sensitive data.
- Use reasonable safeguards to secure personal data from unwarranted access.
- Not discriminate against consumers who exercise their privacy rights under the new law or process personal data in a manner that would otherwise result in unlawful discrimination.
What Rights Can Connecticut Residents Exercise Under the CTDPA?
Connecticut consumer protection laws provide residents with the following rights:
- The right to access personal data that a controller has collected about them.
- The right to correct inaccuracies in their personal data.
- The right to delete their personal data, including personal data that a controller collected through third parties.
- The right to obtain a copy of their personal data in a portable and readily usable format that allows them to transfer the data to another controller with ease.
- The right to opt out of:
  - the sale of their personal data;
  - the processing of personal data for targeted advertising; and
  - profiling that may have a legal or another significant impact.
A controller’s privacy notice must clearly describe how consumers may exercise their rights under the CTDPA. Among other methods, a controller must provide an easily accessible link on its website through which consumers can opt out of targeted advertising or the sale of their data. Soon, consumers will also be able to opt out through universal opt-out mechanisms.
What are Universal Opt-Out Mechanisms?
Universal opt-out mechanisms are designed to provide users the flexibility to choose to opt out of the processing of personal data across several websites at once, as opposed to necessitating the submission of separate opt-out requests through the websites of each controller. Controllers must acknowledge universal opt-out mechanisms as valid consumer requests under the CTDPA as of January 1, 2025.
What are Some Important Dates That Apply to CTDPA Compliance?
- July 1, 2023 – The CTDPA becomes effective. This is the recommended target date for full compliance.
- December 31, 2024 – The last date of the enforcement grace period (be sure to cure any remaining alleged violations by then).
- January 1, 2025 – Businesses are required to have controls in place to collect consent and respond to consumer opt-out requests. The Connecticut Attorney General, at their discretion, may offer opportunities to cure alleged violations.
Who is Responsible for the Enforcement of the Act?
The Attorney General has the exclusive responsibility to enforce penalties on entities or individuals that violate the CTDPA.
Civil penalties may amount to fines up to $5,000 per violation, according to the Connecticut Unfair Trade Practices Act. In addition to civil penalties, the Attorney General can also seek other fines in specific cases.
Centraleyes State Privacy Tracker
Keeping track of the ever-changing legal landscape is a challenge. That’s why the Centraleyes team of analysts tracks the latest state data privacy laws with 24/7/365 coverage. Book a demo today and see why companies rely on Centraleyes’s platform to stay up to date on rapidly changing state privacy laws.
Check out our other articles on pertinent laws like California’s CPRA, Colorado’s CPA, Utah’s UCPA, and Virginia’s VCDPA.