December 16, 2022

Connecticut Data Privacy Act (CTDPA): What You Need To Know

The CTDPA will have far-reaching consequences for businesses that collect, process, or store the personal data of Connecticut residents. This blog post will explore the CTDPA in detail and discuss its implications when companies conduct business. We will also provide tips on how businesses can comply with the CTDPA.

On May 10, 2022, Connecticut Governor Ned Lamont signed the Connecticut Data Privacy Act (CTDPA) into law. The law takes effect July 1, 2023 and provides Connecticut residents acting as consumers in individual or household contexts more control over the consumer’s personal data. The law does not apply to individuals acting in employment or commercial contexts.

What is the CTDPA?

The CTDPA, also called “An Act Concerning Personal Data Privacy and Online Monitoring,” is the fifth comprehensive state privacy law in the US. It requires businesses to take reasonable steps to protect the personal data of Connecticut residents from unauthorized access and disclosure.

The CTDPA shares much with the consumer privacy laws already passed in California, Virginia, Colorado, and Utah. It is most similar to the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA), which are more consumer-oriented than the more business-friendly Utah Consumer Privacy Act (UCPA). The CTDPA is also comparable to the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

The CTDPA applies to any business that collects, stores, or uses the personal data of Connecticut residents, regardless of whether the business is located in Connecticut or elsewhere.

The CTDPA requires businesses to implement reasonable security measures to protect the personal data of Connecticut residents from unauthorized access and disclosure. Businesses must also take reasonable steps to ensure that the personal data they collect is accurate and up-to-date. In addition, businesses must provide individuals with notice of their right to access and correct inaccuracies with their personal data.

The CTDPA imposes penalties on businesses that violate its provisions, including fines of up to $500,000 for each violation. The Attorney General may also bring civil actions against businesses that violate the CTDPA.

What does the CTDPA do?

The Connecticut Data Privacy Act creates a state data privacy and protection framework that sets out specific requirements for businesses handling the personal data of Connecticut residents. The CTDPA is modeled after the European Union’s General Data Protection Regulation (GDPR) and expands on the state’s existing data security law.

The CTDPA applies to any business that processes the personal data of Connecticut residents, regardless of whether the business is located inside or outside of the state. The law broadly defines “personal data” to include any information that can be used to identify an individual, including names, addresses, email addresses, birthdates, Social Security numbers, driver’s license numbers, biometric data, and more.

Under the CTDPA, businesses must take reasonable steps to protect personal data from unauthorized access, use, disclosure, or destruction. They must also provide customers with clear and concise information about their rights under the law and ensure that they can easily exercise them.

Businesses that violate the CTDPA can be subject to civil penalties of up to $750 per violation. The law also gives individuals the right to sue businesses for damages if they suffer harm due to a violation of the CTDPA.

Personal data and consumer rights under the CTDPA

The CTDPA's broad personal data definition includes any information linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information. The CTDPA defines a sale of personal data as the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

The CTDPA grants consumers rights to:

  • Confirm whether a controller is processing their personal data unless the confirmation would require the controller to reveal a trade secret.
  • Access their personal data unless it requires the controller to reveal a trade secret.
  • Request deletion of the personal data provided by or obtained about the consumer.
  • Obtain a copy of the personal data that they previously provided to the controller in a format that is:
  • Opt out of having their personal data processed for purposes of:
    - targeted advertising;
    - the sale of personal data; or
    - profiling to further solely automated decisions and decision-making that produce legal or similarly significant effects concerning the consumer.

The CTDPA requires data controllers to:

  • Provide consumers with a reasonably accessible, clear, and meaningful privacy notice stating:
    - the categories of personal data the controller processes and their processing purposes;
    - how consumers may exercise their rights;
    - the categories of personal data the controller shares with third parties and the categories of those third parties if any; and
    - an active email address or another online mechanism that the consumer can use to contact the controller.
  • Limit personal data collection to what is adequate, relevant, and reasonably necessary for the disclosed processing purposes.
  • Limit personal data processing to what is reasonably necessary for or compatible with the disclosed processing purposes unless the controller obtains consumer consent.
  • Process consumers' sensitive data only after providing them with clear notice and an opportunity to opt out or meet the requirements of the federal Children's Online Privacy Protection Act and its implementing regulations for data concerning children under 13. The CTDPA defines sensitive data as:
    - personal data that reveals an individual's race or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;
    - genetic or biometric data, if the processing is for identification purposes, excluding physical or digital photographs, video or audio recordings, or data generated from them unless the data is generated to identify a specific individual;
    - personal data collected from a known child; or
    - precise geolocation data.
  • Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.
  • Offer an effective mechanism for a consumer to revoke their consent that is at least as easy as the mechanism the consumer used to give consent. The controller must stop processing the data within 15 days of receiving the revocation request.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to its volume and nature.
  • Respond to consumers' requests to exercise their rights within 45 days, subject to some exclusions and extension opportunities.
  • Not discriminate against consumers for exercising their CTDPA rights, although controllers may offer consumers a different price, quality, or selection if they opt out of targeted advertising or the offer is related to their voluntary participation in a loyalty, rewards, or similar program.
  • Conduct data protection assessments and provide them to the attorney general on request for processing activities created or generated after July 1, 2023 that present a heightened risk of harm to a consumer, including:
    - processing personal data for targeted advertising purposes;
    - selling personal data;
    - processing personal data for profiling purposes under certain circumstances; and
    - processing sensitive data.
  • By January 1, 2025, allow consumers to opt out of any processing of their personal data for targeted advertising or personal data sales by means of an opt-out preference signal. The signal is sent to the controller, with the consumer's consent, by a platform, technology, or mechanism that indicates the consumer's intent to opt out of the processing or sale.

The CTDPA requires entities processing data on behalf of controllers to assist the controllers in meeting their obligations under the law.

How does the CTDPA protect consumers?

The Connecticut Data Privacy Act (CTDPA) is a new law that provides consumers greater protection against data breaches. The CTDPA requires businesses that collect, use, or store consumer data to take reasonable steps to safeguard that data from unauthorized access, use, or disclosure, and it imposes strict penalties on businesses that fail to do so.

The CTDPA also requires businesses that experience a data breach to notify affected consumers within 60 days of discovering the breach.

Taken together, these requirements make the CTDPA a comprehensive data privacy law: it protects consumers' personal information and ensures that businesses take responsibility for safeguarding it.

Who does CTDPA apply to?

The CTDPA applies to individuals and entities that do business in Connecticut or produce products or services that target Connecticut residents and, during the preceding calendar year, controlled or processed the personal data of either:

  • 100,000 or more consumers, excluding personal data controlled or processed solely for completing a payment transaction.
  • 25,000 or more consumers and derived more than 25% of their gross revenue from selling personal data.

Are There Any Exceptions to the CTDPA?

The CTDPA generally applies to any business that collects, uses, or discloses the personal data of Connecticut residents. However, there are a few exceptions to the law.

The CTDPA does not apply to:

  • Data collection, processing, sale, or disclosure activity regulated by certain laws, including:
    - the Children's Online Privacy Protection Act of 1998;
    - the Health Insurance Portability and Accountability Act (HIPAA);
    - the Health Care Quality Improvement Act of 1986;
    - the Fair Credit Reporting Act;
    - the Driver's Privacy Protection Act of 1994; and
    - the Airline Deregulation Act.
  • Any Connecticut body, authority, board, bureau, commission, district, agency, or political subdivision.
  • Federally tax-exempt nonprofit organizations.
  • Institutions of higher education.
  • National securities associations registered under the Securities Exchange Act of 1934.
  • Financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act.
  • Covered entities or business associates as defined in HIPAA regulations.

CTDPA and the Office of the Attorney General

The CTDPA gives the Connecticut Attorney General exclusive enforcement authority and does not include a private right of action. From July 1, 2023 to December 31, 2024, before initiating any action for a violation, the Attorney General must issue a notice of violation to the controller if the Attorney General determines that a cure is possible. If the controller fails to cure the violation within 60 days of receiving notice, the Attorney General may bring an action. Beginning January 1, 2025, the Attorney General has discretion over whether to provide an opportunity to cure an alleged violation, taking into consideration the following:

  • The number of violations.
  • The controller's or processor's size and complexity.
  • The nature and extent of the processing activities.
  • The substantial likelihood of injury to the public.
  • The safety of individuals or property.
  • Whether the alleged violation was likely caused by human or technical error.

The Attorney General may also seek injunctive relief and civil penalties under Connecticut's Deceptive Trade Practices Act, since violations of the CTDPA constitute unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA).

How Does the CTDPA Compare to Other State Data Privacy Laws?

The CTDPA requires businesses to take reasonable steps to protect the personal data of state residents from unauthorized access, destruction, use, modification, or disclosure, and to notify individuals when their personal data has been breached. It applies to any business that collects, stores, or processes the personal data of state residents, regardless of whether the business is located in Connecticut.

In these respects the CTDPA resembles other state data privacy laws: like them, it imposes a reasonable-security obligation and a breach notification duty. However, the CTDPA differs from other state laws in two important respects.

First, the CTDPA applies to any business that collects, stores, or processes the personal data of state residents, regardless of where the business is located. This means that businesses located outside of Connecticut may be subject to the law if they collect or store the personal data of Connecticut residents. Second, while other state laws generally exempt businesses subject to federal regulation (such as HIPAA-regulated entities) from their provisions, the CTDPA does not contain any such exemption. This means that businesses subject to federal regulation, such as HIPAA-regulated entities, may still be subject to the CTDPA.

Conclusion

The Connecticut Data Privacy Act is a groundbreaking new law establishing strict rules around how companies can collect, use, and share personal data. The CTDPA is the first state law of its kind and sets a strong precedent for other states to follow suit. The CTDPA will help protect consumers’ privacy rights and give them more control over their personal data. We urge all companies doing business in Connecticut to comply with the CTDPA so that we can better protect our residents’ privacy rights.