May 22, 2023

Complete Guide to CTDPA Cookie Compliance: Ensuring Privacy and Compliance

Discover everything you need to know about the Connecticut Data Privacy Act (CTDPA) and its cookie consent requirements. Learn how to comply with the CTDPA, obtain consumer consent, and protect personal data while ensuring privacy and regulatory compliance. Find out whether your business is affected and explore the benefits of using a cookie management platform (CMP) for seamless compliance.

The Connecticut Data Privacy Act (CTDPA), which takes effect on July 1, 2023, gives Connecticut consumers tools to protect their online privacy.

Online tracking and profiling have long let businesses personalize experiences and add functionality for users, but the data collected has at times been abused, prompting regulators to step in on how cookies may be used.

The data privacy laws passed in the United States in recent years do not generally limit the use of personal information; instead, they change how consumers can take control of their online privacy and exercise their consumer rights.

Does CTDPA Apply to Your Business?

The Connecticut Data Privacy Act (CTDPA) applies to persons that conduct business in Connecticut, or that produce products or services targeted to Connecticut residents, and that during the preceding calendar year met either of the following thresholds:

  1. They controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction.
  2. They controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

Nonprofits and government agencies are excluded from the applicability criteria.

If you meet these criteria, the CTDPA cookie consent requirements apply to your business.

What Does CTDPA Apply To?

CTDPA applies to the personal data of identifiable individuals. Any piece of information that could directly or indirectly identify a person is considered personal data.

There are a few exemptions, however, including publicly available information or information protected by industry-specific laws such as the Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), and others.

Do I Need to Obtain Consent to Comply with Connecticut Data Privacy Act?

You do not need to obtain consumers' cookie consent to process personal data under the Connecticut Data Privacy Act unless the processing falls into one of the exceptions the law sets out.

The CTDPA follows the opt-out principle: you may process personal data as long as the consumer does not object. In some cases, however, an explicit opt-in is required before processing starts.

These cases include:

  • Processing sensitive data
  • Processing children's data
  • Processing data for purposes that are neither reasonably necessary to, nor compatible with, the purposes disclosed to the consumer at the time of collection.

What is CTDPA Cookie Consent?

CTDPA consent is defined as "a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer."

Freely given means that the consumer has the freedom to exercise their choice to consent.

Specific means that the consent is specific to the processing it has been given for. For example, consent given for the processing of sensitive data for a specific purpose does not grant permission for the data to be processed for any other purpose.

Informed means that the consumer knows what they are consenting to before they act. This is what makes the privacy policy and privacy notice matter: the notice is typically summarized in, or linked from, the cookie banner, and the consent is only as informed as that notice is.

Unambiguous means that the user must take an affirmative action to provide consent. Mere browsing of the website or remaining silent on the consent request does not imply consent.

Additionally, CTDPA specifies that consent does not include:

  • Acceptance of general or broad terms of use or similar documents that contain descriptions of personal data processing along with other unrelated information. This includes bundling consent with terms of service.
  • Actions such as hovering over, muting, pausing, or closing a piece of content. Closing the cookie banner, for example, does not equate to consent.
  • Consent obtained through the use of dark patterns, which are manipulative design techniques aimed at influencing user behavior.

Furthermore, consumers must be provided with a mechanism to revoke consent, and this withdrawal process should be as easy as giving consent. For example, if a user consented to the processing by clicking an "ACCEPT COOKIES" button on a cookie banner, they should be able to withdraw their consent by clicking a "WITHDRAW CONSENT" button.

Now that you understand what giving CTDPA consent means, we will delve into each requirement and how to obtain consumer consent for the collection and processing of such data.

CTDPA Cookie Consent for Processing Sensitive Data

CTDPA explicitly prohibits the processing of sensitive data of Connecticut residents without prior consent.

Sensitive data includes:

  • Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status.
  • Genetic or biometric data processed for the purpose of uniquely identifying an individual.
  • Personal data collected from a known child.
  • Precise geolocation data.

If you use cookies to collect precise geolocation data, for example, you must obtain the consumer's opt-in first. The geolocation cookie must not be set, and the data must not be collected, until that consent has been given and recorded.

CTDPA Cookie Consent for Processing Children’s Data

Personal data collected from a known child under 13 years of age is sensitive data, and processing it is lawful only with verifiable parental consent.

For a consumer the controller knows to be at least 13 but under 16 years of age, the CTDPA additionally requires the consumer's own consent before their personal data is processed for targeted advertising or sold to third parties.

For known children, the CTDPA requires processing to follow the Children's Online Privacy Protection Act (COPPA), whose verifiable parental consent methods include:

  • A consent form signed by the parent or guardian and returned by postal mail, fax, or electronic scan.
  • Requiring a credit card, debit card, or other online payment method for verification, typically with a nominal charge that is then refunded or not charged.
  • Using a video conference call or similar technology to visually confirm the parent's identity.
  • Checking a government-issued identification, such as a driver's license or passport, together with a signed consent form.

CTDPA Consumer Consent for Processing Data for New or Unnecessary Purposes

Suppose you have collected a user's website behavior data for analytics purposes through Google Analytics, and now you want to process the same categories of personal data for remarketing and advertising purposes. In that case, you need to obtain consent from consumers.

CTDPA explicitly states that data controllers must not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.

CTDPA requires you to provide consumers with a meaningful privacy notice during data collection, where you must disclose the purposes of data processing activities and the categories of consumers' personal data that you process. From that point forward, you can process the disclosed categories of personal information for the disclosed processing purposes.

For example, if you have informed your consumers that you process their website browsing data for statistical purposes, you cannot use it for remarketing without obtaining their consent. Doing so would be a violation of the CTDPA.

What If I Don't Obtain CTDPA Cookie Consent?

Failure to obtain CTDPA cookie consent when required to do so can result in penalties.

The Connecticut Attorney General has exclusive authority to enforce the law. Unlike in California, where the CCPA grants consumers a limited private right of action for data breaches, Connecticut consumers have no private right of action under the CTDPA.

Between July 1, 2023, and December 31, 2024, before initiating any legal proceedings for a breach, the Attorney General will issue a notice of violation to the data controller if they believe a remedy for the violation exists. This notice allows the controller to rectify the violation. If the controller fails to remedy the violation within 60 days of receiving this notice, the Attorney General is authorized to take legal action.

From January 1, 2025, onward, the Attorney General has the option to offer a cure period or impose a penalty immediately. The decision depends on factors such as:

  • the number of violations,
  • the size and complexity of the operations,
  • the nature and extent of data processing activities,
  • the likelihood of harm to the public,
  • the potential risk to individuals' safety or property, and
  • whether the violation resulted from human error or technical glitches.

Violations of the CTDPA are treated as unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA), so the Attorney General can seek injunctive relief and civil penalties under CUTPA in addition to ordering the violation cured.

Other Consent-Related Duties Arising from the CTDPA

Opting for processing activities that require obtaining consent entails several additional obligations, including:

  • Honoring consumer requests: Connecticut consumers have the right to confirm whether their personal data is being processed and to access it, to obtain a portable copy, to correct inaccuracies, to have it deleted, to opt out of targeted advertising, sale, and certain profiling, and not to be discriminated against for exercising these rights. Controllers must respond to and fulfill these requests.
  • Conducting data protection assessments: These assessments identify and weigh the risks of a processing activity. They are required for processing that presents a heightened risk of harm to consumers, which includes processing sensitive data, targeted advertising, the sale of personal data, and profiling that carries such a risk.
  • Managing and storing consent: To demonstrate compliance with the consent requirements, keep a secure, tamper-evident record of each consent obtained, including what was consented to, when, and how, and of each withdrawal.
  • Honoring opt-out preference signals: Starting January 1, 2025, controllers must treat a recognized opt-out preference signal, such as Global Privacy Control (GPC), as the consumer's opt-out from the sale of personal data and from processing for targeted advertising.

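The consent rules above (an affirmative act is required, closing the banner is not consent, sensitive purposes such as precise geolocation need a prior opt-in, withdrawal must be as easy as consenting, consent records must be kept, and a GPC signal must be honored as an opt-out from sale and targeted advertising) map onto a small amount of state. The following is an added example written for this page, not code from the original article or from any CMP vendor. It models that state in plain JavaScript so it runs in Node without a DOM; the names `PURPOSES`, `ConsentLedger`, `gpcSignalled`, and `setCookieIfAllowed` are illustrative assumptions, the request headers are constructed, and the choice to let an explicit grant recorded in the ledger override a GPC signal is an assumption of the example rather than a statement of the statute.

```javascript
// Added example, not code from the original page or from any CMP vendor.
// Models the consent rules described above in plain JavaScript so it can run
// in Node without a DOM. All names (PURPOSES, ConsentLedger, gpcSignalled,
// setCookieIfAllowed) are illustrative assumptions.

const PURPOSES = Object.freeze({
  ANALYTICS: "analytics",                     // disclosed purpose, opt-out regime
  TARGETED_ADS: "targeted_advertising",       // opt-out regime; GPC counts as opt-out
  SALE: "sale_of_personal_data",              // opt-out regime; GPC counts as opt-out
  PRECISE_GEOLOCATION: "precise_geolocation", // sensitive data: prior opt-in required
});

// Purposes that must not be processed until an affirmative opt-in is recorded.
const OPT_IN_REQUIRED = new Set([PURPOSES.PRECISE_GEOLOCATION]);
// Purposes an opt-out preference signal (GPC) covers.
const GPC_COVERED = new Set([PURPOSES.TARGETED_ADS, PURPOSES.SALE]);

class ConsentLedger {
  // `gpc`: whether the consumer's user agent sent an opt-out preference signal.
  // `now`: injectable clock so records are reproducible in tests.
  constructor({ gpc = false, now = () => new Date().toISOString() } = {}) {
    this.gpc = gpc;
    this.now = now;
    this.records = [];      // append-only log kept as evidence of consent
    this.state = new Map(); // purpose -> "granted" | "withdrawn"
  }

  // Log a banner interaction for the given purposes. Only "accept" is an
  // affirmative act; "close", "hover", "mute", "pause", scrolling, etc. are
  // logged for audit but change no processing decision. Returns true only
  // when the interaction counted as consent.
  recordBannerAction(action, purposes) {
    this.records.push({ action, purposes: [...purposes], at: this.now() });
    if (action === "accept") {
      for (const p of purposes) this.state.set(p, "granted");
      return true;
    }
    if (action === "withdraw") { // one click, as easy as "accept"
      for (const p of purposes) this.state.set(p, "withdrawn");
    }
    return false;
  }

  // Whether processing for `purpose` may proceed right now.
  allowed(purpose) {
    const s = this.state.get(purpose);
    if (s === "withdrawn") return false;
    if (s === "granted") return true;               // explicit grant wins (assumption)
    if (OPT_IN_REQUIRED.has(purpose)) return false; // silence is not consent
    if (this.gpc && GPC_COVERED.has(purpose)) return false;
    return true; // opt-out purpose with no opt-out on file
  }
}

// Detect the Global Privacy Control signal. In the browser it is exposed as
// navigator.globalPrivacyControl === true; on the server it arrives as the
// request header "Sec-GPC: 1". Header names are matched case-insensitively.
function gpcSignalled({ navigatorLike = null, headers = {} } = {}) {
  if (navigatorLike && navigatorLike.globalPrivacyControl === true) return true;
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc" && String(value).trim() === "1") return true;
  }
  return false;
}

// Gate cookie writes on the ledger. Returns the Set-Cookie value that would be
// written, or null if the purpose is not currently allowed (nothing is written).
function setCookieIfAllowed(ledger, purpose, name, value) {
  if (!ledger.allowed(purpose)) return null;
  return `${name}=${encodeURIComponent(value)}; Secure; SameSite=Lax; Path=/`;
}

// Walk through the scenarios in the text with constructed input.
function demo() {
  const headers = { "Sec-GPC": "1" }; // constructed request headers
  const ledger = new ConsentLedger({
    gpc: gpcSignalled({ headers }),
    now: () => "2025-01-01T00:00:00Z",
  });
  const out = {};
  ledger.recordBannerAction("close", Object.values(PURPOSES)); // dismissal only
  out.analyticsAfterClose = ledger.allowed(PURPOSES.ANALYTICS);   // true: opt-out purpose
  out.adsAfterClose = ledger.allowed(PURPOSES.TARGETED_ADS);      // false: GPC opt-out
  out.geoAfterClose = setCookieIfAllowed(ledger, PURPOSES.PRECISE_GEOLOCATION, "geo", "41.7,-72.7"); // null
  ledger.recordBannerAction("accept", [PURPOSES.PRECISE_GEOLOCATION]);
  out.geoAfterAccept = setCookieIfAllowed(ledger, PURPOSES.PRECISE_GEOLOCATION, "geo", "41.7,-72.7");
  ledger.recordBannerAction("withdraw", [PURPOSES.PRECISE_GEOLOCATION]);
  out.geoAfterWithdraw = ledger.allowed(PURPOSES.PRECISE_GEOLOCATION); // false
  out.recordCount = ledger.records.length;                             // 3
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the ledger is that every interaction is logged but only `accept` changes what is allowed, so a dismissed banner leaves opt-in purposes blocked and opt-out purposes subject to any GPC signal; the audit trail in `records` is what you would retain to demonstrate compliance.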
How Does CTDPA Compare with Other Data Privacy Laws in Terms of Consent?

Connecticut is the fifth U.S. state to enact consumer privacy legislation, following the principles set out in other state privacy laws such as the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Utah Consumer Privacy Act (UCPA), and Colorado Privacy Act (CPA).

These privacy regulations generally adhere to the opt-out principle, except in specific circumstances where consent is required.

These requirements differ from those in the European Union, where the GDPR and the ePrivacy Directive require prior opt-in consent before any non-essential cookie is set, rather than consent only in specific cases.

How to Comply with CTDPA Cookie Consent Requirements?

If you want to easily obtain CTDPA cookie consent, using a cookie management platform (CMP) is a smart idea. CMPs are helpful for businesses of all sizes.

These platforms streamline the process of obtaining consumer consent in accordance with data protection rules, as they have legal requirements embedded in their software. Here's why using a CMP is beneficial:

  1. Keeping up with laws: Using a CMP ensures compliance with the latest legal requirements for collecting permissions. You don't have to constantly track legal updates, saving you time and effort and reducing the risk of non-compliance.
  2. Handling the technical side: A CMP maintains the banner, the consent storage, and the tag-blocking logic, and fixes bugs in them, so your own team does not have to build and maintain that code.
  3. Easy to use: CMPs are user-friendly and easy to set up. For example, Secure Privacy's cookie consent management solution only requires adding a few lines of code to your website or app to start collecting and managing consent according to the CTDPA or any other data protection law worldwide. Some CMPs even provide templates specifically designed for collecting user permissions in Connecticut.
  4. Affordable for all businesses: CMPs typically offer different pricing plans, making them affordable for businesses of all sizes. Prices can start at $100 per year, ensuring compliance without straining your budget.
