The Connecticut Data Privacy Act (CTDPA): What You Need to Know

Written by Matt Davis, CIPM (IAPP) | June 13, 2023

Effective July 1, 2023, the Connecticut Data Privacy Act (CTDPA) brings Connecticut in line with a growing cadre of U.S. states. In the absence of a federal data privacy law, more and more states are creating their own. While that is good for consumers, businesses get the short end of the stick: rather than learning one comprehensive law, they now have to learn the requirements of a growing number of different state laws. 

Don’t worry; you don’t have to wade through pages of legalese just to understand your obligations under Connecticut privacy law. This article walks through the nuts and bolts of the CTDPA in a simple, digestible way, and outlines how to become compliant in the ever-changing data privacy landscape. 

What is the Connecticut Data Privacy Act? 

Signed May 10, 2022, the CTDPA gives Connecticut residents more control over their personal data. For the purposes of the act, a consumer is a resident of the state acting on their own behalf, not in a commercial or employment context. That is in contrast to states like California, whose CPRA extends data privacy protection to employees as well.  

The law includes many of the same provisions as the data privacy acts in other states, but most closely resembles those of Colorado (CPA) and Virginia (CDPA). 

Like other data privacy laws, it gives consumers the right to:  

  • Access data.  
  • Correct inaccuracies.  
  • Delete personal data.  
  • Obtain a copy of their data in a format that allows them to transmit it to another controller.  
  • Opt out of the sale of their personal data, of its processing for targeted advertising, and of profiling that feeds solely automated decisions with legal or similarly significant effects.  

Who Does the CTDPA Apply To? 

The act applies to those who conduct business in the state or who produce products or services targeted to Connecticut residents and who, during the preceding calendar year:  

  • Controlled or processed the personal data of 100,000 or more consumers, not counting personal data controlled or processed solely for the purpose of completing a payment transaction; or 
  • Controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.  

One notable difference from other state privacy laws is the absence of a revenue criterion. As an example, one of the triggers for being subject to the CPRA is having had more than $25 million in gross revenue in the preceding calendar year. No such threshold exists in the CTDPA, so smaller businesses that handle enough consumer records are covered, making it one of the more consumer-friendly state privacy laws. 

Connecticut Data Privacy Act Exemptions 

It’s important to note that the CTDPA does not apply to every organization operating in Connecticut. The law explicitly excludes: 

  • State agencies. 
  • Nonprofit organizations. 
  • Higher education institutions. 
  • National securities associations registered under the Securities Exchange Act of 1934. 
  • Financial institutions and data subject to the Gramm-Leach-Bliley Act. 
  • Covered entities or business associates subject to the Health Insurance Portability and Accountability Act (HIPAA).   

In addition, there are a number of exemptions for personal data maintained in compliance with other privacy laws, such as the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act. 

Personal data processed solely to complete a payment transaction also does not count toward the 100,000-consumer applicability threshold. The idea here is that businesses like restaurants, cafes, and the like don’t really process personal data in the same way as, say, digital advertising companies and shouldn’t be regulated in the same way. 

Connecticut Data Privacy Act Regulations 

The CTDPA was established to ensure that businesses protect Connecticut consumers’ personal data and keep it accurate.  

Controllers, meaning the individuals and entities that determine the purpose and means of processing personal data, are required to: 

  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purpose for which it is processed. In other words, you can’t collect more data than you need to accomplish your goal. 
  • Create and maintain security practices that protect the confidentiality, integrity and accessibility of data. 
  • Obtain consent where the law requires it: before processing sensitive data, before processing the personal data of a known child (in compliance with the Children’s Online Privacy Protection Act, COPPA), and before selling the personal data of, or targeting advertising at, a consumer the controller knows is between 13 and 15 years old. Otherwise, like other U.S. state privacy laws, the CTDPA is an opt-out law; that means that in most cases, you can process consumers’ data so long as they are informed and have not opted out (see our blog on opt in vs opt out). The sensitive-data exception is covered below. 
  • Provide a way for consumers to revoke consent “that is at least as easy as the mechanism by which the consumer provided the consumer’s consent,” and cease processing data as soon as practicable (but no later than 15 days after receipt of the request). 
  • Provide a privacy notice that is reasonably accessible, clear, and meaningful, and that includes: categories of personal data processed, the purpose for processing personal data, how consumers can exercise their rights, what data is shared with third parties and their categories, and a way to contact the controller. 
  • Conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. This includes:
    1. The processing of personal data for targeted advertising.
    2. The sale of personal data, where “sale” is defined as an exchange for monetary or “other valuable consideration.” This second item is important; it means that even exchanging data for services is regulated.
    3. The processing of personal data for profiling.
    4. The processing of sensitive data.  

The Connecticut Data Privacy Law and Sensitive Data 

As is the case with most other state privacy laws, some data is considered more sensitive than others, and requires additional protection.  

The Connecticut privacy law defines sensitive data as personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data processed to uniquely identify an individual; personal data collected from a known child; and precise geolocation data.  

When sensitive information is being collected, the CTDPA requires consumers to opt in first. That means businesses cannot collect and process this data without the consumer giving their explicit consent first. Some state laws, like Virginia’s data privacy law, treat sensitive data in the same way. Others, like Utah’s data privacy law, don’t require opt-in consent for sensitive data. 

In addition, the law prohibits the use of “dark patterns”—or a user interface designed to subvert or impair a consumer’s decision making—to obtain consent.  

CTDPA Enforcement and Penalties for Violations  

The Connecticut Attorney General has the authority to enforce violations and may issue fines of up to $5,000 per violation. Additionally, the Attorney General can issue orders to offenders to prevent them from violating the law, force them to pay restitution to victims, and order disgorgement (which essentially means giving up any profit they accrued from illegal activity). 

One notable feature of the CTDPA is its phased enforcement. Over time, businesses lose the safety net that accompanies the law’s first eighteen months, and new obligations come into force. 

From the Connecticut data privacy law's effective date of July 1, 2023, through December 31, 2024, the Attorney General will issue a notice of violation to a controller, who will have 60 days to cure the violation.   

This period of time is meant to give businesses the chance to adjust to the regulation. After January 1, 2025, the Attorney General’s office will no longer offer this 60-day cure period by default. Instead, the Attorney General will evaluate whether a cure period should be offered based on the number of violations, size and complexity of controller or processor, and other factors.   

At the start of 2025, the law will also require businesses to allow consumers to opt out of targeted advertising or the sale of personal data through universal opt-out mechanisms, like the Global Privacy Control. 
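The Global Privacy Control signal mentioned above reaches a server as the HTTP request header `Sec-GPC: 1` (and is exposed to page scripts as `navigator.globalPrivacyControl`). The following is an added example, not code from the page, the statute, or Osano; it shows how a site could treat that header as an opt-out of targeted advertising and sale. The `Request` and `ConsentStore` classes, the sample traffic, and the precedence rule (GPC wins, a stored opt-out persists, otherwise processing is allowed) are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Header defined by the Global Privacy Control specification. A value of "1"
# means the visitor asks that their data not be sold or shared for targeting.
GPC_HEADER = "sec-gpc"


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    headers: Dict[str, str]
    consumer_id: Optional[str] = None  # set when the visitor is logged in


@dataclass
class ConsentStore:
    """Per-consumer preference store (constructed for this example).

    Maps consumer_id -> True when the consumer has opted out of targeted
    advertising and sale of personal data, False when they opted back in.
    """
    opt_outs: Dict[str, bool] = field(default_factory=dict)


def gpc_signal_present(headers: Dict[str, str]) -> bool:
    """Return True when the request carries Sec-GPC: 1.

    HTTP header names are case-insensitive, so compare them lower-cased.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def opted_out_of_targeting(req: Request, store: ConsentStore) -> bool:
    """Decide whether this request must be treated as opted out.

    Precedence assumed for this example:
      1. A GPC signal on the request is honored as an opt-out; for a known
         consumer it is persisted so the choice survives a later request
         from a client that does not send the header.
      2. Otherwise a stored preference is used.
      3. With neither, the opt-out default applies: processing is allowed.
    """
    if gpc_signal_present(req.headers):
        if req.consumer_id is not None:
            store.opt_outs[req.consumer_id] = True
        return True
    if req.consumer_id is not None:
        return store.opt_outs.get(req.consumer_id, False)
    return False


def choose_ad_strategy(req: Request, store: ConsentStore) -> str:
    """Serve 'contextual' ads (no cross-site profile, no data sale) when opted out."""
    return "contextual" if opted_out_of_targeting(req, store) else "targeted"


# Constructed sample traffic: a browser sending GPC, the same logged-in
# consumer from a client that does not send it, an anonymous visitor, and a
# header that is present but not set to "1".
SAMPLE_REQUESTS: List[Request] = [
    Request({"Sec-GPC": "1", "User-Agent": "example"}, consumer_id="c-42"),
    Request({"User-Agent": "example"}, consumer_id="c-42"),
    Request({"User-Agent": "example"}),
    Request({"SEC-GPC": "0"}, consumer_id="c-7"),
]


def run_samples(store: Optional[ConsentStore] = None) -> List[str]:
    """Run the sample traffic through one shared store and return the decisions."""
    store = store if store is not None else ConsentStore()
    return [choose_ad_strategy(r, store) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for r, decision in zip(SAMPLE_REQUESTS, run_samples()):
        print(r.headers, r.consumer_id, "->", decision)
```

The second sample request is the case worth checking in a real system: once a logged-in consumer has sent the signal, the opt-out must not silently disappear when they return from a browser that does not send it. Whether a stored opt-in may override a later GPC signal, and how to surface that conflict to the consumer, is a policy decision the example leaves to counsel.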

Complying with the CTDPA 

The CTDPA is the fifth comprehensive data privacy law, but it’s far from the last. Recently, several other states have passed privacy bills, including Indiana, Iowa, Tennessee, and Montana, with many more states working toward the passage of introduced bills. 

If you work at a business that serves markets in multiple states, maintaining compliance with this patchwork of state data privacy laws can be tricky.  

Maintaining compliance starts with awareness. Make sure you’re keeping track of laws that may impact your company as they make their way through state legislatures. Subscribing to Osano’s newsletter is a great place to start. 

When a new law is passed (but before it takes effect), it’s best to review the text with your legal counsel. They can help you determine if you’re in compliance, and if not, what steps to take.  

Finally, consider a Consent Management Platform (CMP), like Osano, which removes the data compliance burden from your team. With customizable consent management, data subject access request automation, and vendor management tools, CMPs are designed to help you get and maintain compliance in an ever-changing data privacy landscape.