Effective July 1, 2023, the Connecticut Data Privacy Act (CTDPA) brings Connecticut in line with a growing cadre of U.S. states. In lieu of a federal data privacy law, more and more states are creating their own data privacy laws. While that’s great for consumers, businesses are getting the short end of the stick—now, they have to learn about the requirements of a dozen-plus different laws rather than one comprehensive law.
Don’t worry; you don’t have to dig deep into pages of legalese just to understand what your obligations are under Connecticut privacy law. We’ll dig into the nuts and bolts of the CTDPA in this article in a simple, digestible way, and we’ll outline how to become compliant in the ever-changing data privacy landscape.
Signed May 10, 2022, the CTDPA gives Connecticut residents more control over their personal data. For the purposes of the act, a consumer is defined as a resident of the state acting on their own behalf—not in a commercial or employment context. That’s in contrast to states like California, which gives employees data privacy protection under the CPRA.
The regulation includes many of the same provisions as the data privacy acts in other states, but most closely resembles those in Colorado (CPA) and Virginia (CDPA).
Like other data privacy laws, it gives consumers the right to:
The act applies to those who conduct business in the state or who produce products or services targeted to Connecticut residents and who, during the previous year:
One notable difference between these threshold criteria and those of other state privacy laws is the absence of a revenue criterion. As an example, one of the triggers for being subject to the CPRA is having had $25 million in gross revenue in the preceding calendar year. No such threshold exists with the CTDPA, making it one of the more consumer-friendly state privacy laws.
It’s important to note that the CTDPA does not apply to every organization operating in Connecticut. The law explicitly excludes:
In addition, there are a number of exemptions for personal data maintained in compliance with other privacy laws, such as the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act.
Personal data processed solely for payment transactions is also exempt from the CTDPA. The idea here is that businesses like restaurants, cafes, and the like don’t really process personal data in the same way as, say, digital advertising companies and shouldn’t be regulated in the same way.
The CTDPA was established to ensure businesses protect and ensure the accuracy of Connecticut consumer data.
Controllers, which include the individuals and entities that determine the purpose and means of processing personal data, are required to:
The processing of personal data for targeted advertising.
The sale of personal data, where “sale” is defined as involving a monetary transaction or “other valuable considerations.” This second item is important; it means that even exchanging data for services is regulated.
The processing of personal data for profiling.
The processing of sensitive data.
As is the case with most other state privacy laws, some data is considered more sensitive than others, and requires additional protection.
The Connecticut privacy law defines sensitive data as personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnosis, sex life, sexual orientation or citizenship or immigration status, as well as genetic or biometric data used to identify an individual; children’s information; or precise geolocation data.
When sensitive information is being collected, the CTDPA requires consumers to opt in first. That means businesses cannot collect and process this data without the consumer giving their explicit consent first. Some state laws, like Virginia’s data privacy law, treat sensitive data in the same way. Others, like Utah’s data privacy law, don’t require opt-in consent for sensitive data.
In addition, the law prohibits the use of “dark patterns”—or a user interface designed to subvert or impair a consumer’s decision making—to obtain consent.
The Connecticut Attorney General has the authority to enforce violations and may issue fines of up to $5,000 per violation. Additionally, the Attorney General can issue orders to offenders to prevent them from violating the law, force them to pay restitution to victims, and order disgorgement (which essentially means giving up any profit they accrued from illegal activity).
One unique feature of the CTDPA is its phased approach to its rollout. As time goes on, businesses will slowly have to become compliant with different aspects of the law.
From the Connecticut data privacy law's effective date of July 1, 2023, through December 31, 2024, the Attorney General will issue a notice of violation to a controller, who will have 60 days to cure the violation.
This period of time is meant to give businesses the chance to adjust to the regulation. After January 1, 2025, the Attorney General’s office will no longer offer this 60-day cure period by default. Instead, the Attorney General will evaluate whether a cure period should be offered based on the number of violations, the size and complexity of the controller or processor, and other factors.
At the start of 2025, the law will also require businesses to allow consumers to opt out of targeted advertising or the sale of personal data through universal opt-out mechanisms, like the Global Privacy Control.
The CTDPA is the fifth comprehensive data privacy law, but it’s far from the last. Recently, several other states have passed privacy bills, including Indiana, Iowa, Tennessee, and Montana, with many more states working toward the passage of introduced bills.
If you work at a business that serves markets in multiple states, maintaining compliance with this patchwork of state data privacy laws can be tricky.
Maintaining compliance starts with awareness. Make sure you’re keeping track of laws that may impact your company as they make their way through state legislatures. Subscribing to Osano’s newsletter is a great place to start.
When a new law is passed (but before it takes effect), it’s best to review the text with your legal counsel. They can help you determine if you’re in compliance, and if not, what steps to take.
Finally, consider a Consent Management Platform (CMP), like Osano, which removes the data compliance burden from your team. With customizable consent management, data subject access request automation, and vendor management tools, CMPs are designed to help you get and maintain compliance in an ever-changing data privacy landscape.