Connecticut Data Privacy Act (CTDPA)

Connecticut Data Privacy Act (CTDPA) - Mandatly Inc.

Gov. Ned Lamont, D-Conn, signed the Connecticut Data Privacy Act into law on May 10, 2022 making Connecticut the 5th state after California, Virginia, Colorado and Utah to enact a comprehensive consumer privacy act. The law will be in effect from July 1, 2023. CTDPA is drawn heavily from the Colorado’s CPA and Virginia’s CDPA. Many provisions of this law are similar to or fall between the CPA and CDPA, but the few notable distinctions must be taken care of.

CTDPA Applicability

The law applies to entities that

Conduct business in Connecticut or produce products or services targeted to Connecticut residents and that during the preceding calendar year, either:

  • Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions.
  • Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.

CTDPA Important terms

CONSUMER

“Consumer” means an individual who is a resident of the state acting in an individual or household context and does not include an individual acting in an employment or commercial context.

SALE OF PERSONAL DATA

“Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

PERSONAL DATA

“Personal data” means information that is linked or reasonably linkable to an identified individual or an identifiable individual. It does not include de-identified data or publicly available information.

CONSENT

“Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.

It does not include hovering over, muting, pausing, or closing a given piece of content, or agreement obtained using dark patterns.

Consumer rights Under CTDPA

Right to Access

A consumer has the right to know whether a controller is processing the consumer’s personal data and access that data.

Right to Correct

It is the consumer’s right to correct any inaccuracies in the consumer’s personal data, considering the nature of that data and its purpose of processing.

Right to Deletion

A consumer has the right to ask for the deletion of their personal data that the consumer provided to the controller.

Right to Data Portability

A consumer has the right to obtain a copy of the consumer’s personal data, that the consumer previously provided to the controller, in a format that is portable, readily usable and allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.

Right to Opt-Out

A consumer has the right to opt out of the processing of the consumer’s personal data for the purpose of targeted advertising, the sale of personal data or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Obligations of Controllers

Data Minimization

Controllers must only collect the personal data that is adequate, relevant, and reasonably necessary considering the purposes for which their data is processed as disclosed to the consumer.

Purpose Specification

Controllers should not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.

Transparency

A controller shall provide consumers with reasonably accessible, clear, and meaningful privacy notice that includes:

  • The categories and purpose of personal data processed by the controller;
  • How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision about the consumer’s request;
  • The categories of personal data that the controller shares with third parties, if any;
  • The categories of third parties, if any, with which the controller shares personal data; and
  • An active electronic mail address that the consumer may use to contact the controller.

Security

The controller must establish, implement, maintain and update reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity and accessibility relevant to the volume and nature of the personal data at issue.

Opt-in Consent

Controllers should not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with Children’s Online Privacy Protection Act.Additionally, controllers are required to “provide an effective mechanism” for consumers to revoke consent that is at least as easy as the mechanism used to provide it.

Non-Discrimination

A controller may not discriminate against a consumer for exercising a right by denying a good or service to the consumer or charging the consumer a different price.

Data protection assessments

Controllers are required to perform and document Data Protection Impact Assessments for each processing activity “that presents a heightened risk of harm” to consumers.

Enforcement

The private right of action is not provided under CTDPA following the steps of other data privacy of US. It offers a 60 days cure period to the Controllers. If the controller fails to cure the violation within 60 days of receiving notice, the attorney general may bring an action. Entities may face civil penalties up to $5,000 per willful violation.

Conclusion

Businesses already complying with these state privacy laws such as California’s CCPA and CPRA, Virginia’s CDPA, Colorado’s CPA, etc. (and/or the GDPR) should be well-positioned for compliance with the CTDPA requirements, including Connecticut’s consent requirement and the data privacy assessments required for certain processing.

Download free resource on California CCPA, Virginia CDPA, Colorado CPA and CPRA. - Mandatly Inc.

Related Blogs

Cookie Consent Solutions for GDPR & CCPA Compliance20240708043627

Cookie Consent Solutions for GDPR & CCPA Compliance

The Role of Cookie Consent Solutions in GDPR and CCPA ComplianceIn today's digital landscape, data privacy regulations like t...
GDPR Compliance Made Easy: Tips for Updating Your Privacy Policy20240524035956

GDPR Compliance Made Easy: Tips for Updating Your Privacy Policy

GDPR Compliance Made Easy: Tips for Updating Your Privacy PolicyIntroductionIn an era where data privacy is paramount, ensuri...
Navigating GDPR Compliance: A Comprehensive Guide to Cookie Policies20240513042210

Navigating GDPR Compliance: A Comprehensive Guide to Cookie Policies

Navigating GDPR Compliance: A Comprehensive Guide to Cookie PoliciesIn an era marked by increasing concerns over data privacy...
Data Mapping Requirement for CPRA & CCPA Compliance20240501045009

Data Mapping Requirement for CPRA & CCPA Compliance

Data Mapping Requirement for CPRA & CCPA ComplianceWhat are the CPRA Data Mapping Requirements?The California Consumer Pr...
The Role of Employee Training in GDPR Compliance and Data Security20240205100131

The Role of Employee Training in GDPR Compliance and Data Security

The Role of Employee Training in GDPR Compliance and Data SecurityOverview: GDPR Training For EmployeesIn today's rapidly evo...
Explore the Link Between Cybersecurity and GDPR Compliance20240201044003

Explore the Link Between Cybersecurity and GDPR Compliance

The Intersection of GDPR & CybersecurityWhat is GDPR?Enforced since May 2018, GDPR is a comprehensive set of regulations ...
International Data Transfers: Understanding Legal Frameworks20240125043450

International Data Transfers: Understanding Legal Frameworks

Cross Border Data Transfer & Legal FrameworkA Legal Framework For Data ProtectionBefore delving into the legal mechanisms...
EU-U.S. Data Privacy & GDPR: A Symbiotic Bond20240110045117

EU-U.S. Data Privacy & GDPR: A Symbiotic Bond

The GDPR and the EU-US Data Privacy Framework: A Symbiotic RelationshipEU-US Data Privacy Shield FrameworkThe EU US Data Priv...
PIA Software: Streamlining Privacy Impact Assessments20231229045248

PIA Software: Streamlining Privacy Impact Assessments

Conducting Privacy Impact Assessments with PIA Software: Benefits and Best PracticesAbout Privacy Impact AnalysisIn today's d...
Getting Started with Privacy Impact Assessment (PIA) Software20231221064257

Getting Started with Privacy Impact Assessment (PIA) Software

Getting Started with PIA Software: Step-by-Step Implementation GuideIntroductionPrivacy Impact Assessment (PIA) software has ...
LGPD Compliance: Checklist & Best Practices20231109071852

LGPD Compliance: Checklist & Best Practices

Preparing for LGPD: Compliance Checklist and Best PracticesOverview Of LGPDThe LGPD, or Brazil's General Data Protection Law,...
Brazilian Data Protection Law (LGPD)20231030043222

Brazilian Data Protection Law (LGPD)

Data Subject Rights Under LGPD Access, Rectification, and ErasureIntroductionThe LGPD, or the Brazilian General Data Protecti...
Brazils’ LGPD Compliance Guide You Must Read20231025062215

Brazils’ LGPD Compliance Guide You Must Read

Everything You Need to Know About Brazil LGPD: Penalty For Non-Compliance of LGPDWhat is Brazil’s LGPD?The LGPD, or Lei Geral...
Key GDPR Compliance Privacy Software Features20230906043009

Key GDPR Compliance Privacy Software Features

5 Key Features to Look for in Privacy Management Software for GDPR ComplianceAbout The Features Of GDPR Management Compliance...
Virginia Consumer Data Protection Act – All about CDPA20230104044820

Virginia Consumer Data Protection Act – All about CDPA

Virginia Consumer Data Protection Act – All about CDPAWhat is VCPDA?The Virginia Consumer Data Protection Act CDPA is a...
Difference between CDPA, CCPA, CPRA and CPA20210722111718

Difference between CDPA, CCPA, CPRA and CPA

Difference between CDPA, CCPA, CPRA and CPAUnderstanding CDPA, CPA, CCPA & CPRAOn March 2, 2021, Governor Ralph Northam s...
Colorado Privacy Act (CPA)20210713052349

Colorado Privacy Act (CPA)

Colorado Privacy Act (CPA)Colorado is officially the third U.S state to adopt privacy legislation, after California and Virgi...
CDPA, CCPA and CPRA : Key Difference & Similarities20210705113837

CDPA, CCPA and CPRA : Key Difference & Similarities

CDPA, CCPA and CPRA : Key DifferencesAll About California’s CDPA, CPRA VS CCPAOn March 2, 2021, Governor Ralph Northam signed...