Connecticut Data Privacy Act (CTDPA)

Gov. Ned Lamont, D-Conn, signed the Connecticut Data Privacy Act into law on May 10, 2022 making Connecticut the 5th state after California, Virginia, Colorado and Utah to enact a comprehensive consumer privacy act. The law will be in effect from July 1, 2023. CTDPA is drawn heavily from the Colorado’s CPA and Virginia’s CDPA. Many provisions of this law are similar to or fall between the CPA and CDPA, but the few notable distinctions must be taken care of.

The law applies to entities that

Conduct business in Connecticut or produce products or services targeted to Connecticut residents and that during the preceding calendar year, either:

• Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions.
• Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.

CONSUMER

“Consumer” means an individual who is a resident of the state acting in an individual or household context and does not include an individual acting in an employment or commercial context.

SALE OF PERSONAL DATA

“Sale of personal data” means the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

PERSONAL DATA

“Personal data” means information that is linked or reasonably linkable to an identified individual or an identifiable individual. It does not include de-identified data or publicly available information.

CONSENT

“Consent” means a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.

It does not include hovering over, muting, pausing, or closing a given piece of content, or agreement obtained using dark patterns.

Right to Access

A consumer has the right to know whether a controller is processing the consumer’s personal data and access that data.

Right to Correct

It is the consumer’s right to correct any inaccuracies in the consumer’s personal data, considering the nature of that data and its purpose of processing.

Right to Deletion

A consumer has the right to ask for the deletion of their personal data that the consumer provided to the controller.

Right to Data Portability

A consumer has the right to obtain a copy of the consumer’s personal data, that the consumer previously provided to the controller, in a format that is portable, readily usable and allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.

Right to Opt-Out

A consumer has the right to opt out of the processing of the consumer’s personal data for the purpose of targeted advertising, the sale of personal data or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Data Minimization

Controllers must only collect the personal data that is adequate, relevant, and reasonably necessary considering the purposes for which their data is processed as disclosed to the consumer.

Purpose Specification

Controllers should not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.

Transparency

A controller shall provide consumers with reasonably accessible, clear, and meaningful privacy notice that includes:

• The categories and purpose of personal data processed by the controller;
• How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision about the consumer’s request;
• The categories of personal data that the controller shares with third parties, if any;
• The categories of third parties, if any, with which the controller shares personal data; and
• An active electronic mail address that the consumer may use to contact the controller.

Security

The controller must establish, implement, maintain and update reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity and accessibility relevant to the volume and nature of the personal data at issue.

Opt-in Consent

Controllers should not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with Children’s Online Privacy Protection Act.Additionally, controllers are required to “provide an effective mechanism” for consumers to revoke consent that is at least as easy as the mechanism used to provide it.

Non-Discrimination

A controller may not discriminate against a consumer for exercising a right by denying a good or service to the consumer or charging the consumer a different price.

Data protection assessments

Controllers are required to perform and document Data Protection Impact Assessments for each processing activity “that presents a heightened risk of harm” to consumers.

The private right of action is not provided under CTDPA following the steps of other data privacy of US. It offers a 60 days cure period to the Controllers. If the controller fails to cure the violation within 60 days of receiving notice, the attorney general may bring an action. Entities may face civil penalties up to $5,000 per willful violation.

Businesses already complying with these state privacy laws such as California’s CCPA and CPRA, Virginia’s CDPA, Colorado’s CPA, etc. (and/or the GDPR) should be well-positioned for compliance with the CTDPA requirements, including Connecticut’s consent requirement and the data privacy assessments required for certain processing.