Connecticut Data Privacy Act (CTDPA)

What is Connecticut Data Privacy Law

Gov. Ned Lamont, D-Conn, signed the Connecticut Data Privacy Act into law on May 10, 2022 making Connecticut the 5th state after California, Virginia, Colorado and Utah to enact a comprehensive consumer privacy act. The law will be in effect from July 1, 2023. CTDPA (Connecticut data privacy law) is drawn heavily from the Colorado’s CPA and Virginia’s CDPA. Many provisions of this law are similar to or fall between the CPA and CDPA, but the few notable distinctions must be taken care of.

Who must comply with Connecticut Data Privacy Act?

The law applies to entities that:
Conduct business in Connecticut or produce products or services targeted to Connecticut residents and that during the preceding calendar year, either:

Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions.
Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.

Who enforces Connecticut Data Privacy Act (CTDPA)?

The private right of action is not provided under CTDPA (Connecticut Data Protection Act) following the steps of other data privacy of US. It offers a 60 days cure period to the Controllers. If the controller fails to cure the violation within 60 days of receiving notice, the attorney general may bring an action. Entities may face civil penalties up to $5,000 per willful violation.

Connecticut Data Privacy Act (CTDPA) - Mandatly Inc.

Key highlights of CTDPA (connecticut data privacy law):

Personal Data“Personal data” means information that is linked or reasonably linkable to an identified individual or an identifiable individual. It does not include de-identified data or publicly available information.

Consumer RightsThe CTDPA provides the consumer rights, which largely mirror those provided by the CPRA.

Privacy AssessmentsControllers are required to perform and document Data Protection Impact Assessments for each processing activity “that presents a heightened risk of harm” to consumers.

ConsentUnder CTDPA, consent means “a clear affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to allow the processing of personal data relating to the consumer.”

Know the difference between Virginia’s CDPA, CCPA and CPRA?

Download this whitepaper to know more about the key differences between the provisions of Virginia’s new privacy law called CDPA, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).  It provides an overview of each law’s requirements, highlighting their similarities and differences. Although there are some similarities in all the active privacy laws, the framework, and definitions of CDPA carries its unique requirements and guidance.

Download White Paper

Know the difference between Virginias CDPA, CCPA and CPRA - Mandatly Inc.

Consumer Rights under Connecticut Data Privacy Act (CTDPA)

Right to Access
A consumer has the right to know whether a controller is processing the consumer’s personal data and access that data.
Right to Correct
It is the consumer’s right to correct any inaccuracies in the consumer’s personal data, considering the nature of that data and its purpose of processing.
Right to Deletion
A consumer has the right to ask for the deletion of their personal data that the consumer provided to the controller.
Right to Data Portability
A consumer has the right to obtain a copy of the consumer’s personal data, that the consumer previously provided to the controller, in a format that is portable, readily usable and allows the consumer to transmit the data to another controller without impediment, where the processing is carried out by automated means.
Right to Opt-Out
A consumer has the right to opt out of the processing of the consumer’s personal data for the purpose of targeted advertising, the sale of personal data or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Obligations of Controllers

Under the Connecticut Data Privacy Act (CTDPA) compliance, Controllers must follow strict rules to protect people’s information and make sure they’re following the law.

Data Minimization
Controllers must only collect the personal data that is adequate, relevant, and reasonably necessary considering the purposes for which their data is processed as disclosed to the consumer.
Purpose Specification
Controllers should not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.
Transparency
A controller shall provide consumers with reasonably accessible, clear, and meaningful privacy notice that includes:
- The categories and purpose of personal data processed by the controller;
- How consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision about the consumer’s request;
- The categories of personal data that the controller shares with third parties, if any;
- The categories of third parties, if any, with which the controller shares personal data; and
- An active electronic mail address that the consumer may use to contact the controller.
Security
The controller must establish, implement, maintain and update reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity and accessibility relevant to the volume and nature of the personal data at issue.
Opt-in Consent
Controllers should not process sensitive data concerning a consumer without obtaining the consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing such data in accordance with Children’s Online Privacy Protection Act.Additionally, controllers are required to “provide an effective mechanism” for consumers to revoke consent that is at least as easy as the mechanism used to provide it.
Non-Discrimination
A controller may not discriminate against a consumer for exercising a right by denying a good or service to the consumer or charging the consumer a different price.
Data protection assessments
Controllers are required to perform and document Data Protection Impact Assessments for each processing activity “that presents a heightened risk of harm” to consumers.

How Mandatly helps you achieve Connecticut's CTDPA compliance?

Mandatly’s CTDPA compliance solution goes above and beyond automation and includes comprehensive privacy risk management features that enable you to make effective business decisions and eliminate privacy risks.

Consumer RightsEnd-to-end DSAR fulfillment solution with automated identity verification and data discovery to fulfill the consumer request timely, securely, and efficiently.

Data Inventory and MappingMaintain your data sources and map data flows to meet the CTDPA "Lookback" requirements.

Privacy AssessmentsBundled with intelligence to uncover and assess privacy risks that your business can be exposed to.

Privacy NoticesGenerate privacy notices for your website or applications to keep your customers informed about how their Personal Information is collected, processed, and shared.

Do not sell my informationEnables customers to opt-out of the cookie based and non-cookie based sale of personal information.

AnalyticsReporting features are built into the system to get a holistic view of the compliance program for different stakeholders.

Start with our forever free edition

Get Started Free

No credit card required

DSAR Management
Data Subject requests per month	100
Web based intake form	1
Identity verification methods	Manual
Workflow enabled Data discovery and deletion for systems (application, database, website, file system, products etc.)
Automated data discovery and data feeds from systems	Not Included
Secured delivery with configurable expiration days
Standard workflow (configurable) and email integration
Standard notifications and response templates
Reporting and dashboards
Customized workflow and notification
Remove “Mandatly” Branding

Cookie Compliance
Number of Domains (additional cost for multiple domains)	1
Website Scanning (Pages and sub-domains)	Upto 50 pages
Periodic scanning	Manual
Cookie categorization	Automatic
Predefined banners and layouts
Configurable banners and layouts
Configurable consent categories
Unlimited consent records	upto 50000
Multiple language support
Remove “Mandatly” Branding

Data Inventory
Data Asset (application, database, website, file system, products etc.)	25
Processing activites	100
Pre-built data inventory assessment templates
Auto risk detection
Data elements (Predefined and custom)
Standard workflow (configurable), e-mail Integration and notification
Standard notifications and response templates
Reporting and Dashboard
Create you own data inventory assessment templates, Set up risk rules and alerts
Custom workflow and notification
API integration with external systems
Remove “Mandatly” Branding

Intelligent Assessment
Assessments on Processing activities and Data Sources (Application, Database, Website, Manual, Products etc.)	50
Standard Assessment templates (PTA, PIA/DPIA, PbD)
Configure your own assessments and setup up risks and alerts
Integration with Data Inventory to link data sources and processing activities (RoPA)
Standard Workflow, Notification and Email Integration
Reporting and Dashboard
Custom workflow and notification
Risk assessment and Mitigation
Remove “Mandatly” Branding

DSAR Management
Data Subject requests per month	Unlimited
Web based intake form	10
Identity verification methods	Manual Email Verification
Workflow enabled Data discovery and deletion for systems (application, database, website, file system, products etc.)
Automated data discovery and data feeds from systems	Upto 2 systems
Secured delivery with configurable expiration days
Standard workflow (configurable) and email integration
Standard notifications and response templates
Reporting and dashboards
Customized workflow and notification
Remove “Mandatly” Branding

Connecticut Data Privacy Act (CTDPA)

What is Connecticut Data Privacy Law

Who must comply with Connecticut Data Privacy Act?

Who enforces Connecticut Data Privacy Act (CTDPA)?

Key highlights of CTDPA (connecticut data privacy law):

Know the difference between Virginia’s CDPA, CCPA and CPRA?

Consumer Rights under Connecticut Data Privacy Act (CTDPA)

Obligations of Controllers

How Mandatly helps you achieve Connecticut's CTDPA compliance?

Start with our forever free edition

Recent Articles

Texas Data Privacy and Security Act (TDPSA): Everything you need to know

GDPR Compliance Made Easy: Tips for Updating Your Privacy Policy

Navigating GDPR Compliance: A Comprehensive Guide to Cookie Policies

The American Privacy Rights Act of 2024 (APRA)

The Role of Employee Training in GDPR Compliance and Data Security

Explore the Link Between Cybersecurity and GDPR Compliance

Enter your details below to download!

Free

Basic

Professional

Enterprise

Get a Free Demo of Mandatly's

Data Inventory
Data Asset (application, database, website, file system, products etc.)	100
Processing activites	1000
Pre-built data inventory assessment templates
Auto risk detection
Data elements (Predefined and custom)
Standard workflow (configurable), e-mail Integration and notification
Standard notifications and response templates
Reporting and Dashboard
Create you own data inventory assessment templates, Set up risk rules and alerts
Custom workflow and notification
API integration with external systems
Remove “Mandatly” Branding