The privacy landscape in the U.S. is slowly getting more complex as Connecticut officially becomes the fifth state to enact a comprehensive consumer privacy regulation. On May 10, 2022, the Connecticut governor signed An Act Concerning Personal Data Privacy and Online Monitoring into law, otherwise known as the Connecticut Data Privacy Act (CTDPA). The CTDPA shares many similarities with the privacy laws of four other states (California, Virginia, Colorado, and Utah), but has the most in common with Virginia’s CDPA and Colorado’s CPA, which tend to be more consumer-oriented. The CTDPA is set to go into effect on July 1, 2023, alongside the new Colorado privacy law.
Let’s take a closer look at the key provisions of the Connecticut Data Privacy Act and how this new law compares to its four predecessors.
Key Provisions of the CTDPA
Here’s a breakdown of the CTDPA and how its requirements compare to privacy laws in California, Virginia, Colorado, and Utah.
The CTDPA applies to individuals and entities that conduct business in the state or produce products or services targeted to Connecticut residents. Organizations fall under the scope of the CTDPA if they meet one of the following threshold requirements:
- They control or process the personal data of at least 100,000 consumers (excluding data controlled or processed solely for the purposes of completing a payment transaction).
- They derive over 25% of their gross revenue from the “sale” of personal data and control or process the personal data of 25,000 or more consumers.
Unlike the CCPA, CPRA, and UCPA, the CTDPA does not require an annual gross revenue threshold of $25 million to be included in the scope of the law. Additionally, the 25% revenue threshold for personal data sales is 25% lower than the threshold in the four state laws with a similar test (i.e., CDPA, UCPA, CCPA, and CPRA). Due to this difference, more companies are likely to find themselves within the scope of the CTDPA.
Almost identical to most of the other state privacy laws, personal data under the CTDPA is defined as “any information that is linked or reasonably linkable to an identified or identifiable individual.” The law excludes deidentified or publicly available information from its definition of personal data, same as the UCPA and CPRA. The CTDPA also exempts any information lawfully made available through government records or widely distributed media, as well as information that a controller has a reasonable basis to believe that a consumer has lawfully made available to the public. The Colorado law does not exempt this type of information.
Sale of Personal Data
According to the CTDPA, a sale of personal data occurs when personal data is exchanged for monetary or other valuable consideration. By including information that is exchanged for “other valuable consideration,” the definition mimics that of the CCPA, CPRA, and CPA.
The CTDPA excludes certain types of disclosures from the definition of sale, which include disclosures to processors and a controller's affiliates, disclosures to a third party for the purpose of providing products or services requested by the consumer, disclosures directed by the consumer, and disclosures or transfers as part of a merger and other acquisitions where the third party assumes control of all or part of the business’ assets.
As with the other state privacy laws, the CTDPA provides consumers with a number of rights regarding their personal data.
Right to Access.
Consumers have the right to confirm if a controller is processing their personal data and access the personal data that a controller is processing about them.
Right to Delete.
Consumers have the right to delete the personal data provided by or obtained about them.
Right to Correction.
Consumers have the right to correct the inaccuracies in their personal data. The UCPA is currently the only law to not have this consumer right.
Right to Data Portability.
Consumers have the right to obtain a copy of their personal data from the controller in a portable and readily usable format that allows them to transfer the data to another entity or platform.
Right to Opt-Out.
Consumers have the right to opt out of the processing of their personal data for purposes of:
- Targeted advertising
- The sale of personal data
- Profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer
Although the UCPA does not offer the right to opt out of profiling, the CDPA and CPA include all three of these opt-out rights. The CTDPA also grants consumers the ability to designate another person as an authorized agent to exercise the right to opt out on their behalf, as do the CCPA and CPA.
For each consumer request, controllers have 45 days to respond, and an additional 45-day extension is available if reasonably necessary for the business to comply – a process identical to the CDPA and UCPA. Consumers have the right to request information free of charge once during any 12-month period, after which businesses can charge a fee or decline to fulfill requests that are “unfounded, excessive, or repetitive.” If a controller cannot authenticate a consumer's identity, the controller can decline to comply with the consumer's request, but it must send a notice stating why it will not comply. Controllers do not, however, need to authenticate a consumer’s identity in order to address opt-out requests.
Sensitive Data and Consent
Sensitive data under the CTDPA refers to personal data revealing racial or ethnic origins, religious beliefs, sexual orientation, citizenship or immigration status, health and medical treatment or conditions, genetic or biometric data used to identify individuals, specific geolocation data, and personal data collected from a known child. Similar to the CDPA and CPA (and unlike the UCPA), the CTDPA requires opt-in consent for the collection and processing of sensitive data. Consent from a consumer must be “freely given, specific, informed, and unambiguous,” and may include a written statement or any other unambiguous affirmative action. Like the CPA and CPRA, the CTDPA also prohibits the use of dark patterns to obtain consent.
Data Protection Assessment
Connecticut joins the California, Virginia, and Colorado state privacy laws in requiring that controllers conduct a data protection assessment prior to engaging in data processing activities that present a heightened risk of harm to consumers. Activities that would require a data protection assessment include:
- The sale of personal data
- The processing of personal data for targeted advertising
- Profiling that presents certain risks to the consumer
- The processing of sensitive data
The CTDPA requires that these data protection assessments be made available to the Connecticut Attorney General only upon request, unlike the CPRA, which requires businesses to submit mandatory risk assessments to California regulators on a regular basis.
Processing Obligations for Controllers
The processing obligations for controllers under the CTDPA closely resemble those found in the CDPA, CPA and UCPA, with a few additional obligations.
- Transparency: Controllers must provide consumers with a reasonably clear and meaningful privacy notice that includes: 1) the categories of personal data processed by the controller; 2) the purposes for processing; 3) how consumers can exercise the rights granted by the CTDPA, including how to appeal a rejected consumer request; 4) the categories of personal data that the controller shares with third parties; and 5) the controller’s email address or another online contact mechanism. The privacy notice must also contain a description of how a consumer can submit a consumer rights request.
- Security: Controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices. These practices must safeguard the confidentiality, accessibility, and integrity of a consumer’s personal data.
- Nondiscrimination: A controller is prohibited from processing personal data in violation of federal and state anti-discrimination laws. Consumers cannot be discriminated against for exercising their rights; however, if a consumer’s decision to opt out conflicts with their privacy settings or a rewards or discount program, a controller can provide a notice to confirm the consumer’s selection.
- Data Minimization: A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purpose of processing the data.
- Revocable Consent: Controllers must provide consumers with an effective method to revoke consent. Upon revocation, the controller must cease processing the data within 15 days after receipt of the request.
Processing Obligations for Processors
Like other comprehensive state privacy regulations, the CTDPA requires a contract between controllers and processors that governs and specifies the obligations of the processor. Like the CPA, the Connecticut law requires processors to perform audits and gives controllers the opportunity to object to certain subcontractors.
Just like Virginia, Colorado, and Utah, the CTDPA does not include a private right of action in its law. The Connecticut Attorney General has exclusive enforcement authority to levy fines and penalties under the Connecticut Unfair Trade Practices Act (CUTPA), which can carry fines up to $5,000 per violation ($2,500 less than that of the CCPA and CDPA).
While the CTDPA is set to go into effect July 1, 2023, there is a grace period until December 31, 2024, for enforcement actions. During this time, the Attorney General must provide businesses with notice of alleged violations and give them a 60-day period to cure any such violation. On January 1, 2025, the right to cure will sunset, and the Attorney General will have the option to grant certain controllers and processors a right to cure, considering the following factors:
- The number of violations
- The controller or processor’s size and complexity
- The nature and extent of the processing
- The substantial likelihood of injury to the public
- The safety of persons or property
- Whether the alleged violation was caused by a human or technical error
The privacy laws in Virginia and Utah do not have an expiration date for the right to cure periods.
The CTDPA contains a number of entities and data that are exempted from its scope, including:
- State and local governments
- Higher education institutions
- National securities associations registered under the SEC Act of 1934
- Financial institutions and data subject to the Gramm-Leach-Bliley Act (GLBA)
- Covered entities and business associates as defined by the Health Insurance Portability and Accountability Act (HIPAA)
Specific information regulated by HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act, and specific employee and job applicant data are also exempt.
As with all of the existing U.S. state privacy laws, the CTDPA also goes into effect in 2023, giving organizations roughly a year to comply. With five new privacy laws to comply with, 2023 will be a busy compliance year for organizations. Although most of the CTDPA’s requirements are similar to the other four laws, it has some provisions that will require additional time and consideration. And with more states passing their own privacy legislation, delaying any compliance efforts could prove challenging as we move closer to the impending 2023 deadlines.