Connecticut Data Privacy Act: What Businesses Need to Know
This new law is not dramatically different from the other U.S. state data privacy laws, but the distinctions are worth knowing for compliance efforts.
After the Connecticut General Assembly passed the bill in April 2022, Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring into law on May 10th, 2022. Connecticut is the fifth state to enact comprehensive consumer privacy legislation, after California, Virginia, Colorado, and Utah.
The Connecticut Data Privacy Act (CTDPA, enacted as Connecticut Senate Bill 6) takes effect on July 1st, 2023. It applies to persons who conduct business in Connecticut, or who produce products or services targeted to Connecticut residents, and who during the preceding calendar year either controlled or processed the personal data of at least 100,000 consumers, or controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
If you want to ensure that your business is compliant with this new data privacy law, take a look at our in-depth guide to the scope, consumer rights, compliance obligations, and exemptions of the Connecticut Data Privacy Act below.
The Connecticut law follows the same basic model as the Virginia and Colorado statutes, with a few key differences. It applies to entities that do business in Connecticut, or produce products or services targeted to Connecticut residents, and that met one of the two applicability thresholds above (100,000 consumers, or 25,000 consumers plus more than 25% of gross revenue from data sales) during the preceding calendar year.
The law's reach is somewhat broader than Virginia's and slightly narrower than Colorado's: its 25% data-sales revenue threshold falls between Virginia's (50 percent of gross revenue from data sales) and Colorado's (any revenue, or any discount on goods or services, from data sales). It is also worth noting that, when counting consumers toward the 100,000 threshold, the law expressly excludes personal data controlled or processed solely for the purpose of completing a payment transaction. As a result, a business whose only handling of personal data is accepting debit or credit cards to complete a sale will not reach that threshold on those transactions alone.
The Connecticut statute contains no annual revenue threshold. In practice, this means that, unlike under the California Consumer Privacy Act, an entity is not subject to the law solely because of its annual revenue, and an entity need not exceed any yearly revenue figure to be covered. A few definitions are crucial when evaluating the act's scope. It defines "consumer" as a Connecticut resident and, like Virginia, Colorado, and Utah, expressly excludes individuals acting in a commercial or employment context. As a result, when entities analyze whether the law applies to them, the personal data of such individuals can be left out of the consumer count.
Furthermore, the law defines "sale of personal data" as the exchange of personal data by a controller to a third party for monetary or other valuable consideration. Unlike Virginia and Utah, which define a sale as an exchange of personal data for monetary consideration only, the statute follows the CCPA and Colorado definitions, which also cover exchanges for other valuable consideration. The definition also expressly excludes certain disclosures, mirroring the Colorado statute almost exactly: disclosures to a processor or to an affiliate of the controller, disclosures of personal data that the consumer directs the controller to make, and so on.
The Connecticut statute, like Virginia's and Colorado's, expressly excludes de-identified data and publicly available information from the definition of "personal data." "Publicly available information" means information that a controller has a reasonable basis to believe a consumer has lawfully made available to the general public, whether through government records or through widely distributed media.
In short, the CTDPA closely resembles the California Consumer Privacy Act (as amended by the CPRA), the Colorado Privacy Act, the Virginia Consumer Data Protection Act, and the Utah Consumer Privacy Act. It adopts the broad definition of "sale" used by the CPA and the CPRA, which covers the exchange of personal data for monetary or other valuable consideration. Beginning January 1st, 2025, the CTDPA will require controllers to honor opt-out preference signals sent through a universal opt-out mechanism, following the lead of the CPA. Like the CPRA, the CTDPA does not require controllers to authenticate opt-out requests. Like the CPA and the CPRA, it prohibits obtaining consent through dark patterns.
The CTDPA requires controllers to obtain parental consent before collecting personal data from a known child, as the CPA and VCDPA also require. The CTDPA also joins the CPRA, VCDPA, and CPA in requiring controllers to conduct data protection assessments before engaging in processing activities that present a heightened risk of harm to consumers. Although the CTDPA initially gives controllers a chance to cure violations, that right expires on December 31st, 2024. Like the other current U.S. state privacy laws, the CTDPA provides no private right of action; the Connecticut Attorney General has exclusive authority to enforce the statute.
Controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed, as disclosed to the consumer; the CCPA and the Virginia and Colorado laws impose the same data minimization requirement.
Controllers may not process personal data for purposes that are neither reasonably necessary for nor compatible with the disclosed purposes for which the data is processed, unless an exception applies, such as obtaining the consumer's consent.
The requirements for responding to consumer requests closely track Virginia's and Colorado's. Controllers must respond without undue delay, and no later than 45 days after receiving the request, with one 45-day extension available where reasonably necessary. Controllers must provide a conspicuously available appeal process that consumers can use, within a reasonable period, to challenge a refusal to act on a request. Within 60 days of receiving an appeal, the controller must inform the consumer in writing of any action taken or not taken in response, as Virginia law also requires. If the appeal is denied, the controller must give the consumer an online mechanism or other method to contact the attorney general and submit a complaint.
The legislation, like most of its predecessors, requires a contract between a controller and a processor to govern the processing the processor performs on the controller's behalf. The contract must set out the processing instructions, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties.
Controllers must conduct and document a data protection assessment for each processing activity that presents a heightened risk of harm to consumers.
Controllers must also establish, implement, and maintain reasonable administrative, technical, and physical data security practices, appropriate to the volume and nature of the personal data at issue, to protect the confidentiality, integrity, and availability of personal data.
The legislation prohibits controllers from processing sensitive data without the consumer's consent. Personal data collected from a known child (an individual the controller knows is under the age of 13) is "sensitive data" and must be processed in accordance with the Children's Online Privacy Protection Act. Consent must be freely given, specific, informed, and unambiguous, and it cannot be obtained through dark patterns. Controllers must also provide an effective mechanism for revoking consent that is at least as easy as the mechanism used to give it, and must stop processing the data as soon as practicable, and no later than 15 days, after receiving the revocation.
Controllers may not discriminate against consumers for exercising any of their rights, whether by denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services.
Connecticut's legislation, like its predecessors, requires controllers to provide consumers with a privacy notice that is reasonably accessible, clear, and meaningful.
The following rights are provided to consumers under this new act:
Before building a compliance program, check whether an exemption applies: certain categories of entities and data are excluded from the law's requirements. The following six categories of entities are exempt from the legislation regardless of whether the data they collect and process would otherwise be covered:
The act also exempts sixteen categories of data, including protected health information under HIPAA and data regulated by the Fair Credit Reporting Act, the Driver's Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act. Data about individuals acting as employees or job applicants is likewise excluded.
The statute, like Virginia's, Colorado's, and Utah's, provides no private right of action, and, like Virginia's, vests enforcement solely in the attorney general. Before bringing an action, the attorney general must notify the controller of the violation. The controller then has 60 days to cure the violation, as in Colorado, which is double the 30-day cure period under the California, Utah, and Virginia laws. As in Colorado, the right to cure sunsets on January 1st, 2025, after which the attorney general has discretion whether to grant an opportunity to cure.
A violation of the law is an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA). As a result, civil penalties of up to $5,000 per willful violation may be imposed, and the attorney general may also seek equitable remedies under CUTPA, including restitution, disgorgement, and injunctive relief.