Connecticut Data Privacy Act: What You Need To Know and How To Stay Compliant

Sameer Ahirrao -

Connecticut Data Privacy Act (CTDPA) went into effect on July 1,2023, granting Connecticut residents rights over their personal data and setting privacy protection standards for personal data controllers and processors. Under the law, consumers may obtain a copy of their personal data. They may correct or delete the information and may elect to opt out of personal data processing for purposes such as targeted advertising.

In this article, we will take a closer look at the provisions of the Connecticut Data Privacy Act, the responsibilities of businesses operating in the state, the rights of consumers, and how to stay compliant.

What is the Connecticut Data Privacy Act?

Signed May 10, 2022, the CTDPA gives Connecticut residents more control over their personal data. For the purposes of the act, a consumer is defined as a resident of the state acting on their own behalf not in a commercial or employment context.

The regulation includes many of the same provisions of the data privacy acts in other states, but most closely resembles those in Colorado and Virginia.

Ensuring consumers' rights to the following:

  • Right to access data.
  • Right to correct inaccuracies.
  • Right to delete personal data.
  • Right to obtain a copy of their data in a format that allows them to transmit it to another controller.
  • Right to opt out of the sale and processing of data.

Who Does the CTDPA Apply To?

The act applies to those who conduct business in the state or who produce products or services targeted to Connecticut residents and who, during the previous year:

  • Controlled or processed personal data of 100,000 or more consumers, excluding solely for completing a payment transaction; or
  • Controlled or processed personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

Connecticut Data Privacy Act Exemptions

It’s important to note that the CTDPA does not apply to every organization operating in Connecticut. The law explicitly excludes:

  • State agencies.
  • Nonprofit organizations.
  • Higher education institutions.
  • National securities associations registered under the Securities Exchange Act of 1934.
  • Financial institutions and data subject to the Gramm-Leach-Bliley Act.
  • Covered entities or business associates subject to the Health Insurance Portability and Accountability Act (HIPAA).
  • In addition, there are a number of exemptions for personal data maintained in compliance with other privacy laws, such as the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act.

Personal data processed solely for payment transactions is also exempt from the CTDPA. The idea here is that businesses like restaurants, cafes, and the like don’t really process personal data in the same way as, say, digital advertising companies and shouldn’t be regulated in the same way.

Connecticut Data Privacy Act Regulations

  • The CTDPA was established to ensure businesses protect and ensure the accuracy of Connecticut consumer data.
  • Controllers, which include the individuals and entities that determine the purpose and means of processing personal data, are required to:
  • Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purpose for which it is processed. In other words, you can’t collect more data than you need to accomplish your goal.
  • Create and maintain security practices that protect the confidentiality, integrity and accessibility of data.
  • Obtain consent, including if the collection is for targeted advertising, or in the case of a child, comply with the Children’s Online Privacy Protection Act (COPPA). Like other U.S. privacy laws, the CTDPA is an opt-out law; that means that in most cases, you can process consumers’ data so long as they are informed and have not yet opted out. There are exceptions, however, which we’ll dive into below.
  • Provide a way for consumers to revoke consent “that is at least as easy as the mechanism by which the consumer provided the consumer’s consent,” and cease processing data as soon as practicable (but no later than 15 days after receipt of the request).
  • Provide a privacy notice that is reasonably accessible, clear, and meaningful, and that includes: categories of personal data processed, the purpose for processing personal data, how consumers can exercise their rights, what data is shared with third parties and their categories, and a way to contact the controller.
  • Conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. This includes: 1) The processing of personal data for targeted advertising. 2) The sale of personal data, where “sale” is defined as involving a monetary transaction or “other valuable considerations.” This second item is important; it means that even exchanging data for services is regulated. 3) The processing of personal data for profiling. 4) The processing of sensitive data.

The Connecticut Data Privacy Law and Sensitive Data

As is the case with most other state privacy laws, some data is considered more sensitive than others, and requires additional protection.

The Connecticut privacy law defines sensitive data as personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnosis, sex life, sexual orientation or citizenship or immigration status, as well as genetic or biometric data used to identify an individual; children’s information; or precise geolocation data.

When sensitive information is being collected, the CTDPA requires consumers to opt in first. That means businesses cannot collect and process this data without the consumer giving their explicit consent first. Some state laws, like Virginia’s data privacy law, treat sensitive data in the same way. Others, like Utah’s data privacy law, don’t require opt-in consent for sensitive data.

In addition, the law prohibits the use of “dark patterns” or a user interface designed to subvert or impair a consumer’s decision making to obtain consent.

CTDPA Enforcement and Penalties for Violations

The Connecticut Attorney General has the authority to enforce violations and may issue fines of up to $5,000 per violation. Additionally, the Attorney General can issue orders to offenders to prevent them from violating the law, force them to pay restitution to victims, and order disgorgement (which essentially means giving up any profit they accrued from illegal activity).

One unique feature of the CTDPA is its phased approach to its rollout. As time goes on, businesses will slowly have to become compliant with different aspects of the law.

From the Connecticut data privacy law's effective date of July 1, 2023, through December 31, 2024, the Attorney General will issue a notice of violation to a controller, who will have 60 days to cure the violation.

This period of time is meant to give businesses the chance to adjust to the regulation. After January 1, 2025, the Attorney General’s office will no longer offer this 60-day cure period by default. Instead, the Attorney General will evaluate whether a cure period should be offered based on the number of violations, size and complexity of controller or processor, and other factors.

About Ardent Privacy:

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with various global regulations by taking a data centric approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, data inventory, data mapping, data minimization, and securely delete data in enterprises to reduce legal and financial liability.