On Tuesday, May 10, 2022, Connecticut Governor Ned Lamont signed into law “An Act Concerning Personal Data Privacy and Online Monitoring,” making Connecticut the fifth state to enact consumer data privacy legislation. The statute, which is being referred to as the Connecticut Data Privacy Act (CTDPA), takes effect on July 1, 2023. Here is what companies controlling or processing consumer information should understand about the CTDPA as they begin to prepare for compliance.

Key Takeaways

  1. The CTDPA generally applies to businesses that control or process personal data, including sensitive data, which are each broadly defined.
  2. Nonprofits, institutions of higher education, certain financial institutions, and Health Insurance Portability and Accountability Act (HIPAA)-covered entities and business associates are excluded, along with certain classifications of data, including de-identified data and data already protected by various federal laws.
  3. Consumers have rights to access, delete, correct, and obtain copies of their personal data, and can opt out of targeted advertising, profiling, and sale of their personal data.
  4. Businesses subject to the CTDPA must be in compliance by July 1, 2023.

Who and What are Covered?

The CTDPA applies to any person or company conducting business in Connecticut or producing products or services targeted to residents of Connecticut, provided that, during the preceding calendar year, the entity either: (i) controlled or processed the personal data of at least 100,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or (ii) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of its gross revenue from the sale of personal data.

“Personal Data” is broadly defined and means any information linked or reasonably linkable to an identified or identifiable individual. “Sensitive Data” is personal data that includes racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, genetic or biometric data, personal data collected from a known child, or precise geolocation data.

There are several significant exceptions to the general rule above. The CTDPA does not apply to Connecticut governmental agencies, nonprofit organizations, institutions of higher education, national securities associations registered under the Securities Exchange Act, financial institutions subject to the Gramm-Leach-Bliley Act, or covered entities or business associates under HIPAA. In addition to these excluded entities, there are 16 excluded classifications of data, which include health care and clinical research data, consumer credit information subject to the Fair Credit Reporting Act (FCRA), and data regulated by the Family Educational Rights and Privacy Act (FERPA).

Consumer Rights

Beginning on July 1, 2023, consumers have the right to do the following:

  • Access their personal data and confirm whether it is being processed;
  • Correct inaccuracies in their personal data;
  • Delete personal data provided by or obtained about them;
  • Obtain a copy of their personal data in a portable, readily usable, and transmissible format; and
  • Opt out of the processing of their personal data for the purposes of targeted advertising, sale, or profiling.

Obligations of Businesses

When the CTDPA takes effect on July 1, 2023, any business that determines the purpose and means of processing personal data is considered a “controller,” and must (among other requirements):

  • Limit its collection of personal data to what is adequate, relevant, and reasonably necessary to accomplish the purpose for which it will be processed;
  • Obtain consent from the consumer before processing any sensitive data or before processing personal data for purposes inconsistent with what has been disclosed to the consumer;
  • Obtain consent before selling the personal data of, or processing the personal data for targeted advertising to, a consumer the business knows to be at least 13 but younger than 16 years of age (the age-based consent requirement applies to both sale and targeted advertising);
  • Implement administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
  • Allow a consumer to revoke consent in a manner at least as easy as the one used to give the original consent, and stop processing the affected personal data as soon as practicable and in any event no later than 15 days after receipt of the revocation;
  • Provide a clear and meaningful privacy notice addressing the categories of data processed, the purpose for processing such data, procedures for consumers to exercise their rights (including an appeal process), the categories of personal data shared with third parties, and the categories of third parties with whom the personal data are shared;
  • Clearly and conspicuously disclose whether personal data is sold or processed for targeted advertising along with the process for a consumer to opt out;
  • Ensure any third parties processing personal data on its behalf are bound by the terms of a contract governing data processing procedures;
  • Conduct and document data protection assessments for each of its activities presenting a heightened risk of harm to a consumer, including targeted advertising, sale of personal data, and the processing of sensitive data; and
  • No later than January 1, 2025, implement the capacity for a consumer to opt out of any processing of personal data for purposes of targeted advertising or sale through an opt-out preference signal, such as a plugin, extension, browser setting or other mechanism that communicates or signals the consumer's choice to opt out.
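The last obligation is the one a web engineering team will actually implement in code, so here is an added illustration that is not part of the original article. It assumes the opt-out preference signal is Global Privacy Control (GPC), a browser setting that sends the request header `Sec-GPC: 1`; the statute does not name a specific signal, so GPC, the purpose labels, the `stored_opt_out` account flag and the sample requests are all assumptions or constructed inputs. The example only removes the two purposes the opt-out signal covers on the page (targeted advertising and sale) and leaves other processing untouched.

```python
"""Honor a browser opt-out preference signal on inbound HTTP requests.

Added example (not the article's or the statute's text). Assumes the
signal is Global Privacy Control, i.e. the request header `Sec-GPC: 1`.
Purpose names and the `stored_opt_out` flag are hypothetical labels.
"""

# Purposes a browser opt-out signal must switch off; profiling is opted
# out through the controller's own process, not this signal.
SIGNAL_OPT_OUT_PURPOSES = frozenset({"targeted_advertising", "sale"})


def opt_out_signal_present(headers: dict) -> bool:
    """Return True when the request carries Sec-GPC: 1.

    Header names are case-insensitive, so compare them lowercased.
    GPC defines "1" as the only opt-out value; anything else (including
    "0" or an absent header) means no signal was sent.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


def allowed_purposes(headers: dict, requested: set, stored_opt_out: bool = False) -> tuple:
    """Split the requested processing purposes into (allowed, blocked).

    `stored_opt_out` is a hypothetical account-level flag set when the
    consumer opted out through the site's own process; either that flag
    or the browser signal blocks targeted advertising and sale.  Other
    purposes (e.g. fraud prevention, analytics) are not affected.
    """
    requested = frozenset(requested)
    if not (stored_opt_out or opt_out_signal_present(headers)):
        return requested, frozenset()
    blocked = requested & SIGNAL_OPT_OUT_PURPOSES
    return requested - blocked, blocked


def summarize(headers: dict, requested: set, stored_opt_out: bool = False) -> str:
    """One-line audit string suitable for a processing log."""
    allowed, blocked = allowed_purposes(headers, requested, stored_opt_out)
    return "signal=%s allowed=%s blocked=%s" % (
        opt_out_signal_present(headers),
        ",".join(sorted(allowed)) or "-",
        ",".join(sorted(blocked)) or "-",
    )


if __name__ == "__main__":
    # Constructed sample requests; none were captured from real traffic.
    samples = [
        ({"User-Agent": "demo", "Sec-GPC": "1"}, {"targeted_advertising", "sale", "fraud_prevention"}),
        ({"User-Agent": "demo", "sec-gpc": "0"}, {"targeted_advertising", "fraud_prevention"}),
        ({"User-Agent": "demo"}, {"sale", "fraud_prevention"}),
    ]
    for hdrs, purposes in samples:
        print(summarize(hdrs, purposes))
```

Design note: the decision is keyed on the exact value `1` rather than on the header's mere presence, and the check is done on every request rather than cached per session, so a consumer who turns the setting on mid-session is honored on the next request without waiting for a revocation workflow.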

What's Next?

Connecticut has joined four other states in enacting personal data protection laws, and several proposed privacy laws remain pending in other states. While the five current state privacy laws share many features, their differences will inevitably create operational complexity for businesses that must comply with more than one. Adding to that complexity, the CTDPA defines and uses the term “personal data” differently from the way the term “personal information” is used in Connecticut's existing cybersecurity and breach notification statutes, so a data inventory built for breach notification purposes will not necessarily capture everything the CTDPA covers. Businesses subject to the CTDPA and other states' privacy laws should therefore begin implementing or re-evaluating their privacy notices and data governance policies and procedures, and devising a compliance strategy.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.