On May 10, 2022, Connecticut Governor Ned Lamont signed into law an Act Concerning Personal Data Privacy and Online Monitoring ("Connecticut Data Privacy Act", "CTDPA" or the "Act"). Like the California Privacy Rights Act, Colorado Privacy Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act, the Act provides the state's residents with a familiar slate of comprehensive privacy protections and grants them new rights regarding their personal data. At the same time, Connecticut's law adds to America's state-by-state, patchwork approach to data privacy, and increases pressure for a comprehensive privacy bill at the federal level.
Scope and Applicability
Effective July 1, 2023, the CTDPA governs the processing of "personal data" by "controllers" - entities that determine the purpose and means of processing information. Like other state privacy laws, the CTDPA is applicable only to entities that meet certain geographic and processing requirements. Specifically, to be subject to the law, an entity must (1) conduct business in Connecticut or produce products or services targeted to Connecticut residents; and (2) annually process or control the personal data of either (a) at least 100,000 Connecticut residents; or (b) at least 25,000 Connecticut residents, but where the controller derives more than 25% of its gross revenue from the sale of such data.
Notably, the CTDPA introduces two unique features compared to other states' laws: (1) it exempts from its applicability threshold data used solely for the purpose of completing a payment transaction (i.e., such data will not count towards the 100,000-resident threshold); and (2) it does not consider an entity's annual revenue in determining the Act's applicability. The payment transaction exemption was added to address the concerns of restaurants, shops, and similar small businesses that potentially process data from large numbers of residents, but only to fulfill a transaction. It remains to be seen whether future state privacy laws will borrow this provision to protect small businesses.
Otherwise, the CTDPA looks much like other states' laws, providing now-familiar exemptions for: (1) government entities; (2) nonprofit organizations; (3) institutions of higher education; (4) entities registered under the Securities Exchange Act of 1934; (5) financial institutions regulated by the federal Gramm-Leach-Bliley Act; and (6) covered entities or business associates regulated by HIPAA. Moreover, the Act does not apply to information pertaining to employees or business representatives, clinical trial information, and information regulated by the federal Fair Credit Reporting Act, among other exemptions.
Like data privacy laws in effect in other US states and foreign countries, the CTDPA provides consumers a host of rights with respect to their personal data, including:
- Access and Knowledge. Consumers may access their personal data (unless such access would reveal a business's trade secrets), and may request confirmation from controllers whether the controller is processing their personal data.
- Portability. Consumers may obtain a copy of the personal data a controller holds about them in a readily usable format.
- Correction. Consumers may correct inaccuracies in their personal data.
- Deletion. Consumers may request deletion of personal data provided by or obtained about them.
- Opt Out. Consumers may opt out of the processing of their personal data for purposes of (1) targeted advertising; (2) the sale of their personal data (with some exceptions); and (3) profiling in furtherance of certain types of automated decision-making.
Controllers must offer consumers - or their authorized agents - a "secure and reliable" means of exercising their rights and must respond to requests within 45 days.
The CTDPA imposes the following obligations on controllers:
Controllers must provide a privacy notice to consumers that includes a description of the categories of personal data processed, the purpose for processing personal data, the categories of third parties with whom the controller shares personal data, and how consumers can exercise their rights under the CTDPA.
- Purpose Limitation. Controllers must not process personal data for reasons incompatible with the disclosed purposes for which the data was collected, without the consumer's consent.
- Data Minimization. Controllers must limit the collection of personal data to what is adequate and necessary to achieve the purpose for which such data is collected.
- Data Security. Controllers must implement and maintain reasonable administrative, technical, and physical data security controls to safeguard personal data.
- Sensitive Data and Children's Data. Controllers must obtain consumer consent in order to process sensitive data. Regarding children's data, controllers must not process it for the purpose of targeted advertising nor sell it if the consumer is between the ages of 13 and 16, unless the consumer has consented. For children under 13, controllers must process their data in accordance with the Children's Online Privacy Protection Act.
- Opt Out. Controllers must display a clear and conspicuous link on their website that enables a consumer to opt out of targeted advertising or the sale of their personal data. Further, beginning January 1, 2025, controllers' websites must recognize universal opt-out signals.
- Data Protection Assessment. Controllers must conduct a data protection assessment for processing activities presenting heightened risk of harm to consumers, which may include: the sale of personal data, the use of personal data for targeted advertising, and the processing of sensitive data.
Controllers must enter into contracts with processors that set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties, among other provisions. Processors in turn must adhere to controllers' instructions, safeguard personal data, and assist controllers in complying with controllers' obligations under the CTDPA.
The Attorney General of Connecticut will have the exclusive authority to enforce the CTDPA. Transgressions will constitute violations under Connecticut's Unfair Trade Practices Act, for which the Attorney General can issue fines and other penalties. Before January 1, 2025, however, the Attorney General must provide businesses notice and opportunity to cure alleged violations of the Act within 60 days. Like the Utah, Colorado, and Virginia privacy laws (but unlike California's), the CTDPA does not provide consumers with a private right of action.
While it has some new and intriguing elements, the CTDPA closely resembles the privacy laws of California, Colorado, Utah, and Virginia. Businesses that have begun the process of complying with these other laws, or are already CCPA-compliant, should be well-positioned to adhere to the CTDPA's obligations, with certain adjustments.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.