The new Connecticut data privacy law, inconveniently titled "An Act Concerning Personal Data Privacy and Online Monitoring" (hereinafter referred to as "CPDPA"), was signed into law on Tuesday, May 10, 2022 and will have an effective date of July 1, 2023. The CPDPA is moderately similar to both the Colorado Privacy Act (the "CPA") and the Virginia Consumer Data Privacy Act ("VCDPA"), with only a few minor differences.
The CPDPA applies to businesses that conduct business in the state of Connecticut or produce products or services targeted to residents of Connecticut and that, during the prior calendar year, controlled or processed the personal data of:
- at least 100,000 consumers or
- not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
Note this requirement is different from both the CPA and VCDPA—where the CPA has no percent of gross revenue requirement, and the VCDPA requires more than 50% of gross revenue to be derived from the sale of personal data.
Similar to the CPA and VCDPA, the CPDPA grants to consumers six identical rights (the right to confirm, access, correct, delete, obtain a copy, and opt-out of the processing of personal data for the purpose of targeted advertising, the sale of consumer data, and profiling), and prohibits the processing of sensitive data without affirmative consumer consent.
Like all prior state data privacy laws, consumers have the ability to exercise their rights under the CPDPA by submitting a consumer request to businesses. This process is largely similar to that of Virginia and Colorado, including the right to appeal a business's denial of such request. However, the CPDPA does not allow a business to extend an appeal deadline, unlike both the VCDPA and the CPA.
Similar to the CPA, the CPDPA requires businesses to adopt a technical opt-out mechanism. However, while the CPA delegated authority to the Colorado Attorney General to promulgate relevant rules regarding the technical specifications, the CPDPA outlines such requirements. No later than January 1, 2025, the business must allow a consumer to opt out of any processing of the consumer's personal data through an opt-out preference signal sent by a platform, technology, or other mechanism to the controller. Such signal must be sent with the consumer's consent, and must indicate the consumer's intent to opt out of any such processing or sale. The CPDPA provides specific requirements for the platform, such as not making use of a default setting and being as consistent as possible with any other similar platform required by any federal or state law.
Notably, a business may deny a consumer opt-out request under certain circumstances. While most state data privacy laws grant a similar right to businesses concerning consumer requests, Connecticut is the only state to grant such right concerning opt-out requests.
As with the CPA and VCDPA, data protection assessments are required in certain circumstances, and there must be a binding contract between a controller and processor to govern any data processing.
The CPDPA does not have a private right of action—the Connecticut Attorney General has exclusive enforcement authority. From July 1, 2023 to December 31, 2024, the Attorney General may issue a notice of violation to a business prior to initiating an action if the Attorney General determines that a cure is possible. After December 31, 2024, there will be no notice and cure process. A violation of the CPDPA is considered an unfair trade practice. Each violation will carry with it a penalty of up to $5,000 for willful violations.
Finally, it appears the state of Connecticut may continue to either promulgate additional legislation or amend the CPDPA. Prior to September 1, 2022, the Connecticut General Assembly must convene a task force to study issues concerning data privacy, such as information sharing among health care providers, algorithmic decision-making, legislation concerning COPPA, verification of the age of children creating social media accounts, data colocation, and other topics concerning data privacy. Such task force will submit a report no later than January 1, 2023 with its findings and recommendations.
As more states promulgate state data privacy legislation that differs in minor ways, it is absolutely vital for businesses to consult with data privacy counsel to ensure compliance with all compulsory requirements in this ever-shifting landscape.