On May 10, 2022, The Connecticut Data Privacy Act ("CTDPA") was signed into law. Connecticut was the fifth State of the Union to pass its own consumer privacy regulations. The CTDPA is one of the most comprehensive and consumer-friendly state privacy laws to date. The CTDPA will take effect on July 1, 2023.

The CTDPA is designed to both protect the privacy rights of Connecticut State residents and establish corresponding privacy protection responsibilities for companies doing business in the State. The law is modeled, in large part, after the Colorado Privacy Act ("CPA") and Virginia's Consumer Data Protection Act ("CDPA"). The CTDPA, CPA, and CDPA, respectively, are all consumer-friendly regulations, and have very similar provisions. It is important that companies conducting business in Connecticut become acquainted with the State's new privacy law. Key provisions may be unfamiliar, and the CTDPA is scheduled to take effect in under four months.

Defining Key Terms in Connecticut's New Privacy Law

Connecticut's new privacy law applies to "controllers" and "processors" of data – language also found in the CPA and CDPA. A controller is "an individual who, or legal entity that, alone or jointly with others determines the purposes and means of processing personal data". A processor is "an individual who, or legal entity that, processes personal data on behalf of a controller." The CTDPA defines a consumer as an individual residing in Connecticut that is acting as a private person. This is important, because individuals who are "acting in a commercial or employment context," which includes applying for a job, are excluded from the protections afforded by Connecticut's consumer privacy law.

The CTDPA has heightened standards of protection when it comes to sensitive data. Sensitive data includes:

(A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status;

(B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual;

(C) personal data collected from a known child (under the age of 13); and

(D) precise geolocation data.

What Are Some of the Key Provisions of the CTDPA?

Connecticut's new privacy law applies to organizations that:

(A) control or process the personal data of 100,000 or more consumers annually, unless the personal data is controlled or processed solely for the purpose of completing a payment transaction; and/or

(B) derive over 25% of their gross revenue from the sale of personal data, and

control or process the personal data of 25,000 or more consumers.

Under the CTDPA, Connecticut consumers have the right to directly contact a controller to access personal data that the controller has collected about them, correct any inaccuracies in this data, and request that their data, including data collected through third parties, be deleted. Connecticut's privacy law requires that controllers allow consumers to opt-out of the sale of their personal data and/or the processing of personal data for the purposes of targeted advertising. In addition, processors must not collect, use, store, disclose, or analyze any personal data without obtaining consumer consent.

Hire Experienced Attorneys to Help You Comply with Connecticut's New Privacy Law

The CTDPA is comprised of twenty-seven pages of comprehensive and consumer-friendly regulatory provisions. As mentioned above, this law is scheduled to take effect on July 1, 2023. The key provisions discussed hereinabove are only a few of the many that the Connecticut State Attorney General will start holding companies accountable for in July. Businesses operating in Connecticut should soon come into compliance with the CTDPA, if they have not already. The attorneys at Klein Moynihan Turco have decades of experience advising companies on how to comply with state and federal privacy regulations.

Similar Blog Posts:

Connecticut Privacy Law Advances to House

Businesses Must Make State Specific Privacy Policy Changes!

State Privacy Laws in 2023: Are Your Privacy Practices Compliant?

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.