The Connecticut Data Privacy Act (CTDPA) is one of the most recent comprehensive state consumer privacy laws we have seen this year – and businesses are sure to have questions about this significant new obligation now that it has taken effect. The law was finalized last year but just took effect on July 1. While similar to the consumer privacy laws in other states that have taken hold in the last few years – including California, Colorado, Indiana, Iowa, Montana, Tennessee, Texas, Virginia, and Utah – the CTDPA has its own unique contours that will require compliance efforts. What are the six biggest questions you need answered about Connecticut’s newest law?

1. What Does Connecticut’s New Data Privacy Law Do?

The CTDPA gives Connecticut consumers more choices and control with respect to the personal data collected about them by companies that do business in the state. Like other data privacy laws, the CTDPA gives consumers the right to:

• access their personal data;
• correct inaccuracies in their personal data;
• delete their personal data;
• obtain a copy of their personal data in a format that allows them to transmit it to another controller; and
• opt out of the sale and processing of their personal data.

The CTDPA also establishes responsibilities and privacy protection standards for data controllers that process personal data.

2. Does The CTDPA Apply To Employment Data?

In a nutshell, no. The CTDPA protects a Connecticut resident acting in an individual or household context, such as browsing the Internet or making a purchase at a store. It does not protect an individual acting in an employment context, such as applying for a job.

3. Who Does The CTDPA Apply To?

The CTDPA applies to businesses in Connecticut, or businesses which produce products or services targeted to Connecticut residents, and which, during the prior calendar year, controlled or processed the personal data of: (a) at least 100,000 consumers; or (b) 25,000 or more consumers and derived over 25% of gross revenue from the sale of personal data. 

The CTDPA also applies to service providers, known as “processors,” who maintain or provide services involving personal data on behalf of covered businesses. Personal data refers to any information that can be linked to an identifiable individual (excluding publicly available information), such as a home address, driver’s license or state identification number, passport information, financial account number, login credentials, and payment card information. 

4. Is Anyone Exempt From Complying With The CTDPA?

The CTDPA does not apply to every organization operating within the state of Connecticut. There are certain entities which are exempt from complying with the requirements of the CTDPA. These include state and local governments, nonprofit organizations, financial institutions subject to the Gramm-Leach-Bliley Act, national securities associations registered under the Securities Exchange Act of 1934, entities subject to the Health Insurance Portability and Accountability Act, and higher education institutions. The CTDPA also does not apply to certain types of personal data maintained in compliance with other laws, such as the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, and Fair Credit Reporting Act.

5. What Are Controllers Required To Do Under The CTDPA?

The CTDPA defines a “controller” as an individual or legal entity that, independently or jointly with others, collects and processes personal data and is responsible for responding to consumer requests about the collection and processing of personal data. Under the CTDPA, controllers are required to:

• Provide notice that is reasonably accessible, clear, and meaningful, and that includes: categories of personal data processed, the purpose(s) for processing, whether and why the controller shares personal data with third parties, and information about how consumers can exercise their various rights (i.e., access and deletion) over their personal data.
• Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purpose for which it is processed.
• Obtain consent before processing a consumer’s sensitive data.
• Respond to requests to exercise consumer rights granted under the CTDPA.
• Create and maintain security practices that protect the confidentiality, integrity, and accessibility of the data.
• Conduct assessments before processing personal data in a manner that presents a heightened risk of harm to consumers. This includes processing personal data for the purposes of targeted advertising, sale, or profiling, and processing sensitive data.
• Not discriminate against consumers who exercise their rights under the CTDPA or process personal data in a manner that would otherwise result in unlawful discrimination.

6. How Is The CTDPA Enforced?

The Attorney General has exclusive authority to enforce violations of the CTDPA. There is no private right of action under this law. Entities or individuals that violate the CTDPA may face civil penalties up to $5,000 per violation pursuant to the Connecticut Unfair Trade Practices Act. In addition to civil penalties, the Attorney General can also seek injunctive relief, restitution, and/or disgorgement (i.e., giving up any profits accrued from illegal activity).

If the Attorney General determines that a controller could remedy a violation of the CTDPA, the Attorney General must give the controller notice of the violation before initiating a lawsuit and the controller then has 60 days to remedy the violation. This right to cure sunsets on December 31, 2024.