Senior Content Marketing Manager II
June 22, 2022 • 7 min read
What is the Connecticut Data Privacy Act?
Preparing for Connecticut Data Privacy Act compliance
Passed on May 10, 2022, the Connecticut Data Privacy Act (CTDPA) is the fifth comprehensive state privacy law in the US. It takes effect on July 1, 2023 (the same day as the Colorado Privacy Act), giving Connecticut businesses just over thirteen months to ensure CTDPA compliance.
Connecticut's new privacy law takes heavy cues from the four other states with comprehensive privacy laws (Colorado, Virginia, Utah, and California), most closely mirroring the Virginia Consumer Data Protection Act and the Colorado Privacy Act.
Despite many similarities, the CTDPA does have notable differences from the other state laws—differences businesses should be aware of when working towards compliance. This guide outlines who the CTDPA applies to, consumer rights granted by the law, how it will be enforced, and how businesses can prepare.
As with any privacy law, the first thing organizations should consider is whether they fall under its scope. The first threshold for Connecticut's new privacy law is that an organization must do business in Connecticut (CT) or market goods or services to CT residents.
Additionally, during the preceding calendar year the organization must have either controlled or processed the personal data of at least 100,000 consumers (excluding data controlled or processed solely to complete a payment transaction), or controlled or processed the personal data of at least 25,000 consumers while deriving more than 25% of its gross revenue from the sale of personal data.
Excluding payment transaction data from the consumer-count threshold is one key way the CTDPA differs from other state privacy laws. In practice, a business whose only personal data comes from credit or debit card sales, and which uses that data solely to complete those transactions, cannot cross the threshold on the strength of that data alone, so the CTDPA would not apply.
Also notable: unlike California and Utah, the CTDPA has no annual revenue threshold.
This means a company that falls under those states' laws solely because of its annual revenue will not, on that basis alone, fall under the CTDPA's scope.
We’ll cover more of these key differences below.
Understanding the differences between state privacy laws is critical to effective compliance—what works in one state may not work in the next. As regulation continues to ramp up, it’s important businesses get it right the first time.
As mentioned above, the CTDPA has no annual revenue threshold.
For reference, the California Privacy Rights Act (CPRA) and the Utah Consumer Privacy Act (UCPA) both have $25 million revenue thresholds, though each state applies the threshold somewhat differently.
Aside from annual revenue thresholds, all state privacy laws include criteria around revenue derived from selling personal data. The CTDPA is triggered at 25% of gross revenue, which sits above Colorado (triggered by any revenue from data sales) and below Virginia, California, and Utah (all of which trigger at 50% of gross revenue).
The CTDPA defines the sale of personal data as:
“the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”
"Or other valuable consideration" is the key phrase here: it expands the clause to cover non-monetary exchanges (sharing, trades, etc.), mirroring Colorado and California.
By contrast, Virginia and Utah define the sale of personal data more narrowly, only including strict data sales.
Following the CPRA, Connecticut businesses must obtain consent before selling minors' personal data or using it for targeted advertising. This is a stricter stance on data sale and targeted advertising for minors aged 13 to 16 than the laws in Colorado, Virginia, and Utah take.
Similar to the CPA, the CTDPA gives businesses an automatic 60-day cure period in which they may address any violation they have been notified of. From January 1, 2025, the cure period will no longer be automatic and will instead be granted at the Attorney General's discretion.
All other states offer only 30 days and, in the case of the CPRA, the automatic cure period is set to be repealed on January 1, 2023.
Following Virginia and Colorado, Connecticut residents may file an appeal if a business refuses to fulfill a request made under the consumer rights the CTDPA grants.
Right to access: Connecticut consumers may request to see what personal data a business has collected about them.
Right to correct: if they notice a mistake in the personal data a business holds, consumers may request that it be corrected.
Right to delete: Connecticut residents may request that a business delete the personal data it holds about them.
Right to data portability: Connecticut residents may request a copy of their data in a readily usable, transmittable format, so it can be moved to or shared with another entity.
Similar to the CPA, consumers may request a copy of all the personal data the organization processes about them, regardless of how the organization came to have it. This is notable because in Virginia, consumers may only request a copy of the data they themselves provided.
Consumers under the CTDPA may opt out of the processing of their personal data for targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.
Only the Connecticut Attorney General may pursue legal action for CTDPA violations.
Similar to Virginia, Colorado, and Utah, Connecticut’s privacy law does not offer a private right of action, which would allow consumers to press civil suits on their own behalf.
The CTDPA offers six entity-level exemptions.
This means data processing by these types of organizations is exempt—even if it would otherwise fall under CTDPA jurisdiction.
The first step in preparing for CTDPA compliance is figuring out whether the law applies to your organization. Remember, the CTDPA's scope covers organizations that do business in Connecticut or target CT residents and that meet one of the data-volume thresholds described above.
If your organization meets these criteria, the CTDPA likely applies, but be sure to review the listed exemptions as well. There are six entity-level exemptions and 16 data-type exemptions, so it's possible your organization falls under one of them.
Once you've determined that Connecticut's privacy law applies, it's time to start working towards compliance. Remember, the law takes effect on July 1, 2023, so organizations should start now to be ready in time.
Under the CTDPA, organizations may process personal data for targeted advertising, data sale, and profiling in furtherance of solely automated decisions with legal or similarly significant effects, but they must give consumers a clear way to opt out.
For minors aged 13 to 16, the rules are stricter. Businesses must obtain consent before selling their data or using it for targeted advertising, and must still provide an opt-out in case the minor changes their mind.
In all scenarios, the CTDPA requires that consent is “freely given, specific, informed and unambiguous.” The law also specifically bans the use of dark patterns, in which interface design is used to coerce individuals into actions they might not otherwise take.
The takeaway here is clear: provide an easy-to-find consent management mechanism, one that enables opt-out for Connecticut adults and opt-in (with later opt-out) for Connecticut minors aged 13 to 16.
The CTDPA gives Connecticut residents the right to access, correct, delete, and obtain a copy of their personal data, so your organization will need a way to fulfill these consumer requests. With very few requests coming in, a manual process is workable; at scale, automated tooling gives far better results.
In the manual scenario, a team member will need to track down every data store that holds personal data, find the records belonging to the individual making the request, collate everything they find, and then send that packet back to the consumer.
For a single request, the process is involved but doable. For thousands or even millions of requests, it simply doesn't scale. An automated privacy request tool will be key for most businesses once consumer requests start flowing in.
The CTDPA requires that consumers be able to appeal a rejected privacy request, meaning your company needs to provide a way for consumers to file that appeal.
It doesn't need to be complicated; a simple web form may do. However, when setting up this mechanism, consider how it will work at scale and how you will track and respond to each appeal.
Not every organization under the CTDPA will need to complete a data protection assessment (DPA), but for those that do, it's an important step.
Connecticut's privacy law requires a business to complete a DPA for each processing activity that presents a "heightened risk of harm" to consumers. Activities in this category include processing personal data for targeted advertising, selling personal data, profiling that presents a reasonably foreseeable risk of harm to consumers, and processing sensitive data.
The point of a DPA is not necessarily to restrict data processing, but to weigh its benefits against the potential risks to consumers. It also helps your organization consider how those risks might be addressed or mitigated.
Though the CTDPA has some notable differences from other state privacy laws, the broad strokes are the same, and businesses have less than 14 months to prepare.
Savvy businesses will begin working towards compliance now: implementing the tools needed to fulfill privacy requests, providing CT consumers with a way to file appeals and to opt out of targeted advertising and data sale, and completing data protection assessments where required.
If your organization has been impacted by the Connecticut Data Privacy Act or other consumer privacy laws, Transcend can help you ensure compliance.
Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, or discover data silos and auto-generate reports with Data Mapping.