Connecticut's New Privacy Law: What You Need to Know
At a glance
The Connecticut Data Privacy Act (CTDPA) was passed on May 10, 2022 and will go into force on July 1, 2023, the same day as the Colorado Privacy Act (CPA).
The CTDPA is similar in scope to other state privacy laws but, notably, it lacks an annual revenue threshold and exempts data that's only used for payment transactions.
To prepare for CTDPA compliance, businesses will need to implement a way to manage consent, fulfill privacy requests, and field consumer appeals. If engaging in risky data processing activities, they'll also need to conduct a data protection assessment.
Table of contents
What is the Connecticut Data Privacy Act?
Preparing for Connecticut Data Privacy Act compliance
What is the Connecticut Data Privacy Act?
Passed on May 10, 2022, the Connecticut Data Privacy Act is the fifth state privacy law in the US. It goes into force on July 1, 2023 (the same day as the Colorado Privacy Act), so Connecticut businesses will have just over thirteen months to ensure CTDPA compliance.
Connecticut's new privacy law takes heavy cues from the four other states with comprehensive privacy laws (Colorado, Virginia, Utah, and California), most closely mirroring the Virginia Consumer Data Protection Act and Colorado Privacy Act.
Despite many similarities, the CTDPA does have notable differences from the other state laws, differences businesses should be aware of when working towards compliance. This guide outlines who the CTDPA applies to, consumer rights granted by the law, how it will be enforced, and how businesses can prepare.
Scope: Who's subject to the CTDPA?
Like all privacy laws, the first thing organizations should consider is whether or not they fall under the bill's scope. The first threshold for Connecticut's new privacy law is that an organization must do business in Connecticut (CT) or market goods or services to CT residents.
Additionally, the organization must:
Collect, store, or sell personal data for 100,000 or more CT consumers (unless that data is only used in the context of payment transactions) OR
Process personal data for 25,000 or more consumers AND receive over 25% of annual gross revenue from selling personal data
Making payment transaction data exempt is one key way the CTDPA differs from other state privacy laws. This stipulation means that as long as businesses only use data from credit or debit card sales in that context (and they aren't processing data in other ways), the CTDPA doesn't apply.
Also notable: unlike other state privacy laws, the CTDPA lacks an annual revenue threshold.
This means some companies, which may be beholden to other state laws based only on their annual revenue, will not fall under the CTDPA's scope.
We'll cover more of these key differences below.
Differences between the CTDPA and other state privacy laws
Understanding the differences between state privacy laws is critical to effective compliance; what works in one state may not work in the next. As regulation continues to ramp up, it's important businesses get it right the first time.
Revenue thresholds
As mentioned above, the CTDPA has no annual revenue threshold.
For reference, the California Consumer Privacy Act (CPRA) and Utah Consumer Privacy Act (UCPA) both have $25 million revenue thresholds, though each state applies the threshold somewhat differently.
Aside from annual revenue thresholds, all state privacy laws include criteria around revenue derived from selling personal data. The CTDPA is triggered at 25% of annual revenue, sitting above Colorado (which triggers at any amount of revenue) and below Virginia, California, and Utah (all of which trigger at 50% of gross revenue).
Sale of personal data
The CTDPA defines the sale of personal data as:
"the exchange of personal data for monetary or other valuable consideration by the controller to a third party."
"Or other valuable consideration" is the key phrase here, expanding the scope of this clause to include non-monetary exchanges (sharing, trades, etc.) and mirroring Colorado and California.
By contrast, Virginia and Utah define the sale of personal data more narrowly, only including strict data sales.
Opt-in consent
Following the CPRA, Connecticut businesses must obtain consent before selling data from minors or using their data to inform targeted advertising campaigns. This is a stricter stance on data sale and targeted advertising for minors age 13 to 16, compared to the laws in Colorado, Virginia, and Utah.
Cure period
Similar to the CPA, the CTDPA offers businesses an automatic 60-day cure period, in which they may address any violation for which they've been given notice. On January 1, 2025, this cure period will no longer be automatic, and can be provided at the Attorney General's discretion.
All other states offer only 30 days and, in the case of the CPRA, the automatic cure period is set to be repealed on January 1, 2023.
Appeals
Following Virginia and Colorado, Connecticut residents may file an appeal if a business refuses to fulfill the consumer rights outlined by the CTDPA.
Consumer rights
Right to access
Connecticut consumers may request to see what personal data a business has collected about them.
Right to correct
If they notice a mistake in the personal data held by a business, consumers may request it be corrected.
Right to delete
Connecticut residents may request that a business delete the personal data it holds about them.
Right to data portability
Connecticut residents may request a copy of their data in an easily transmittable format, so it may be moved to or shared with another entity.
Similar to the CPA, consumers may request a copy of all the personal data held by the organization, regardless of how the organization came to have the data. This is notable because in Virginia, consumers may only request a copy of the data they themselves provided.
Right to opt out
Consumers under the CTDPA may opt out of data processing in the context of targeted advertising, personal data sale, or profiling from automated decision making.
Enforcement
Only the Connecticut Attorney General may pursue legal action for CTDPA violations.
Similar to Virginia, Colorado, and Utah, Connecticut's privacy law does not offer a private right of action, which would allow consumers to press civil suits on their own behalf.
Exemptions
The CTDPA offers six entity-level exemptions.
Local and state governments
Nonprofits
Higher education institutions
Organizations registered under the Securities Exchange Act of 1934
Organizations subject to the Gramm-Leach-Bliley Act
Entities covered by the Health Insurance Portability and Accountability Act (HIPAA)
This means data processing by these types of organizations is exempt, even if it would otherwise fall under CTDPA jurisdiction.
Preparing for CTDPA compliance
Determine whether the CTDPA applies to your business
The first step in preparing for CTDPA compliance is figuring out whether the law applies to your organization. Remember, the CTDPA's scope covers organizations that:
Do business in CT or market goods or services to CT residents
Collect, store, or sell personal data for 100,000 or more CT consumers (unless that data is used only for payment transactions) OR
Process personal data for 25,000 or more consumers AND make over 25% of annual gross revenue selling personal data
If your organization does meet these criteria, the CTDPA likely applies, but be sure to review the listed exemptions as well. There are six entity-level exemptions and 16 data type exemptions, so it's possible your organization falls under one of those.
Once you've determined that Connecticut's privacy law applies, it's time to start working towards compliance. Remember, the bill goes into effect on July 1, 2023, so organizations should start now to be ready in time.
Implement consent management
Under the CTDPA, organizations may process data in relation to targeted advertising, data sale, and profiling based on automated decision making, but they must give consumers a clear way to opt out.
For minors ages 13 to 16, the rules are stricter. Businesses must get consent before processing begins and provide an opt-out option in case the minor changes their mind.
In all scenarios, the CTDPA requires that consent is "freely given, specific, informed and unambiguous." The law also specifically bans the use of dark patterns, in which interface design is used to coerce individuals into actions they might not otherwise take.
The takeaway here is clear: provide an easy-to-find mechanism for consent management, one that enables opt-out for most Connecticut adults and opt-in/opt-out for Connecticut minors.
Offer a privacy request mechanism
The CTDPA offers Connecticut residents the right to access, correct, and delete their personal data, so your organization will need a way to fulfill these consumer requests. With very few requests coming in, a manual process is workable; however, automated tools provide the best results at scale.
In the manual scenario, a team member will need to track down every database that stores personal data, find the data for the individual making the request, collate everything they find, and then send that packet back to the consumer.
For a single request, the process is a bit complicated, but doable. For thousands or even millions of requests, it's simply not possible. An automated privacy request tool will be key for most businesses as consumer requests start flowing in.
Create a mechanism for appeals
The CTDPA requires that consumers be able to file an appeal if their privacy request is rejected, meaning your company needs to provide a way for consumers to file their appeal.
It doesn't necessarily need to be complicated; a simple web form may do the trick. However, when setting up this mechanism, be sure to consider how it might work at scale.
Conduct data protection assessments
Not every organization under the CTDPA will need to complete a data protection assessment (DPA), but for those who do it's an important step.
Connecticut's privacy law states a business must complete a DPA if their data processing activities create a "heightened risk of harm" to consumers. Activities that fall under this category include:
Processing data for targeted advertising
Personal data sales
Processing data for automated profiling
Processing sensitive data
The point of a DPA is not necessarily to restrict data processing, but rather to evaluate its benefits against the potential risks. It will also help your organization consider ways those risks might be addressed or mitigated.
Conclusion
Though the CTDPA has some notable differences from other state privacy laws, the broad strokes are the same, and businesses have less than 14 months to prepare.
Savvy businesses will begin working towards compliance now: implementing the necessary tools to fulfill privacy requests, providing CT consumers with a way to make appeals and opt out of targeted advertising and data sale, and completing data protection assessments if necessary.
About Transcend
If your organization has been impacted by the Connecticut Data Privacy Act or other consumer privacy laws, Transcend can help you ensure compliance.
Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, or discover data silos and auto-generate reports with Data Mapping.