Connecticut's New Privacy Law: What You Need to Know

• The Connecticut Data Privacy Act (CTDPA) was passed on May 10, 2022 and will go into force on July 1, 2023—the same day as the Colorado Privacy Act (CPA).

• The CTDPA is similar in scope to other state privacy laws but, notably, it lacks an annual revenue threshold and exempts data that’s only used for payment transactions.

• To prepare for CTDPA compliance, businesses will need to implement a way to manage consent, fulfill privacy requests, and field consumer appeals. If engaging in risky data processing activities, they’ll also need to conduct a data protection assessment.

What is the Connecticut Data Privacy Act?

• Scope: Who’s subject to the CTDPA?

• CTDPA vs. other state privacy laws

• Consumer rights provided by the CTDPA

• Enforcement

• Exemptions

Preparing for Connecticut Data Privacy Act compliance

• Determine whether the CTDPA applies to your business

• Implement consent management

• Offer a privacy request mechanism

• Create a mechanism for appeals

• Conduct data protection assessments

Passed on May 10, 2022, the Connecticut Data Privacy Act is the fifth state privacy law in the US. Going into force on July 1, 2023 (the same day as the Colorado Privacy Act), Utah businesses will have just over thirteen months to ensure CTDPA compliance.

Connecticut’s new privacy law takes heavy cues from the four other states with comprehensive privacy laws (Colorado, Virginia, Utah, and California)—mostly closely mirroring the Virginia Consumer Data Protection Act and Colorado Privacy Act.

Despite many similarities, the CTDPA does have notable differences from the other state laws—differences businesses should be aware of when working towards compliance. This guide outlines who the CTDPA applies to, consumer rights granted by the law, how it will be enforced, and how businesses can prepare.

Like all privacy laws, the first thing organizations should consider is whether or not they fall under the bill’s scope. The first threshold for Connecticut’s new privacy law is that an organization must do business in Connecticut (CT) or market goods or services to CT residents.

Additionally, the organization must:

• Collect, store, or sell personal data for 100,000 or more CT consumers (unless that data is only used in the context of payment transactions) OR

• Process personal data for 25,000 of more consumers AND receive over 25% of annual gross revenue from selling personal data

Making payment transaction data exempt is one key way the CTDPA differs from other state privacy laws. This stipulation means that as long as businesses only use data from credit or debit card sales in that context (and they aren’t processing data in other ways), the CTDPA doesn’t apply.

Also notable—unlike other state privacy laws, the CTDPA lacks an annual revenue threshold.

This means some companies, which may be beholden to other state laws based only on their annual revenue, will not fall under the CTDPA’s scope.

We’ll cover more of these key differences below.

Understanding the differences between state privacy laws is critical to effective compliance—what works in one state may not work in the next. As regulation continues to ramp up, it’s important businesses get it right the first time.

As mentioned above, the CTDPA has no annual revenue threshold.

For reference, the California Consumer Privacy Act (CPRA) and Utah Consumer Privacy Act (UCPA) both have $25 million revenue thresholds, though each state applies the threshold somewhat differently.

Aside from annual revenue thresholds, all state privacy laws include criteria around revenue derived from selling personal data. The CTDPA is triggered at 25% of annual revenue—sitting above Colorado (which triggers at any amount of revenue) and below Virginia, California, and Utah (all of which trigger at 50% of gross revenue).

The CTDPA defines the sale of personal data as:

“the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”

‘Or other valuable consideration’ is the key phrase here, expanding the scope of this clause to include non-monetary exchanges (sharing, trades, etc.) and mirroring Colorado and California.

By contrast, Virginia and Utah define the sale of personal data more narrowly, only including strict data sales.

Following the CPRA, Utah businesses must obtain consent before selling data from minors or using their data to inform targeted advertising campaigns. This is a stricter stance on data sale and targeted advertising for minors age 13 to 16, compared to the laws in Colorado, Virginia, and Utah.

Similar to the CPA, the CTDPA offers businesses an automatic 60 day cure period, in which they may address any violation for which they’ve been given notice. On January 1, 2025, this cure period will no longer be automatic, and can be provided at the Attorney General’s discretion.

All other states offer only 30 days and, in the case of the CRPA, the automatic cure period is set to be repealed on January 1, 2023.

Following Virginia and Colorado, Utah residents may file an appeal if a business refuses to fulfill the consumer rights outlined by the CTDPA.

Utah consumers may request to see what personal data a business has collected about them.

If they notice a mistake in the personal data held by a business, consumers may request it be corrected.

Utah residents may request that a business delete the personal data a business holds about them.

Utah residents may request a copy of their data in an easily transmittable format, so it may be moved to or shared with another entity.

Similar to the CPA, consumers may request a copy of all the personal data held by the organization—regardless of how the organization came to have the data. This is notable because in Virginia, consumers may only request a copy of the data they themselves provided.

Consumers under the CTDPA may opt out of data processing in the context of targeted advertising, personal data sale, or profiling from automated decision making.

Only the Utah Attorney General may pursue legal action for CTDPA violations.

Similar to Virginia, Colorado, and Utah, Connecticut’s privacy law does not offer a private right of action, which would allow consumers to press civil suits on their own behalf.

The CTDPA offers six entity-level exemptions.

• Local and state governments

• Nonprofits

• Higher education institutions

• Organizations registered under the Securities Exchange Act of 1934

• Organizations subject to the Gramm-Leach-Bliley Act

• Entities covered by the Health Insurance Portability and Accountability Act (HIPPA)

This means data processing by these types of organizations is exempt—even if it would otherwise fall under CTDPA jurisdiction.

The first step in preparing for CTDPA compliance is figuring out whether the law applies to your organization. Remember, the CTDPA’s scope covers organizations that:

• Do business in CT or market goods or services to CT residents

• Collect, store, or sell personal data for 100,000 or more CT consumers (unless that data is used only for payment transactions) OR

• Process personal data for 25,000 of more consumers AND make over 25% of annual gross revenue selling personal data

If your organization does meet these criteria, the CTDPA likely applies, but be sure to review listed exemptions as well. There are six entity level exemptions and 16 data type exemptions, so it’s possible your organization falls under one of those.

Once you’ve determined if Connecticut’s privacy law applies, it’s time to start working towards compliance. Remember, the bill goes into effect on July 1, 2023—so organizations should start now to be ready in time.

Under the CTDPA, organizations may process data in relation to targeted advertising, data sale, and profiling based on automated decision making—but they must give consumers a clear way to opt-out.

For minors ages 13-16, the rules are stricter. Businesses must get consent before processing begins and provide an opt-out option in case the minor changes their mind.

In all scenarios, the CTDPA requires that consent is “freely given, specific, informed and unambiguous.” The law also specifically bans the use of dark patterns, in which interface design is used to coerce individuals into actions they might not otherwise take.

The takeaway here is clear—provide an easy to find mechanism for consent management, one that enables opt-out for most Utah adults and opt-in/opt-out for Utah minors.

The CTDPA offers Utah residents the right to access, correct, and delete their personal data, so your organization will need a way to fulfill these consumer requests. With very few requests coming in, a manual process is workable; however, automated tools provide the best results at scale.

In the manual scenario, a team member will need to track down every database that stores personal data, find the data for the individual making the request, collate everything they find, and then send that packet back to the consumer.

For a single request, the process is a bit complicated, but doable. For thousands or even millions of requests, it’s simply not possible. An automated privacy request tool will be key for most businesses as consumer requests start flowing in.

The CTDPA requires that consumers be able to file an appeal if their privacy request is rejected—meaning your company needs to provide a way for consumers to file their appeal.

It doesn’t necessarily need to be complicated, a simple web form may do the trick. However, when setting up this mechanism, be sure to consider how it might work at scale.

Not every organization under the CTDPA will need to complete a data protection assessment (DPA), but for those who do it’s an important step.

Connecticut’s privacy law states a business must complete a DPA if their data processing activities create a “heightened risk of harm” to consumers. Activities that fall under this category include:

• Processing data for targeting advertising

• Personal data sales

• Processing data for automated profiling

• Processing sensitive data

The point of a DPA is not necessarily to restrict data processing, but rather to evaluate its benefits against the potential risks. It will also help your organization consider ways those risks might be addressed or mitigated.

Though the CTDPA has some notable differences from other state privacy laws, the broad strokes are the same, and business have less than 14 months to prepare.

Savvy businesses will begin working towards compliance now—implementing the necessary tools to fulfill privacy requests, providing CT consumers with a way to make appeals and opt-out of targeted advertising and data sale, as well as completing data protection assessments if necessary.

If your organization has been impacted by the Connecticut Data Privacy Act or other consumer privacy laws, Transcend can help you ensure compliance.

Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent using Transcend Consent, or discover data silos and auto-generate reports with Data Mapping.