The Connecticut Personal Data Privacy and Online Monitoring Act, also known as the Connecticut Data Privacy Act (CTDPA), is the fifth and latest comprehensive data privacy law enacted in the United States.
The act will become enforceable on July 1, 2023, which means businesses have some time to develop and implement a compliant data privacy strategy to stay ahead of potential liability.
Let's take a closer look at Connecticut's new law by going over its purpose, scope, requirements, and practical steps your business can take to comply.
- 1. What is the Purpose of the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)?
- 2. Consumer Privacy Rights Under the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)
- 2.1. Right to Confirm and Access
- 2.2. Right to Correction
- 2.3. Right to Deletion
- 2.4. Right to Data Portability
- 2.5. Right to Opt Out
- 2.6. Responding to Consumer Requests
- 3. Who the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) Applies to
- 3.1. Who is a Consumer?
- 3.2. What is Personal Data?
- 3.3. What are a Controller and Processor?
- 4. Who the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) Doesn't Apply to
- 5. Requirements and Best Practices for Compliance with the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)
- 5.1. Observe the Data Minimization and Purpose Limitation Principles
- 5.3. Implement Appropriate Data Security Measures
- 5.4. Implement a Compliant Consent Mechanism
- 5.5. Provide a System for Responding to Consumer Requests
- 5.6. Conduct Data Protection Assessments
- 6. Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) Enforcement and Penalties
- 7. Summary
- 8. All US Privacy Laws
What is the Purpose of the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)?
In the absence of a unified data privacy framework at the federal level, Connecticut has joined a growing number of states to enact a comprehensive data privacy law.
As the name suggests, the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) was established to protect the personal data and online privacy of Connecticut residents.
The CTDPA was officially signed into law on May 10, 2022, by Connecticut Governor Ned Lamont after being passed by the Connecticut General Assembly on April 28, 2022.
Broadly, the CTDPA:
- Provides new rights for residents of Connecticut
- Imposes several obligations on businesses under its scope
- Exempts certain organizations and types of data from its coverage, and
- Delegates enforcement powers to the Attorney General
To accomplish this, the law introduces a number of privacy rights to give consumers more control over how their personal data is collected and used. What's more, Connecticut's new law imposes several responsibilities and establishes privacy protection standards for businesses that operate in Connecticut or target its residents.
Notably, the CTDPA adopts many features from previous state privacy laws, particularly the Virginia Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA).
Although the similarities between the CTDPA and other state laws may help ease the burden of compliance on businesses, the CTDPA also contains a few noteworthy distinctions that must be factored into any business's compliance efforts.
That said, if your business already complies with other state privacy laws like the CDPA or CPA, you will likely not need to do much to come into compliance with Connecticut's new law.
Consumer Privacy Rights Under the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)
Much like other privacy laws, Connecticut's new law gives its residents several privacy rights when it comes to how businesses collect and use their personal data. They are as follows.
Right to Confirm and Access
Under the CTDPA, consumers have the right to confirm whether your business is processing their personal data and, if so, access such data.
Note, however, that the CTDPA allows you to decline a consumer's request for confirmation or access to their data if such a request compels you to disclose a trade secret.
Right to Correction
The CTDPA gives consumers the right to correct any inaccuracies in their personal data, taking into consideration the nature of the data and the purposes for processing the data.
Here's an example of this privacy right from Upwork:
Right to Deletion
Under the CTDPA, consumers can submit requests to have their personal data deleted from your records and network or backup systems.
Right to Data Portability
Consumers are also entitled to request a copy of their personal data in a portable, structured, and machine-readable format that makes it easier to reuse their data or transfer it directly to another controller.
Note that the CTDPA also allows you to decline this request if it compels you to disclose a trade secret.
Here's how OSCE PA presents this right:
Right to Opt Out
The CTDPA gives consumers the right to opt out of a business's data processing activities for purposes such as:
- Targeted Advertising
- The sale of their personal data, and
- Profiling in furtherance of solely automated decisions that produce legal or similarly notable effects concerning the consumer
According to the CTDPA, you must provide "clear and conspicuous" links on your website that allow a consumer (or an agent of the consumer) to opt out of targeted advertising or the sale of the consumer's data.
Additionally, beginning January 1, 2025, the CTDPA requires you to recognize universal opt-out preference signals (much like Colorado's law), which indicate a consumer's intent to opt out of any processing or sale of personal data.
Finally, keep in mind that (like most privacy laws) the CTDPA contains an anti-discrimination clause. This means that you must not discriminate against a consumer for exercising any of their rights by:
- Refusing to sell them products or services
- Charging them a different price or rate for products or services, or
- Providing them with a different level of quality of products or services
Responding to Consumer Requests
As a controller, you are obligated to respond to a consumer's request within 45 days of receiving it.
You can extend that deadline by an additional 45 days (if reasonably necessary) as long as you inform the consumer of the extension and the reasons for it.
Note that you can charge a reasonable fee if the consumer makes more than one request within a 12-month time period or if the request is "manifestly unfounded, excessive, or repetitive."
Who the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) Applies to
The CTDPA applies to individuals or entities who conduct business within the state of Connecticut or produce products or services that are designed to target the residents of Connecticut and who, during the preceding year, either:
- Processed or controlled the personal data of at least 100,000 consumers, excluding data processed solely to complete a payment transaction, or
- Processed or controlled the personal data of at least 25,000 consumers and derived more than 25 percent of their gross revenue from selling personal data
To better comprehend the scope of the CTDPA, it's important to understand how certain terms are defined under the law.
Who is a Consumer?
The CTDPA defines a consumer as an individual who is a resident of Connecticut. The law also specifies when an individual is not considered a consumer.
According to the CTDPA:
"A consumer does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency."
What is Personal Data?
Much like other privacy laws, the CTDPA defines personal data as "any information that is linked or reasonably linkable to an identified or identifiable individual."
Although the law doesn't provide an exhaustive list of what may be considered personal data, the more obvious ones include names, phone numbers, email/IP addresses, credit card details, identification numbers, and so on.
Exceptions to this definition are de-identified data and publicly available information.
De-identified data is any information that has been adjusted to remove features that can be used to deduce information about or link to an individual.
Note that before any data can be considered de-identified under the CTDPA, you must do the following:
- Take reasonable measures to ensure that such data cannot be linked to an individual
- Publicly commit to process such data only in a de-identified fashion and not try to re-identify it
- Make sure that any recipient of such data is contractually obligated to comply with the above criteria
What are a Controller and Processor?
A controller refers to an individual or organization that decides the purpose and methods of processing personal data. Controllers are principally responsible for safeguarding the privacy and data of consumers by fulfilling certain obligations, but we'll go into that later.
A processor, on the other hand, refers to any individual or organization that processes personal data on behalf of a controller. Processors are legally obligated to assist controllers in fulfilling their obligations.
They must also enter a contract with controllers that outlines the following information:
- The instructions for processing data
- The nature and purpose of the processing
- The type of data subject to processing
- The duration of processing
- The rights and obligations of both parties
Common examples of processors include third-party service providers like payment processors, marketing research agencies, and ecommerce platforms.
Who the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) Doesn't Apply to
The following organizations are exempt from the CTDPA's coverage:
- Governmental organizations in Connecticut
- Nonprofit organizations
- Higher education institutions
- National securities associations registered under the Securities Exchange Act of 1934
- Financial institutions or data subject to the Gramm-Leach-Bliley Act
- Covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA)
In addition to the organizations exempted, the CTDPA also exempts 16 types of data from its scope, including specific information regulated by the Fair Credit Reporting Act (FCRA), HIPAA, the Family Educational Rights and Privacy Act (FERPA), the Airline Deregulation Act, the Farm Credit Act (FCA), and the Driver's Privacy Protection Act.
Lastly, the CTDPA exempts specific categories of data relating to employment.
Requirements and Best Practices for Compliance with the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)
As a controller subject to the CTDPA, you are required to observe and take certain steps to comply with the obligations specified in the law.
Let's briefly go over these obligations as well as provide practical guidance on how you can comply accordingly.
Observe the Data Minimization and Purpose Limitation Principles
Consistent with most privacy laws, the CTDPA requires you (as a controller) to limit your collection of personal data to what is "adequate, relevant, and reasonably necessary" to carry out the data processing activities specified to consumers.
Additionally, unless consent is obtained from the consumer, the CTDPA prohibits you from processing data for purposes that are neither "reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed."
Here's how Gymshark observes these data protection principles in its Privacy Notice:
Additionally, the CTDPA requires you to provide consumers with a clear and reasonably accessible privacy notice that includes:
- The categories of personal data you process
- The purposes for which you process personal data
- How consumers may exercise their privacy rights
- How consumers may appeal your decision concerning their requests
- The categories of personal data you disclose to third parties (if applicable)
- The categories of third parties to whom you disclose personal data (if applicable)
- An active email address or an alternative online mechanism through which consumers may contact you
Furthermore, if you sell personal data to third parties or process data for targeted advertising, you need to "clearly and conspicuously disclose such processing" as well as explain how consumers may exercise their right to opt out.
Implement Appropriate Data Security Measures
According to the CTDPA, controllers must:
"establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data."
What's more, the law specifies that the level of security must be appropriate to the volume and type of personal data being processed.
Implement a Compliant Consent Mechanism
Much like other privacy laws, the CTDPA tightly regulates consent. As a controller, you must not process a consumer's sensitive data without obtaining freely given, specific, informed, and unambiguous consent.
Sensitive data includes but isn't limited to:
- Racial/Ethnic data
- Sexual orientation
- Religious beliefs
- Genetic/Biometric data
- Data from a known child
Note that the CTDPA prohibits you from processing the data of a child unless you comply with the Children's Online Privacy Protection Act (COPPA).
Consent is also needed to process a consumer's data for targeted advertising or to sell their data if a controller knows, or willfully disregards, that the consumer is between 13 and 16 years of age.
Finally, you must "provide an effective mechanism" that allows consumers to withdraw consent as easily as they gave it. Once consent is withdrawn, you must stop all processing activities as soon as practicable, and in any case within 15 days of receiving the request.
Provide a System for Responding to Consumer Requests
You must establish one or more secure and reliable means through which consumers can submit requests to exercise their rights. In doing this, you must consider:
- The typical ways consumers interact with your business
- The need for secure and reliable communication of consumer requests, and
- Your ability to confirm a consumer's identity
Conduct Data Protection Assessments
Under the CTDPA, controllers are legally obligated to conduct and document a data protection assessment for each processing activity that "presents a heightened risk of harm" to consumers.
Such activities include:
- Processing data for targeted advertising
- Selling personal data
- Processing personal data for profiling purposes, where such profiling presents a reasonably foreseeable risk of unfair treatment or substantial injury to consumers
- Processing sensitive data
Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) Enforcement and Penalties
The CTDPA does not include a private right of action. In other words, enforcement authority falls exclusively to the Attorney General.
Connecticut's new law provides an enforcement grace period beginning on July 1, 2023, and ending on December 31, 2024. During this period, the AG must provide a controller with a written notice of violation, after which the controller has 60 days to "cure" the violation.
If the violation is not cured within 60 days, the AG may then initiate an enforcement action.
The right to cure will end on December 31, 2024, leaving the AG with discretionary authority to provide an opportunity to cure, subject to certain conditions.
There is no specific fine or penalty in the CTDPA's provisions but keep in mind that a violation of the law is considered an unfair trade practice under the Connecticut Unfair Trade Practices Act.
Therefore, a business in violation of the CTDPA may face civil penalties up to $5,000 for each intentional violation.
Summary
Below are the key takeaways in this article to help your business comply with the Connecticut Personal Data Privacy and Online Monitoring Act:
- The CTDPA is a privacy law that was established to protect the online privacy and personal data of Connecticut residents.
- The CTDPA may apply to businesses that operate in Connecticut or produce products or services that target Connecticut residents (subject to other conditions).
- The law requires businesses to observe consumers' rights and help exercise them promptly at their request.
- Businesses must observe the data minimization and purpose limitation principles when processing data.
- Businesses must have a reasonable data security system in place to protect the confidentiality of personal data.
- Businesses must establish and maintain a mechanism to obtain consent from consumers.
- Giving and revoking consent must be equally easy for consumers.
- Businesses must provide a safe and reliable means for consumers to contact them.
- Businesses must conduct data protection assessments when reasonably necessary.
All US Privacy Laws
Want to read more about privacy laws in the USA? Start here:
- COPPA (Children's Online Privacy Protection Act): Federal law that protects the privacy of children under 13 years of age when online or using a mobile app.
- HIPAA (Health Insurance Portability and Accountability Act): Federal law that protects the privacy of individuals' health information.
- California CalOPPA (California Online Privacy Protection Act)
- California CCPA (California Consumer Privacy Act): California law that gives consumers many privacy rights while putting transparency obligations on businesses.
- California CPRA (California Privacy Rights Act): California law that expands the CCPA and gives consumers additional rights.
- Virginia VCDPA (Virginia Consumer Data Protection Act): Virginia law that allows users to opt out of the sale of their personal data.
- Maryland PIPA (Maryland Personal Information Protection Act): Maryland law that requires businesses to keep personal information private and secured.
- Utah UCPA (Utah Consumer Privacy Act): Utah law that provides a range of consumer privacy rights, including the right to data portability.
- Connecticut CTDPA (Connecticut Personal Data Privacy and Online Monitoring Act): Connecticut law that places transparency requirements on businesses while granting consumers rights over their personal data.
- Colorado CPA (Colorado Privacy Act): Colorado law that grants privacy rights to consumers while dictating how businesses can collect and process personal data.
- Florida FPPA (Florida Privacy Protection Act): Florida law that lets consumers control how their personal data is used, while requiring businesses to be more transparent.