Connecticut Personal Data Privacy and Online Monitoring

The Connecticut Personal Data Privacy and Online Monitoring Act, also known as the Connecticut Data Privacy Act (CTDPA), is the fifth and latest comprehensive data privacy law enacted in the United States.

The act will become enforceable on July 1, 2023, which means businesses have some time to develop and implement a compliant data privacy strategy to stay ahead of potential liability.

Let's take a closer look at Connecticut's new law by going over its purpose, scope, requirements, and practical steps your business can take to comply.

What is the Purpose of the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)?

In the absence of a unified data privacy framework at the federal level, Connecticut has joined a growing number of states to enact a comprehensive data privacy law.

As the name suggests, the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) was established to protect the personal data and online privacy of Connecticut residents.

The CTDPA was officially signed into law on May 10, 2022, by Connecticut Governor Ned Lamont after being passed by the Connecticut General Assembly on April 28, 2022.

Following the trend set by privacy laws in California, Virginia, Colorado, and Utah, the CTDPA:

• Provides new rights for residents of Connecticut
• Imposes several obligations on businesses under its scope
• Exempts certain organizations and types of data from its coverage, and
• Delegates enforcement powers to the Attorney General

To accomplish this, the law introduces a number of privacy rights to give consumers more control over how their personal data is collected and used. What's more, Connecticut's new law imposes several responsibilities and establishes privacy protection standards for businesses that operate in Connecticut or target its residents.

Notably, the CTDPA adopts many features from previous state privacy laws, particularly the Virginia Consumer Data Protection Act (CDPA) and the Colorado Privacy Act (CPA).

Although the similarities between the CTDPA and other state laws may help ease the burden of compliance on businesses, the CTDPA also contains a few noteworthy distinctions that must be factored into any business's compliance efforts.

That said, if your business already complies with other state privacy laws like the CDPA or CPA, you will likely not need to do much to come into compliance with Connecticut's new law.

Consumer Privacy Rights Under the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)

Much like other privacy laws, Connecticut's new law gives its residents several privacy rights when it comes to how businesses collect and use their personal data. They are as follows.

Right to Confirm and Access

Under the CTDPA, consumers have the right to confirm whether your business is processing their personal data and, if so, access such data.

For example, here's how Stripe presents this right in its Privacy Policy:

Note, however, that the CTDPA allows you to decline a consumer's request for confirmation or access to their data if such a request compels you to disclose a trade secret.

Right to Correction

The CTDPA gives consumers the right to correct any inaccuracies in their personal data, taking into consideration the nature of the data and the purposes for processing the data.

Here's an example of this privacy right from Upwork:

Right to Deletion

Under the CTDPA, consumers can submit requests to have their personal data deleted from your records and network or backup systems.

Here's how Etsy presents this right in its Privacy Policy:

Right to Data Portability

Consumers are also entitled to request a copy of their personal data in a portable, structured, and machine-readable format that makes it easier to reuse their data or transfer it directly to another controller.

Note that the CTDPA also allows you to decline this request if it compels you to disclose a trade secret.

Here's how OSCE PA presents this right:

Right to Opt Out

The CTDPA gives consumers the right to opt out of a business's data processing activities for purposes such as:

• Targeted Advertising
• The sale of their personal data, and
• Profiling in furtherance of solely automated decisions that produce legal or similarly notable effects concerning the consumer

According to the CTDPA, you must provide "clear and conspicuous" links on your website that allows a consumer (or an agent of the consumer) to opt out of targeted advertising or sale of the consumer's data.

However, beginning January 1, 2025, the CTDPA requires you to recognize universal opt-out preference signals (much like in Colorado's law), indicating a consumer's intent to opt out of any processing or sale of personal data.

Finally, keep in mind that (like most privacy laws) the CTDPA contains an anti-discrimination clause. This means that you must not discriminate against a consumer for exercising any of their rights by:

• Refusing to sell them products or services
• Charging them a different price or rate for products or services, or
• Providing them with a different level of quality of products or services

Responding to Consumer Requests

As a controller, you are obligated to promptly respond to a consumer's request within 45 days after receiving the request.

You can extend that deadline by an additional 45 days (if reasonably necessary) as long as you inform the consumer about the extension and the reasons for such.

Note that you can charge a reasonable fee if the consumer makes more than one request within a 12-month time period or if the request is "manifestly unfounded, excessive, or repetitive."

Who the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) Applies to

The CTDPA applies to individuals or entities who conduct business within the state of Connecticut or produce products or services that are designed to target the residents of Connecticut and who, during the preceding year, either:

• Processed or controlled the personal data of at least 100,000 consumers, excluding data processed solely to complete a payment transaction, or
• Processed or controlled the personal data of at least 25,000 consumers and derived more than 25 percent of their gross revenue from selling personal data

To better comprehend the scope of the CTDPA, it's important to understand how certain terms are defined under the law.

Who is a Consumer?

The CTDPA defines a consumer as an individual who is a resident of Connecticut. The law goes on to specify details of instances where an individual is not considered a consumer.

According to the CTDPA:

"A consumer does not include an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency."

What is Personal Data?

Much like other privacy laws, the CTDPA defines personal data as "any information that is linked or reasonably linkable to an identified or identifiable individual."

Although the law doesn't provide an exhaustive list of what may be considered personal data, the more obvious ones include names, phone numbers, email/IP addresses, credit card details, identification numbers, and so on.

Exceptions to this definition are de-identified data and publicly available information.

Deidentified data is any information that has been adjusted to remove features that can be used to deduce information about or link to an individual.

Note that before any data can be considered de-identified under the CTDPA, you must do the following:

• Take reasonable measures to ensure that such data cannot be linked to an individual
• Publicly commit to process such data only in a de-identified fashion and not try to re-identify it
• Make sure that any recipient of such data is contractually obligated to comply with the above criteria

What are a Controller and Processor?

A controller refers to an individual or organization that decides the purpose and methods of processing personal data. Controllers are principally responsible for safeguarding the privacy and data of consumers by fulfilling certain obligations, but we'll go into that later.

A processor, on the other hand, refers to any individual or organization that processes personal data on behalf of a controller. Processors are legally obligated to assist controllers in fulfilling their obligations.

They must also enter a contract with controllers that outlines the following information:

• The instructions for processing data
• The nature and purpose of the processing
• The type of data subject to processing
• The duration of processing
• The rights and obligations of both parties

Common examples of processors include third-party service providers like payment processors, marketing research agencies, and ecommerce platforms.

Who the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) Doesn't Apply to

The following organizations are exempt from the CTDPA's coverage:

• Governmental organizations in Connecticut
• Nonprofit organizations
• Higher education institutions
• National securities associations registered under the Securities Exchange Act of 1934
• Financial institutions or data subject to the Gramm-Leach-Bliley Act
• Covered entities and business associates subject to the Health Insurance Portability and Accountability Act (HIPAA)

In addition to the organizations exempted, the CTDPA also exempts 16 types of data from its scope, including specific information regulated by the Fair Credit Reporting Act (FCRA), HIPAA, the Family Educational Rights and Privacy Act (FERPA), the Airline Deregulation Act, the Farm Credit Act (FCA), and the Driver's Privacy Protection Act.

Lastly, the CTDPA exempts specific categories of data relating to employment.

Requirements and Best Practices for Compliance with the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA)

As a controller subject to the CTDPA, you are required to observe and take certain steps to comply with the obligations specified in the law.

Let's briefly go over these obligations as well as provide practical guidance on how you can comply accordingly.

Observe the Data Minimization and Purpose Limitation Principles

Consistent with most privacy laws, the CTDPA requires you (as a controller) to limit your collection of personal data to what is "adequate, relevant, and reasonably necessary" to carry out the data processing activities specified to consumers.

Additionally, unless consent is obtained from the consumer, the CTDPA prohibits you from processing data for purposes that are neither "reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed."

Here's how Gymshark observes these data protection principles in its Privacy Notice:

Have a Compliant Privacy Policy

Another very important obligation imposed on controllers by the CTDPA is to publish a "reasonably accessible, clear and meaningful" Privacy Policy on their website on their website or other platforms.

If you already have a Privacy Policy, you need to update it to reflect the changes required by the CTDPA.

To be considered compliant with this requirement, your Privacy Policy must conspicuously display the following information:

• The categories of personal data you process
• The purposes for which you process personal data
• How consumers may exercise their privacy rights
• How consumers may appeal your decision concerning their requests
• The categories of personal data you disclose to third parties (if applicable)
• The categories of third parties to whom you disclose personal data (if applicable)
• An active email address or an alternative online mechanism through which consumers may contact you

Furthermore, if you sell personal data to third parties or process data for targeted advertising, you need to "clearly and conspicuously disclose such processing" as well as explain how consumers may exercise their right to opt out.

Implement Appropriate Data Security Measures

According to the CTDPA, controllers must:

"establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data."

What's more, the law specifies that the level of security must be appropriate to the volume and type of personal data being processed.

Bumble provides a short but concise clause in its Privacy Policy that addresses its data security practices as shown below:

Implement a Compliant Consent Mechanism

Much like in other privacy laws, consent is deeply regulated under the CTDPA. As a controller, you must not process a consumer's sensitive data without obtaining freely given, specific, informed, and unambiguous consent.

Sensitive data includes but isn't limited to:

• Racial/Ethnic data
• Sexual orientation
• Religious beliefs
• Genetic/Biometric data
• Data from a known child

Note that the CTDPA prohibits you from processing the data of a child unless you comply with the Children's Online Privacy Protection Act (COPPA).

Consent is also needed to process a consumer's data for targeted advertising or to sell their data if a controller is aware of and intentionally ignores that the consumer is between the age of 13 and 16.

Finally, you must "provide an effective mechanism" that allows consumers to withdraw consent as easily as they gave it. Once consent is withdrawn, you must stop all processing activities as soon as practicable, but within 15 days after receiving the request.

To obtain consent, we recommend using an unticked clickwrap checkbox to make sure consumers have read and approved your terms and policies like PayPal does here:

Provide a System for Responding to Consumer Requests

As a controller, your Privacy Policy must include at least one "secure and reliable" means for consumers to get in touch with your business regarding their requests.

In doing this, you must consider:

• The typical ways consumers interact with your business
• The need for secure and reliable communication of consumer requests, and
• Your ability to confirm a consumer's identity

Conduct Data Protection Assessments

Under the CTDPA, controllers are legally obligated to conduct and document a data protection assessment for processing activities that "presents a heightened risk of harm" to consumers.

Such activities include:

• Processing data for targeted advertising
• Selling personal data
• Processing personal data for profiling purposes, where such profiling presents a reasonably foreseeable risk of unfair treatment or substantial injury to consumers
• Processing sensitive data

Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) Enforcement and Penalties

The CTDPA does not include a private right of action. In other words, enforcement authority falls exclusively to the Attorney General.

Connecticut's new law provides an enforcement grace period beginning on July 1, 2023, and ending on December 31, 2024. During this period, the AG must provide a controller with a written notice of violation, after which the controller has 60 days to "cure" the violation.

If the violation is not cured within 60 days, the AG may then initiate an enforcement action.

The right to cure will end on December 31, 2024, leaving the AG with discretionary authority to provide an opportunity to cure, subject to certain conditions.

There is no specific fine or penalty in the CTDPA's provisions but keep in mind that a violation of the law is considered an unfair trade practice under the Connecticut Unfair Trade Practices Act.

Therefore, a business in violation of the CTDPA may face civil penalties up to $5,000 for each intentional violation.

Summary

Below are the key takeaways in this article to help your business comply with the Connecticut Personal Data Privacy and Online Monitoring Act:

• The CTDPA is a privacy law that was established to protect the online privacy and personal data of Connecticut residents.
• The CTDPA may apply to businesses that operate in Connecticut or produce products or services that target Connecticut residents (subject to other conditions).
• The law requires businesses to observe consumers' rights and help exercise them promptly at their request.
• Businesses must observe the data minimization and purpose limitation principles when processing data.
• The law requires businesses to publish a clear and straightforward Privacy Policy to disclose certain information to consumers.
• Businesses must have a reasonable data security system in place to protect the confidentiality of personal data.
• Businesses must establish and maintain a mechanism to obtain consent from consumers.
• Giving and revoking consent must be equally easy for consumers.
• Businesses must provide a safe and reliable means for consumers to contact them.
• Businesses must conduct data protection assessments when reasonably necessary.

All US Privacy Laws

Want to read more about privacy laws in the USA? Start here: