Connecticut Passes the Next U.S. State Comprehensive Data Privacy Bill
On May 10, 2022, Governor Ned Lamont signed the Connecticut Data Privacy Act (CTDPA). Connecticut became the fifth state to pass a consumer privacy law. The CTDPA is similar to Colorado, Virginia, and Utah’s privacy legislation.
Check out our Privacy Laws Comparison Matrix to compare and contrast the details of US State and international data privacy laws.
Effective Date: July 1, 2023
Applicability: CTDPA applies to:
- Individuals and entities doing business in Connecticut, or that produce products or services that are targeted to Connecticut residents; AND
- That in the preceding year, controlled or processed the personal data of at least
- 100,000 Connecticut residents (excluding for the purpose of completing a payment transaction); or
- 25,000 Connecticut residents, if the individual or entity derived more than 25% of their annual gross revenue from selling personal data
Exemptions: CTDPA does not apply to:
- State and local government entities
- Higher education
- Financial institutions subject to the GLBA
- Covered entities, business associates,and protected health information under HIPAA
- Information regulated by FCRA
- Personal data regulated by the FERPA
Consumer Rights: Consumers are defined as Connecticut residents who are not acting in a commercial or employment context (employees).
- Rights may be exercised directly or through an authorized agent
- Information must be provided to the consumer free of charge, once per 12-month period
Consumers have the following rights:
- Know if a controller is processing their personal data
- Access to their personal data
- Opt-out of the processing of personal data for Sale, targeted advertising, or profiling.
- Consumers may opt out through an opt-out preference signal such as Global Privacy Control.
- This is optional until January 1, 2025, when it becomes mandatory
- To appeal when their consumer requests are denied.
Sale of Data: Sale is defined as “the exchange of personal data for monetary or other valuable consideration.”
Assessments: Impact assessments are required when a controller’s processing activities present a heightened risk of harm to a consumer including:
- Targeted advertising
- Sale of personal data
- Sensitive data
Consent: Consent is required for the following:
- Processing of sensitive data
- For those under 16 years of age
- The sale of data
- Targeted advertising
- Secondary use of data
Dark Patterns: CTDPA prohibits dark patterns. Dark patterns are manipulative decision-making or choice techniques that falsely influence consumer choices.
Controller Obligations: Controllers are required to:
- Practice data minimization
- Only process personal data for necessary purposes or for the purposes to which the consumer consented
- Have reasonable administrative, technical, and physical data security practices
- Provide a mechanism for consumers to revoke consent that is at least as easy as for providing consent
- Provide reasonably accessible, clear and meaningful privacy notice
Privacy Notices: Controllers must provide consumers with a privacy notice with the following information:
- Categories of personal data processed
- Purposes for which the categories are processed
- Categories of personal data shared with third parties
- Categories of third parties the controller shares personal data with
- An active email address or online mechanism for the consumer to contact the controller
- How to exercise rights
Enforcement: The Attorney General has exclusive authority to enforce violations
- No private right of action
- Cure period – 60 days
- This will be optional beginning July 1, 2023, and until December 31, 2024
- Will be mandatory January 1, 2025
Exploratory Task Force: CTDPA requires the Connecticut General Assembly’s General Law Committee, to establish a task force to provide additional recommendations on important privacy related issues. A report of its findings and recommendations must be presented by January 1, 2023. Recommendations will consider the following topics:
- Algorithmic decision-making
- Children’s privacy
What should you do to get ready for this new law?
While Connecticut may be the next state to enact a data privacy law, it won’t be the last. Complying with this law will in many ways be consistent with what you are doing in California, Virginia, Utah, and Colorado.
If you’ve mapped to those requirements you’re pointed in the right direction to comply with CTDPA. There is however still work to be done including: updating your policies, vendor agreements and subject request mechanisms.
WireWheel offers a complete solution to help manage the requirements of CTDPA, including a solution to fulfill employee DSARs, including an integration with Microsoft Priva and connectors to over 500 plus systems including HR systems such as Workday and Oracle. Contact us to learn more.