Connecticut is the fifth U.S. state to adopt a comprehensive privacy law, following California, Virginia, Colorado, and Utah. Connecticut’s S.B. 6, An Act Concerning Personal Data Privacy and Online Monitoring (the “CTDPA”), goes into effect on January 1, 2023 and is enforceable as of July 1, 2023.
1 – Framework and Scope
The CTDPA provides consumer rights similar to those in existing state privacy laws, including the right to confirm processing and to access, correct, delete, or port personal data. It also imposes requirements on controllers and processors of personal data similar to those imposed by Virginia’s and Colorado’s laws.
The CTDPA applies to for-profit entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that, during the last calendar year, either:
- Controlled or processed the personal data of 100,000+ consumers, excluding personal data used solely to complete a payment transaction; or
- Controlled or processed the personal data of 25,000+ consumers and derived more than 25% of their gross revenue from the sale of personal data.
The law does not cover B2B data or employee data, and it exempts government entities, nonprofits, higher education institutions, and certain entities or data subject to certain federal privacy laws.
The following CTDPA provisions are particularly noteworthy for many businesses.
- Opt-Out. Consumers have the right to opt out of the sale of their personal data (the law defines “sale” broadly, similar to California) and of the use of their personal data for targeted advertising or profiling in furtherance of solely automated decisions that produce legal or similarly “significant effects concerning the consumer.” This aligns with the other state privacy laws (except for Utah, which does not include the profiling opt-out).
- Global Privacy Control. By January 1, 2025, controllers must allow consumers to exercise their opt-out right through an opt-out preference signal (e.g., a global device setting or browser extension). Unlike Colorado, Connecticut does not require controllers to authenticate opt-out requests.
- Obtaining and Revoking Consent. Controllers must obtain consent (1) to process sensitive data, (2) to process personal data in a way that is not reasonably necessary or compatible with the disclosed purpose for processing, or (3) to sell personal data of consumers aged 13-16 or use this data for targeted advertising (subject to certain conditions). Consumers must be able to revoke this type of consent as easily as they provided it. In addition, after consent is revoked for such processing, controllers must stop this processing within 15 days.
- Data Protection Assessments. Connecticut also joins California, Virginia, and Colorado in requiring controllers to conduct assessments prior to engaging in data processing activities that present a “heightened risk of harm to a consumer.”
The CTDPA has no private right of action and will be exclusively enforced by the state attorney general. Enforcement actions are subject to a 60-day cure period until December 31, 2024, after which the attorney general may grant the opportunity to cure violations on a discretionary basis.
A CTDPA violation is considered an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA), which carries civil penalties of up to $5,000 per willful violation and potentially equitable remedies, including restitution, disgorgement, and injunctive relief.
Finally, the CTDPA does not provide rulemaking authority, but like Virginia, it requires the legislature to convene a task force to study various data privacy topics and submit a report of its findings and recommendations to amend the CTDPA by January 1, 2023.