Connecticut’s new consumer data privacy law is the latest state law regulating consumer privacy online. Like the laws in four other states — California, Colorado, Virginia, and most recently, Utah — the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA) is designed to protect consumer privacy and grant them greater access to their online data.
Although it was enacted on May 10, 2022, the new Connecticut data privacy law will go into effect on July 1, 2023. This delay gives businesses time to develop processes and procedures that comply with the new law.
What should your business do in the meantime? How do you determine if the CTDPA applies to your company? And if so, what should you do?
Keep reading for more insight into Connecticut’s data privacy law, how it differs from similar US data privacy laws, and how it may affect your business.
- What Is the Connecticut Personal Data Privacy and Online Monitoring Act?
- What Does the CTDPA Cover?
- What Does the CTDPA Require?
- Comparison To Other State Laws
- What Is the CTDPA's Impact on Consumers?
- What Is the CTDPA's Impact on Businesses?
- Who Must Comply With the CTDPA?
- How Can Businesses Comply With the CTDPA?
- How Will the CTDPA Be Enforced?
- Fines and Penalties Under the CTDPA
What Is the Connecticut Personal Data Privacy and Online Monitoring Act?
In the absence of federal legislation, Connecticut’s legislators designed the state’s data privacy law to protect the privacy of Connecticut consumers’ online data and to give those consumers greater control over who uses their data.
Under the CTDPA, Connecticut consumers now have the right to:
- Request information about whether their data is being processed
- Opt out of their data being processed for certain processing activities such as targeted advertising
- Obtain portable copies of their data
- Request corrections to their data
Although Connecticut’s consumer data privacy law is not quite as business-friendly as Utah’s, it does not apply to all types of entities and data, preventing the CTDPA from becoming too demanding on businesses.
What Does the CTDPA Cover?
The CTDPA applies to personal data from a consumer, regulating entities that are controllers or processors of personal data.
Under Connecticut’s consumer data privacy law:
- A processor is “an individual who, or legal entity that, processes personal data on behalf of a controller.”
- A controller is “an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data.”
How Does the CTDPA Define Consumer?
The new Connecticut consumer privacy law does limit who qualifies as a consumer. It broadly defines a consumer as a Connecticut resident but excludes individuals acting in certain contexts, such as in an employment or commercial context.
How Does the CTDPA Define Personal Data?
Under the CTDPA, personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable individual.” However, the law does not cover de-identified data and publicly available information, which it defines broadly.
According to CTDPA, “publicly available information” is not limited to information made available by government entities; it also includes information made public by individuals on widely distributed media outlets such as social media.
Data controllers should still have a reasonable basis to believe that individuals made their information public.
Which Processors and Controllers Does the CTDPA Cover?
Connecticut’s data privacy law may not apply even if your business processes or controls personal data.
To be covered by the CTDPA, you must meet both of the following conditions:
- You conduct business in Connecticut, or your business targets its services or products to residents of Connecticut.
- In the preceding calendar year, your business either:
  - Processed or controlled the personal data of 100,000 or more consumers, or
  - Processed or controlled the personal data of 25,000 or more consumers, if your business earned more than 25% of its total revenue through the sale of personal data.
  - This threshold does not count “personal data controlled or processed solely for the purpose of completing a payment transaction.”
But some entities that meet both conditions are still exempt from the Connecticut data privacy law, such as:
- Institutions of higher education
- Government contractors that process data for the government
- Entities subject to the Gramm-Leach-Bliley Act of 1999 (GLBA) or to the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
What Does the CTDPA Require?
The CTDPA has two main aims — protecting the privacy of a consumer’s data and giving consumers the ability to limit the use of their data.
It achieves these aims through several major provisions:
- It requires controllers to maintain security measures for consumer data.
- It gives consumers the right to request information from controllers and processors about who has their data and to get copies of it.
- It prevents controllers from collecting and using sensitive data, such as data related to racial or ethnic origin, unless individuals give consent.
- It gives consumers opt-out rights to prevent their personal data from being processed in certain circumstances.
Under Connecticut’s consumer privacy law, controllers must implement and maintain security measures to protect consumers’ personal data privacy.
The CTDPA only requires that your security measures be reasonable.
However, different security measures may be “reasonable” in various circumstances, depending on whether you have a small or large business, the nature of the personal data, and the volume of personal data.
The CTDPA requires that a written contract between a controller and processor must exist with certain provisions, including the following:
- Instructions for data processing
- The type of data to be processed
- Specific information about what kind of processing will occur and for what purpose
- The length of time the processing will last
In addition to requiring controllers and processors to protect consumer privacy, the Connecticut privacy law gives consumers several ways to engage with a controller or processor to control and access their data, including the right to make certain requests of a controller or processor.
The controller determines how a consumer can make a request, and the requests may be for the following:
- Consumers may find out whether their data is being processed.
- Consumers may get access to their data and a portable copy if possible.
- Consumers have the right to ask for correction of any inaccuracies related to their data.
- Consumers may request the deletion of their data.
- Consumers have an opt-out right to prevent targeted advertising or the sale or processing of their data in certain circumstances.
After receiving the request, the controller should attempt to authenticate the request using reasonable efforts. If the controller cannot authenticate the request, then the controller does not have to grant the request.
However, the law carves out an exception: Controllers do not have to authenticate opt-out requests.
After receiving a request and attempting to authenticate it, the controller has to do one of the following without “undue delay” and no later than 45 days after the request:
- Take action: You can grant or deny the request, and you must give the consumer notice of your action along with an explanation. If you deny the request, you must give information about the consumer’s appeal rights. If you deny a request other than an opt-out request because you cannot authenticate it, then you must give the consumer notice that you could not authenticate the request. Furthermore, you need to inform them that you will not grant their request until you receive additional information reasonably necessary to authenticate the request.
- Take an extension: You can take one 45-day extension to respond if an extension is reasonably necessary. Whether an extension is “reasonably necessary” depends on how many requests the consumer has made and how complex they are. You must notify the consumer within this 45-day period if you take an extension and explain why you need the extension.
The CTDPA requires that you respond to consumer requests free of charge.
Fees for responding to a consumer request are allowed only in particular situations, and even then the fee may cover no more than the reasonable administrative costs of responding to the request.
To charge a fee, you must be able to demonstrate the following:
- The consumer already made at least one other request in the preceding 12 months.
- The consumer’s requests are “manifestly unfounded, excessive, or repetitive.”
Finally, the consumer has the right to appeal a denial of their request, and the controller must respond in writing to the appeal within 60 days. If the controller denies the appeal, the controller must provide the consumer with an online mechanism or other means to contact the attorney general.
Notice To Consumers and Right To Opt Out
The CTDPA requires covered entities to give consumers the right to opt out of the processing of their data for some purposes. It also requires businesses to provide a notice with information about the data processing.
The CTDPA requires covered businesses to give consumers the right to opt out of the processing of their personal data for:
- Targeted advertising
- Selling the consumer’s personal data
- Profiling in certain circumstances
Note that as soon as the law takes effect, the right to opt out must be a “clear and conspicuous” link on the business’s website.
On January 1, 2025, opt-out rights will get even broader.
A controller must recognize a consumer’s universal “opt-out preference signal.” The CTDPA also requires that a covered entity provide the consumer with a means to revoke consent after giving it. Once a consumer revokes consent, the business must stop processing the data within 15 days of receiving the revocation.
Privacy Notice to Consumers
In addition, an entity subject to the Connecticut data privacy law must provide a notice with information about the following:
- The categories of personal data processed
- The purpose of processing personal data
- How consumers can exercise their rights, including their right to appeal
- The type of personal data shared with third parties along with information about the third parties
- A way the consumer can contact the controller online
The CTDPA incorporates the Children’s Online Privacy Protection Act (COPPA). If a consumer is known to be a child as defined by the COPPA — under the age of 13 — their parent or legal guardian must give verifiable consent before a business can process the child’s information.
Connecticut’s data privacy law also extends this requirement to children under 16.
Comparison To Other State Laws
Connecticut is the fifth state to enact consumer data privacy legislation. Various other US states — California, Colorado, Utah, and Virginia — each have consumer data privacy acts that vary slightly.
Fortunately, the Connecticut consumer privacy law has a lot in common with other state laws, so if another state’s consumer privacy law already applies to your business, you may already be largely in compliance with Connecticut’s law.
However, each state’s law differs slightly from the others, so businesses face a growing web of differing state regulations, an issue that business representatives raised before the Connecticut legislature.
Check out the comparison table below to see how these laws differ from each other:
| | Connecticut Personal Data Privacy and Online Monitoring Act | California Consumer Privacy Act | Colorado Privacy Act | Utah Consumer Privacy Act | Virginia Consumer Data Protection Act |
|---|---|---|---|---|---|
| Business revenue thresholds | No specific revenue dollar amount | May be a covered business by having a minimum of $25 million in revenue, with no need to meet additional criteria | No specific revenue dollar amount | Businesses must have at least $25 million in revenue and meet additional criteria | No specific revenue dollar amount |
| Exclusions for aggregated and de-identified data | Only de-identified data | Both | Only de-identified data | Both | Only de-identified data |
| What constitutes the “sale” of data | The exchange of something of value, which need not be money | The exchange of something of value, which need not be money | The exchange of something of value, which need not be money | Monetary exchange (such as payment of money or writing a check) is a must; other consideration does not count as a sale | Monetary exchange (such as payment of money or writing a check) is a must; other consideration does not count as a sale |
| Opt-in vs. opt-out rights for sensitive data | Controllers must obtain consent before they process sensitive data, such as data about racial or ethnic origin or data related to immigration status | Does not include different rules for sensitive information | Controllers must obtain consent before they process sensitive data | Consumers may opt out of having their sensitive data processed, but controllers don’t have to get their consent before processing data | Controllers must get a consumer’s consent before processing sensitive data |
| Consumer access to trade secrets when making requests | Consumers may not access trade secrets | Consumers may not access trade secrets | Consumers may not access trade secrets | Consumers may not access trade secrets | Consumers may access trade secrets |
| Consumers’ appeal rights | Consumers may appeal a processor’s denial of a consumer request | Consumers may appeal a processor’s denial of a consumer request | Consumers may appeal a processor’s denial of a consumer request | No appeal rights | Consumers may appeal a processor’s denial of a consumer request |
| Opt-out rights from profiling | Some profiling | Yes | Some profiling | No | Yes |
| Consumers can request corrections to their data | Yes | Yes | Yes | No | Yes |
| Private right of action | No, only the state attorney general can file a court action to enforce the law | Yes, consumers can file their own actions in court to enforce the law | No, only the state attorney general can file a court action to enforce the law | No, only the state attorney general can file a court action to enforce the law | No, only the state attorney general can file a court action to enforce the law |
| Consumers can request the deletion of personal data | Yes | Yes | Yes | Yes | No |
What Is the CTDPA’s Impact on Consumers?
A survey conducted by KPMG in 2021 reported that 86% of Americans consider data privacy a growing concern. Similarly, a Pew survey on the subject found that more than 80% of Americans feel uncomfortable with their lack of control over their data.
The CTDPA addresses these concerns in several ways:
- Covered entities will have to establish greater security measures to protect the privacy of consumer data
- Connecticut consumers will be able to make requests to learn a lot more about how companies use their personal data
- Connecticut consumers will be able to request that their data be deleted in some instances
- Connecticut consumers will have opt-out rights to prevent their data from being processed for some purposes
What Is the CTDPA’s Impact on Businesses?
The CTDPA may require significant financial outlays from covered businesses. As a relevant example, before California’s consumer data privacy act was passed, an economic report estimated that companies impacted by the law would spend $55 billion in initial compliance costs.
However, many businesses may already be largely in compliance, depending on whether they do business in one of the other four states with similar consumer data privacy laws.
Note that these laws vary slightly, so if your business has already made changes to comply with one of those states’ laws, you need to look for additional requirements under the CTDPA.
Because the law doesn’t take effect until July 2023 and won’t be enforced until 2025, you have time to prepare for the significant impact of this law.
On the other hand, covered businesses may reap some benefits from the CTDPA. For example, as more business models involve collecting consumer data, increasing consumer confidence by complying with data privacy laws can be a net benefit.
Who Must Comply With the CTDPA?
Entities that qualify as controllers or processors must comply with the CTDPA. You must comply with the CTDPA if you meet these two conditions:
- You conduct business in Connecticut or target services or products to Connecticut residents.
- In the preceding calendar year, your business processed or controlled 100,000 or more consumers’ personal data — or 25,000 or more if your business got greater than 25% of total revenue through the sale of personal data. This does not, however, include “personal data controlled or processed solely for the purpose of completing a payment transaction.”
Are There Any Exemptions?
Yes, there are exemptions in the Connecticut data privacy law. The following entities do not qualify as controllers or processors:
- Entities that process data as government contractors
- Higher education institutions
How Can Businesses Comply With the CTDPA?
Here are a few key things that you should do to prepare for the CTDPA:
- Establish security measures to protect consumer privacy or review existing measures to ensure they meet the CTDPA requirements.
- Enter into contracts with your processor or controller that satisfy the CTDPA or amend existing contracts.
- Draft privacy notices and develop opt-out mechanisms.
- Create policies and procedures for responding to consumer requests.
How Will the CTDPA Be Enforced?
Only the Connecticut attorney general can file an enforcement action for violations of the CTDPA. The law does not provide a private right of action, so consumers may not file their own lawsuits.
The CTDPA provides that before January 1, 2025, the attorney general must give businesses a 60-day grace period to cure any violations before bringing an enforcement action. However, beginning on January 1, 2025, the attorney general has the option to give a business a 60-day grace period to cure violations, but the law no longer requires them to do so.
In determining whether to give a business a grace period, the CTDPA directs the attorney general to consider several factors, including the number of violations, the size and complexity of the company, and the cause of the violation, among others.
Fines and Penalties Under the CTDPA
A violation of the Connecticut data privacy law is an unfair trade practice under the Connecticut Unfair Trade Practices Act.
The possible penalties the attorney general could seek to levy include:
- Up to $5,000 per willful violation
- Equitable remedies, including restitution, disgorgement, and injunctive relief
For a business to be penalized under the CTDPA, the attorney general must win an enforcement action in court.
The Connecticut privacy law is the most recent addition to the consumer privacy laws enacted in the US. As more states pass legislation to protect consumers, businesses that control or process consumer data must evaluate their privacy practices.
Although the state laws are similar, they are not identical. Without comprehensive federal legislation, many businesses will need to comply with a growing number of varying state consumer privacy laws.