Connecticut Enacts Consumer Privacy Act | Practical Law

Connecticut has enacted the Connecticut Data Privacy Act, a comprehensive data protection law that imposes new requirements on businesses and provides Connecticut residents with various rights regarding their personal data. The law takes effect July 1, 2023 and provides the Connecticut Attorney General with exclusive enforcement authority.

Practical Law Legal Update w-035-5227 (Approx. 8 pages)

by Practical Law Data Privacy & Cybersecurity
Published on 11 May 2022 (Connecticut)
On May 10, 2022, Connecticut Governor Ned Lamont signed the Connecticut Data Privacy Act (CTDPA) (S.B. 6) into law. The law takes effect July 1, 2023 and provides residents acting as consumers in individual or household contexts more control over their personal data. The law does not apply to individuals acting in employment or commercial contexts.
The CTDPA's broad personal data definition includes any information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information. The CTDPA defines a sale of personal data as the exchange of personal data for monetary or other valuable consideration by the controller to a third party.
The CTDPA grants consumers rights to:
  • Confirm whether a controller is processing their personal data, unless the confirmation would require the controller to reveal a trade secret.
  • Access their personal data, unless the access would require the controller to reveal a trade secret.
  • Request deletion of the personal data that was provided by or obtained about the consumer.
  • Obtain a copy of the personal data that they previously provided to the controller in a format that is:
    • portable and readily usable, to the extent technically possible; and
    • transmittable to another controller if the processing is carried out automatically as long as the controller does not need to reveal a trade secret.
  • Opt out of having their personal data processed for purposes of:
    • targeted advertising;
    • the sale of personal data; or
    • profiling to further solely automated decisions that produce legal or similarly significant effects concerning the consumer.
The CTDPA requires controllers to:
  • Provide consumers with a reasonably accessible, clear, and meaningful privacy notice stating:
    • the categories of personal data the controller processes and their processing purposes;
    • how consumers may exercise their rights;
    • the categories of personal data the controller shares with third parties and the categories of those third parties, if any; and
    • an active email address or other online mechanism that the consumer can use to contact the controller.
  • Limit personal data collection to what is adequate, relevant, and reasonably necessary for the disclosed processing purposes.
  • Limit personal data processing to what is reasonably necessary for or compatible with the disclosed processing purposes unless the controller obtains consumer consent.
  • Process consumers' sensitive data only after providing them with clear notice and an opportunity to opt out or, for data concerning children under 13, after meeting the requirements of the federal Children's Online Privacy Protection Act and its implementing regulations. The CTDPA defines sensitive data as:
    • personal data that reveals an individual's race or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;
    • genetic or biometric data, if the processing is for identification purposes, excluding physical or digital photographs, video or audio recordings, or data generated from them unless the data is generated to identify a specific individual;
    • personal data collected from a known child; or
    • precise geolocation data.
  • Not process personal data in violation of state and federal laws that prohibit unlawful discrimination against consumers.
  • Offer an effective mechanism for a consumer to revoke their consent that is at least as easy as the mechanism the consumer used to give consent. The controller must stop processing the data within 15 days of receiving the revocation request.
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to its volume and nature.
  • Respond to consumers' requests to exercise their rights within 45 days, subject to some exclusions and extension opportunities.
  • Not discriminate against consumers for exercising their CTDPA rights, although controllers may offer consumers a different price, quality, or selection if they opt out of targeted advertising or the offer is related to their voluntary participation in a loyalty, rewards, or similar program.
  • Conduct data protection assessments and provide them to the attorney general on request for processing activities created or generated after July 1, 2023 that present a heightened risk of harm to a consumer, including:
    • processing personal data for targeted advertising purposes;
    • selling personal data;
    • processing personal data for profiling purposes under certain circumstances; and
    • processing sensitive data.
  • By January 1, 2025, provide consumers with the ability to opt out of any processing of their personal data for targeted advertising or personal data sales. The opt-out preference must be sent to the controller, with the consumer's consent, by a platform, technology, or mechanism indicating the consumer's intent to opt out of the processing or sale.
The CTDPA requires entities processing data on behalf of controllers to assist the controllers in meeting their obligations under the law.
The CTDPA applies to individuals and entities that do business in Connecticut or produce products or services that target Connecticut residents and, during the preceding year, controlled or processed data of either:
  • 100,000 or more consumers, excluding personal data controlled or processed solely for completing a payment transaction.
  • 25,000 or more consumers and derived more than 25% of their gross revenue from selling personal data.
The CTDPA does not apply to:
  • Data collection, processing, sale, or disclosure activity regulated by certain laws, including:
  • Any Connecticut body, authority, board, bureau, commission, district, or agency, or any political subdivision.
  • Federally tax exempt nonprofit organizations.
  • Institutions of higher education.
  • National securities associations registered under 15 U.S.C. §78o-3 of the Securities Exchange Act of 1934.
  • Financial institutions or data subject to Title V of the Gramm-Leach-Bliley Act.
  • Covered entities or business associates as defined in HIPAA regulations.
The CTDPA provides the Connecticut attorney general with exclusive enforcement authority and does not include a private right of action. From July 1, 2023 to December 31, 2024, before initiating any action for a violation, the attorney general must issue a notice of violation to the controller if the attorney general determines a cure is possible. If the controller fails to cure the violation within 60 days of receiving notice, the attorney general may bring an action. Beginning January 1, 2025, the attorney general has discretion as to whether to provide the opportunity to cure an alleged violation, taking into consideration:
  • The number of violations.
  • The controller's or processor's size and complexity.
  • The nature and extent of the processing activities.
  • The substantial likelihood of injury to the public.
  • The safety of individuals or property.
  • Whether the alleged violation was likely caused by human or technical error.
The attorney general may also seek injunctive relief and civil penalties under Connecticut's Deceptive Trade Practices Act.