The CTDPA deals with the personal data of Connecticut residents — outlining how businesses can engage in processing personal data, acceptable physical data security practices, how to deal with biometric data, and data for targeted advertising.
In this article, we will take a closer look at the provisions of the Connecticut Data Privacy Act, the responsibilities of businesses operating in the state, the rights of consumers, and how to stay compliant.
What Is the Connecticut Data Privacy Act (CTDPA)?
The Connecticut Data Privacy Act, also known as C.G.S. section 36a-701b, is data privacy legislation aimed at protecting the personal data of Connecticut residents and regulating how businesses maintain reasonable administrative control over that data.
This act sets strict standards for companies handling sensitive information such as financial and medical records and outlines the responsibilities of both businesses and consumers in safeguarding that information.
Besides protecting the privacy of Connecticut residents, the CTDPA also gives them more rights over personal data processed. For instance, it lets residents opt out of the use of their data for targeted advertising, profiling, and sales.
Under the regulation, companies must provide residents with information on the data they collect, what they plan to use it for, and how long they’ll store it. Businesses are obliged to provide a privacy notice containing all this information and give consumers an option to delete personal data provided.
Throughout the Connecticut Data Privacy Act, you'll notice words like controller, processor, personal data, and consumer used within the regulations. Here’s what each term means legally:
Controller: This is an individual or business that determines the purpose of processing personal data and the means of doing so. A controller can act alone or jointly with other individuals or businesses. Your business falls into this definition if you collect consumers' personal data.
Processor: This is a business or individual that processes data on behalf of a controller. Your business falls here if you typically process data for other merchants or companies.
Personal data: This is any information that can be reasonably linked to an identifiable individual.
Consumer: This is any Connecticut resident who is a private person. The regulation excludes data from people acting in an employment or commercial context.
When Does the CTDPA Come Into Effect?
The CTDPA was passed on May 10, 2022, and will come into effect on July 1, 2023.
The regulation has a cure period that runs from July 1, 2023, to December 21, 2024. During this period, companies that have violated the regulation will receive a notice from the attorney general about their violations. They’ll then be given a 60-day cure period to stop and correct their violations.
Once January 1, 2025, arrives, the attorney general can choose to offer violators a cure period but does not have to.
What Organizations Are Impacted by the CTDPA?
Businesses must meet at least one of the three requirements below to be covered by the CTDPA:
Your business is located in Connecticut, or it sells or markets its services to Connecticut residents.
Your business collects, stores, or processes the personal data of 100,000 or more Connecticut residents. The regulation makes an exception for data used solely in the context of payment transactions.
Your business makes 25% of its gross revenue from selling personal data and processes the personal data of at least 25,000 Connecticut residents.
Organizations That Are Exempt From the CTDPA
The CTDPA exempts a few organizations, including:
Local and state government entities
Some national security associations
Institutions of higher education
Health Insurance Portability and Accountability Act (HIPAA) “covered entities” and “business associates”
Financial institutions that are covered by the Gramm-Leach-Bliley Act (GLBA)
What Data Is Protected by the CTDPA?
The CTDPA clarifies that personal data is any information that can reasonably be used to identify an individual, such as a consumer's sensitive data or data revealing racial background. This definition excludes publicly available data and de-identified data.
The regulation is aimed at protecting sensitive data. As a controller, you’ll be required to receive the consumer’s consent to process their sensitive data. It defines sensitive data as any information that reveals specific traits of users, including:
Racial or ethnic origin
Precise geolocation data
Physical or mental health condition
Immigration status or citizenship
Genetic or biometric data used as a unique identifier for an individual
The CTDPA also provides a few exceptions to the data it covers. The following data types aren’t covered by the CTDPA:
Publicly available data
Protected health data
Employee data, including any data provided during a job application
Personal data that’s been collected for research or clinical trials
Responsibilities of Businesses Under the CTDPA
The CTDPA has two main objectives:
Protecting the privacy of consumer data
Offering consumers some control over how businesses use their data
To ensure that it achieves these objectives, the regulation requires businesses operating in the state to:
Implement and Maintain Data Protection Security Measures
The CTDPA requires controllers and processors to implement measures that protect the consumer personal data shared with them. While the regulation doesn’t spell out how businesses should protect the data, it directs them to use reasonable security measures in processing sensitive data, including data collected in a commercial or employment context.
What counts as a reasonable security measure may differ from one business to the next. The right measures will depend on the nature of the personal data collected, the size of your business, and the systems used to store the data.
Maintain Data Privacy/Security Contracts With Processors
The CTDPA requires all controllers to enter into data protection contracts with their processors. These contracts should contain specific information, including:
Data processing instructions
A specification of the data to be processed
A specification of the purpose and type of data processing
A specification on the length of time the processing will last
Obtain Data Collection/Processing Consent From Consumers
Businesses covered by the CTDPA need to obtain consent from consumers before they can process sensitive data or the data of minors. In the case of children’s data, businesses must gain consent from the child’s verified parent or legal guardian.
Consent needs to be given freely and should be specific, informed, and unambiguous. Businesses need to indicate things like categories of personal data, measures taken to prevent the sale of personal data, how targeted advertising is dealt with, and other personal data privacy procedures.
If businesses want to use the data for purposes other than what the individual consented to, they need to communicate this and produce legal documents showing the same. Companies that want to use the data for a longer period than specified will need to do the same.
Businesses must also provide consumers with an easy-to-use and accessible method to opt out of processing personal data. For instance, you must provide a clear and conspicuous link on your website for consumers to opt out of data processing, similar to a DSAR form.
If a consumer revokes their consent, you’re required to cease processing their personal data as soon as possible. However, the time between when the consumer revokes the consent and when you stop processing their data shouldn’t exceed 15 days.
Provide Consumers With a Privacy Notice
Businesses must provide consumers with a clear and meaningful privacy notice on their website. The notice needs to include details like:
The types of data processed
Information about any third parties that data is shared with
Justifications for storing and processing sensitive data
How consumers can exercise their data privacy rights under the CTDPA
Consumers’ rights to appeal the rejection of a request
How consumers can contact you or the controller
Avoid Discriminating Against Consumers
Discrimination against consumers who exercise their rights under the CTDPA is not permitted. The regulation also prohibits you from violating other federal laws that protect consumers from discrimination.
However, the CTDPA does note that if a consumer’s decision to opt out of data processing conflicts with their voluntary participation in a rewards/loyalty program or their privacy settings, you’re allowed to inform the consumer of the conflict. They’ll then need to reconfirm their participation in the program or their privacy settings.
Accommodate Consumers’ Request Rights
Businesses are required to accommodate consumer requests concerning their data. Consumers can make a number of requests, including to:
Find out if you’re processing their data
Access their data in a portable format
Correct inaccuracies in the data you collect
Have their data deleted
Opt out of the use of their data for targeted advertising or sales
Businesses are required to authenticate every request a consumer makes. If authentication fails, businesses are allowed to deny the request.
Once a request is received, businesses have a 45-day window to either take action or request an extension.
Businesses are allowed to either grant or deny a consumer’s request, with a denial being followed by an explanation. Denied requests must also be followed by details on the user’s right to appeal the decision.
Businesses must respond to an appeal with a written notice within 60 days. If an appeal is denied, the business should provide the appealing consumer with details on how to contact the attorney general if they wish to contest the decision.
Denial of a request due to failed authentication must be communicated to the consumer via a notice, along with details on how the consumer can complete authentication.
Businesses are allowed to take a 45-day extension if it’s "reasonably necessary" before responding to a consumer’s request. For instance, it might be "reasonably necessary" to take an extension if the request is complex or bulky. The requesting consumer should be notified about the extension within the initial 45-day period. This notice should be accompanied by an explanation for the extension.
Conduct Data Protection Assessments
Under the CTDPA, businesses are required to conduct a data protection assessment (DPA) of their data processing activities, especially for processing of data whose breach could harm the consumer. The assessment must also weigh the risks and benefits of processing the data for stakeholders such as the consumer, the controller, and the general public.
In cases where the Connecticut attorney general launches an investigation into CTDPA violations, they'll examine the use of DPAs and assess whether the business was compliant.
Creating and maintaining DPAs will be necessary after the regulation comes into effect on July 1, 2023.
Can Businesses Charge Fees Under the CTDPA?
For the most part, businesses are not allowed to charge fees when responding to a request, such as information about the sale of personal data.
However, the regulation does allow a few exemptions — and even then, the fees must be reasonable and only compensate the business for the administrative cost of responding to the consumer’s requests.
Businesses can only charge fees if one of the following requirements is met:
The consumer has already made at least one request in the past year.
The consumer’s requests can be deemed excessive, unfounded, or repetitive.
What Rights Do Consumers Have Under the CTDPA?
The CTDPA provides consumers with rights that grant them some level of control over how their personal data is collected, stored, used, or sold. Consumers have five rights under this regulation:
Right to Access
Consumers have a right to know whether a controller is processing their personal data. They’re also accorded the right to access such data. However, companies can deny consumers access to the data if they deem that it’s a trade secret.
Right to Correction
Consumers are allowed to correct any inaccuracies in the personal data you’ve collected. These corrections should take into account the data processing purpose and the nature of the data.
Right to Deletion
Consumers can request the deletion of their personal data. Once the consumer places the deletion request, you’re required to delete any data that the consumer provided to you directly. You’ll also be required to delete any data that you obtained through automatic means, such as through cookie trackers.
Right to Data Portability
Consumers have a right to access a copy of their personal data. The data should be provided in a portable manner that’s readily usable, allowing them to submit the data to any other controller with little friction. However, if you’ve used automated means to process the data, you’re not required to expose any of your trade secrets.
Right to Opt Out
Consumers are allowed to opt out of the processing of their personal data for a number of purposes, including:
Personal data sale
Targeted advertising
Profiling
What Are the Fines for CTDPA Noncompliance?
Courts can fine willful violators up to $5,000 if they are found guilty. Courts can also order violators to pay attorney fees, actual damages, and punitive damages. In some cases, they can also issue a restraining order demanding a cessation of data collection. Any offender that violates this restraining order will accrue a penalty of $25,000.
The onus of enforcement is on the Connecticut attorney general.
Unlike some other privacy regulations, the CTDPA doesn’t allow a private right of action. Violations of the act are treated as unfair trade practices, which means that they fall under the Connecticut Unfair Trade Practices Act (CUTPA). The CTDPA does not outline its own penalties for violations; it follows those set out under the CUTPA.
CTDPA vs. CCPA: What’s Different Between the Two?
The CTDPA doesn’t exist in a vacuum. It’s Connecticut’s take on data privacy in a world where various US states are coming up with their own privacy laws. Since most laws have similar requirements, you might not have to worry about compliance as much. However, it is vital that you identify the differences between the regulations to ensure your compliance, especially if you conduct your business in multiple locations.
One regulation to take note of is the California Consumer Privacy Act (CCPA). It looks to uphold the data privacy of Californian citizens. Here’s how the CTDPA compares to the CCPA:
The CCPA was the first data privacy law to be established by any state in the United States. While its bill was passed into law on September 13, 2020, the law was enacted on January 1, 2020.
The CTDPA was passed on March 10, 2022, and will be enacted on July 1, 2023.
Who Should Be Compliant?
Both regulations require compliance from businesses that are located in the state or conduct business with the state's residents.
However, for businesses to be covered by the regulation, they need to meet at least one of these extra requirements:
In California, businesses need to have an annual gross revenue of $25 million. The CTDPA doesn’t provide a revenue threshold.
Under the CTDPA, your business will need to comply if you collect, store, or sell the data of at least 100,000 Connecticut individuals annually. California’s regulation has a lower threshold as it requires businesses that handle the data of at least 50,000 Californians to comply.
Under the CTDPA, companies that derive over 25% of their annual revenue from selling personal data and processing the data of at least 25,000 consumers need to comply. On the flip side, California’s regulation requires compliance from businesses that derive at least 50% of their revenue from selling personal data.
Fines for Violating the Regulations
Under the CTDPA, violations are considered unfair trade practices, which means that they fall under the Connecticut Unfair Trade Practices Act (CUTPA). Willful violators can be ordered by the courts to pay up to $5,000. The courts could also require them to pay attorney fees, punitive damages, and actual damages.
Courts could also get businesses to cease collecting data through a restraining order. Businesses that violate the restraining order could have to pay a penalty of up to $25,000.
Under the CCPA, violators can be subject to the following fines:
A $100 to $750 fine per consumer per incident, plus actual damages if they are greater than the fine
Declaratory or injunctive relief
Any other relief that the court perceives as fair
Private Right of Action
Under the CTDPA, only the Connecticut attorney general is allowed to bring a lawsuit against violators. The CCPA allows consumers to file lawsuits against alleged violators to enforce the law.
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.