The Connecticut Data Privacy Act (CTDPA) is a law that regulates the collection and use of personal information by private companies doing business in the state. The law applies to any company that collects information from residents of Connecticut, regardless of where the company is based. The CTDPA requires companies to disclose what personal information they collect from customers and how they use it, and gives individuals the right to access their own data.
The CTDPA also includes provisions for breach notification, which requires companies to notify affected individuals within 45 days of becoming aware of a breach. If a breach involves sensitive personal information, such as social security numbers or driver's license numbers, then companies must notify affected individuals within 72 hours.
In addition to these core requirements, there are other provisions that apply only to certain types of businesses, like:
- Credit reporting agencies must maintain reasonable security procedures and practices;
- Financial institutions must conduct due diligence on third parties with whom they share or disclose customer data; or
- Insurance companies must maintain reasonable security procedures and practices.