Understanding Connecticut’s Data Privacy Act (CTDPA)
On May 10, 2022, Connecticut enacted SB 6, titled An Act Regarding Personal Data Privacy and Internet Surveillance, commonly referred to as the Connecticut Data Privacy Act (CTDPA). The CTDPA officially went into effect on July 1, 2023, marking a significant step forward in safeguarding consumer privacy.
Navigating this legislation and other state privacy laws can be overwhelming for businesses. This guide provides an updated overview of CTDPA’s applicability, requirements, enforcement, and the steps businesses can take to ensure compliance.
Applicability
The CTDPA applies to entities conducting business in Connecticut or offering products and services to Connecticut residents if they meet at least one of the following criteria:
- Controlled or processed the personal data of at least 100,000 consumers during the preceding calendar year (excluding data processed solely for payment transactions).
- Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of gross revenue from the sale of personal data.
The act also applies to service providers, known as “processors,” who handle personal data on behalf of covered businesses, as well as “controllers” who collect and process personal data. Controllers are responsible for addressing consumer inquiries and ensuring compliance with the law.
Exemptions and Coverage
Excluded entities include state and local governments, nonprofits, higher education institutions, certain national securities associations, financial institutions, and entities covered by the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act.
CTDPA governs the personal data of Connecticut residents acting individually but does not apply to data collected in commercial or employment contexts. De-identified data, publicly available information, and certain categories of personal data are exempt.
Special Provisions for Minors: The law also includes specific protections for children under 18, requiring controllers to adhere to the Children’s Online Privacy Protection Act. Starting July 1, 2024, social media platforms must provide minors or their guardians with mechanisms to delete or “unpublish” their accounts.
Consumer Health Data: As of October 1, 2023, businesses must obtain consumer consent before processing sensitive health-related data, including reproductive or gender-affirming health data. Additionally, geofencing near sensitive health facilities is restricted to protect consumer privacy.
Consumer Rights
Under CTDPA, Connecticut residents have the following rights:
- Access personal data collected about them.
- Correct inaccuracies in their personal data.
- Delete personal data, including data obtained from third parties.
- Obtain a portable copy of their personal data.
- Opt out of targeted advertising, the sale of personal data, or profiling that leads to automated decisions with significant consequences.
Businesses must implement measures to honor these rights, including robust data security protocols, data minimization, and purpose limitations.
Compliance Requirements
To comply with CTDPA, businesses should:
- Assess whether the law applies to their operations.
- Implement appropriate data security measures.
- Limit data collection to what is strictly necessary.
- Obtain consent before processing sensitive and consumer health data.
- Address consumer requests promptly and securely.
- Establish data processing agreements with third-party vendors.
- Conduct regular data protection assessments for high-risk activities.
- Develop clear mechanisms for consumers to revoke consent.
- Provide accessible and comprehensive privacy notices.
- Avoid discrimination against consumers exercising their rights.
Starting January 1, 2025, businesses must also recognize universal opt-out mechanisms that allow consumers to signal their preferences for opting out of data processing.
Enforcement and Penalties
The Connecticut Attorney General enforces CTDPA. Violations can result in penalties of up to $5,000 per willful violation, restitution, disgorgement, and injunctive relief under the Connecticut Unfair Trade Practices Act.
The “right to cure” provision, which allows businesses 60 days to remedy violations after notice, remains in effect until December 31, 2024. After this date, enforcement actions may proceed without offering businesses a cure period.
Ready to Ensure Compliance with CTDPA?
Navigating Connecticut’s Data Privacy Act can be complex, but you don’t have to do it alone. Our experienced team is here to help your business achieve compliance and protect your customers’ data.
Contact us today for a personalized consultation and take the first step toward safeguarding your business and building trust with your customers.