And then there were five. Last week, Connecticut Governor Ned Lamont (D) enacted Connecticut’s new privacy law, the Connecticut Data Privacy Act (CTDPA). Effective July 1, 2023, the CTDPA is very similar to existing privacy laws in Virginia (VCDPA) and Colorado (CPA), with a few significant differences that make it unique.

Potentially one of the most significant differences between the CTDPA and other states’ privacy laws is its triggering threshold. Notably, the CTDPA has no specific annual revenue requirement. It applies to persons that conduct business in Connecticut or produce products or services that are targeted to residents of the state, and that control or process the personal data of a particular number of residents, namely either:

  1. 100,000 or more Connecticut residents, excluding residents whose personal data is controlled or processed solely for the purpose of completing a payment transaction; or
  2. 25,000 or more Connecticut residents, where the business derives more than 25% of its gross revenue from the sale of personal data.

The CTDPA is also the first state law to explicitly carve out payment transaction data from its applicability threshold; this provision was added to alleviate the concerns of restaurants, small convenience stores, and similar businesses that process the personal information of many customers for the sole purpose of completing a transaction.

Consistent with other state privacy bills, the CTDPA is a rights-based bill. It offers Connecticut consumers the rights to access, delete, correct, and confirm information collected about them by covered entities. The law also grants consumers data portability and includes a non-discrimination clause. As under Virginia’s and Colorado’s laws, consumers have the right to “opt out of the processing of the personal data for the purposes of targeted advertising, the sale of personal data, or automated decision making.” Unlike Virginia and Utah, where a sale occurs when personal data is exchanged for monetary consideration only, the law adopts the broader CCPA- and Colorado-like definition that considers an exchange for “other valuable consideration” to also constitute a sale. The statute also excludes any deidentified data or publicly available information from consumer opt-out requests.

Like the CA and CO laws, the CTDPA permits its state’s consumers to designate an authorized agent (i.e., use of a global privacy control) to act on their behalf and opt out of data processing. Data controllers must accept universal opt-out signals by 2025. Unlike CO’s law, however, the CT statute does not require controllers to authenticate opt-out requests, which in theory will make it easier for consumers to opt out. It also requires data controllers to practice data minimization and purpose limitation, implement technical safeguards, and conduct data protection assessments, making them available to the Attorney General upon request.

Like all other state privacy laws before it, the CTDPA limits enforcement to the state’s attorney general instead of providing a private right of action. The CTDPA includes a 60-day cure period, which sunsets in 2025. Violations of the CTDPA will constitute an unfair trade practice, which carries civil penalties of up to $5,000 per violation.

Finally, the CTDPA, similar to the VCDPA, requires a task force appointed by the general assembly to study various topics concerning data privacy. The task force must submit a report of its findings and recommendations to amend the law to the joint standing committee by January 1, 2023.

Our updated state privacy law chart shows more details on how Connecticut’s law compares to other states.