On May 10, 2022, Connecticut became the fifth state to enact a comprehensive data privacy law. Connecticut’s new privacy law will go into effect on July 1, 2023. The law, which is similar to the privacy laws passed by California, Colorado, Virginia, and Utah lawmakers, gives Connecticut consumers choices regarding the personal data collected about them by companies that do business in the state. And the law imposes other obligations, briefly highlighted below, on businesses that handle Connecticut consumer data.
The Connecticut Data Privacy Act (CTDPA) applies to individuals and businesses that conduct business in Connecticut, or that produce products or services that are targeted to Connecticut residents that, in the preceding calendar year, controlled or processed the personal data of at least (1) 100,000 Connecticut consumers (excluding data processed solely for processing payment transactions); or (2) 25,000 Connecticut consumers and derives over 25% of their gross revenue from the sale of personal data.
Personal data, as defined by the CTDPA, includes information that is linked or reasonably linkable to an identified or identifiable individual. De-identified data or publicly available information is not personal data under the law.
Like, other recently passed state privacy laws, the CTDPA imposes obligations upon “controllers” and “processors” of consumer data (although, as highlighted below, substantial notice and rights-response obligations fall on data controllers). “Controllers” determine the “purpose and means” of processing personal data; “processors” handle data “on behalf of” a controller.
Controllers are required to: (1) limit the collection of data to what is “adequate, relevant and reasonably necessary in relation to the purpose” for which data is processed (as disclosed to customers); (2) establish, implement, and maintain reasonable data security controls, among other requirements: and (3) provide for consent and consent-revocation when processing “sensitive personal data” (including information about race or ethnicity, religion, health conditions, sex life or orientation, citizenship or immigration status, genetic or biometric data, children’s data, and precise geolocation data). The law additionally restricts the ability to target advertising for children between the ages of 13 – 16.
Processors must adhere to the controller’s instructions and assist the controller in meeting the controller’s obligations under the Act. Processors must also provide necessary information to enable the controller to conduct and document data protection assessments, cooperate with data subject rights requests, and assist data controller’s in meeting information security obligations.
Controllers and processors are required to enter into a contract that determines the processor’s data processing procedures for any processing performed on the controller’s behalf. The contract must include certain required content addressing confidentiality, data deletion and return, provision of information to demonstrate compliance, subcontracting, and assessments.
Privacy Notice Requirements
The CTDPA requires the controller to post a “reasonably accessible, clear, and meaningful” privacy notice. Privacy notices must include: the categories of personal data processed by the controller, the purposes for which the categories of personal data are processed, how consumers may exercise their rights, the categories of personal data that the controller shares with third parties, if any, the categories of third parties with whom the controller shares personal data, and an email address or other online mechanism that consumers can contact the controller. If the business “sells” the personal data of consumers to third parties or processes it for targeted advertising, the notice must disclose the manner in which the consumer may exercise their right to opt out of such activities. The “sale of personal data” includes the exchange of personal data for monetary or other valuable considerations.
Additionally, the controller must provide a link on their website that enables the consumer to opt out of the targeted advertising (based on cross-site tracking or targeting) or sale of the consumer’s personal data.
The CTDPA gives consumers several rights regarding their data. Connecticut consumers have the right to access, correct, delete, and port their data. In addition, businesses must provide consumers an opt-out for targeted advertising, the sale of their data, and automated decision-making profiling.
Controllers are required to respond to consumer requests no later than 45 days after receipt of the request.
The CTDPA does not expressly offer consumers a private right of action (though we note that this same fact with respect to other laws has not prevented private actions). Enforcement authority is granted exclusively to the Connecticut Attorney General. The law provides for an enforcement grace period following enactment, meaning that, starting on July 1, 2023, and ending on December 31, 2024, the Attorney General must provide businesses with notice of alleged violations and provide them a 60-day period to cure any such violation.
The important dates to keep in mind for your business to comply with the CTDPA are:
- July 1, 2023 – The CTPDA becomes effective. The recommended target date for full compliance.
- December 31, 2024 – The last date of the enforcement grace period (be sure to cure any remaining alleged violations by then).
- January 1, 2025 – Businesses are required to have controls in place to collect consent and respond to consumer opt-out requests. The Connecticut Attorney General, at their discretion, may offer opportunities to cure alleged violations.
This legal update was authored by Jordan Ockleberry and Michael Young. If you have any questions about the content, please contact Michael Young.