On May 10, 2022, the Governor of Connecticut signed into law "An Act Concerning Personal Data Privacy and Online Monitoring", also known as the Connecticut Data Privacy Act (CTDPA). With this legislation, Connecticut became the fifth state to adopt its own comprehensive data privacy law, following in the footsteps of California, Virginia, Colorado, and Utah.
While the Connecticut privacy law bears many similarities to previously-enacted state privacy laws, it also introduces brand new obligations and differs from these laws in certain respects.
The CTDPA becomes effective on July 1, 2023, giving businesses less than 12 months to determine whether they fall within the law's scope and to bring their data processing activities into compliance with its requirements.
Which businesses does the CTDPA apply to?
What entities are subject to the CTDPA?
The CTDPA sets certain thresholds similar to those in Virginia and Colorado to determine if an entity falls under the scope of applicability. An entity will be subject to the CTDPA if it:
"Conduct business in Connecticut or produce products or services targeted to Connecticut residents and that during the preceding calendar year, either:
Taking these criteria into account, there are three key nuances every business should pay attention to:
No annual revenue threshold: Unlike the California Consumer Privacy Act (CCPA), the CTDPA does not impose an annual gross revenue threshold. A business does not fall within the scope of the CTDPA merely because its revenue exceeds a certain figure; conversely, an entity is within scope if it controls or processes the personal data of the specified number of Connecticut consumers, regardless of its annual revenue.
Payment transactions excluded: Personal data that an entity collects or processes solely to complete a payment transaction is not counted when determining whether the CTDPA applies. For example, if a payment gateway provider processes the credit and debit card details of Connecticut residents only to facilitate payment, that personal data does not count towards the threshold.
Meaning of "sale of personal data": Under the second threshold, the meaning of "sale of personal data" is critical in determining whether an entity exceeds the threshold. The CTDPA follows an approach similar to California's CCPA and defines "sale" broadly: "The exchange of personal data for monetary or other valuable consideration by the controller to a third party."
Put simply, the transfer or disclosure of personal data to a third party can be a sale even if no money changes hands. For example, handing personal data to a data analytics firm that is free to use it for its own purposes, such as improving its own products, in return for discounted services or other non-monetary benefit can fall within the definition of "sale".
However, the CTDPA carves certain disclosures out of the definition of "sale". Disclosure to a processor that handles the data on the controller's behalf, such as a payment processor, is not a sale. Nor is a disclosure made at the consumer's request.
What entities are excluded from the scope of CTDPA?
The CTDPA exempts six types of entities from its scope even if they meet the thresholds:
State and local government bodies.
Nonprofit organizations.
Higher education institutions.
National securities associations registered under the Securities Exchange Act of 1934.
Financial institutions, and data, subject to the Gramm-Leach-Bliley Act.
Covered entities and business associates as defined by the Health Insurance Portability and Accountability Act (HIPAA).
What and who does the CTDPA cover?
The CTDPA provisions apply to the personal data of Connecticut residents who are acting in an individual capacity (“Consumers”). Following the example of California's CCPA, the CTDPA defines personal data broadly:
"Any information that is linked or reasonably linkable to an identified or identifiable individual".
However, the CTDPA does not cover the personal data of individuals acting in a commercial or employment context.
For example, if a business employs Connecticut residents and collects their health and insurance information, those employees are not counted towards the applicability threshold and that processing is not subject to the CTDPA's provisions.
De-identified data or publicly available information
While the CTDPA excludes de-identified data from its scope of applicability, it does not exempt aggregated data. Furthermore, the law exempts the following types of publicly available information from its reach:
Personal data disclosed to the public through federal, state, or municipal records,
Personal data made available to the public on widely distributed media.
In both cases, the controller must have a reasonable basis to believe that the consumer lawfully made the personal data available to the general public.
Other data categories excluded from the CTDPA
Section 3(b) lists 16 categories of personal data that are exempted from the scope of applicability. For example, the following personal data categories are not subject to the CTDPA:
“Protected health information under HIPAA”
"The collection, maintenance, disclosure, sale, communication or use of any personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living by a consumer reporting agency…" (i.e., data regulated by the Fair Credit Reporting Act)
Personal data regulated by the Family Educational Rights and Privacy Act and the Driver's Privacy Protection Act
Collection and use of the personal data of an agent or contractor in the context of that role.
Job applicant data subject to certain conditions.
What data rights do Connecticut consumers have under the CTDPA?
A privacy law cannot empower consumers without providing them with rights to protect their personal data against unlawful collection, use, sale, and storage. The CTDPA empowers Connecticut consumers with five specific rights over their personal data:
Right to access
Consumers are provided with the right to “confirm whether or not a controller is processing the consumer’s personal data and access such personal data.”
However, this right is subject to a "trade secret" exemption: a controller is not required to confirm or provide access where doing so would reveal a trade secret. The same exemption appears in the Colorado, Utah and California privacy laws; Virginia's law, on the other hand, does not include it.
Right to correct
Connecticut consumers can exercise their right to “correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data.”
For example, if a consumer subscribes to a news magazine and their billing address changes, they can submit a request to have the outdated address corrected.
Right to delete
Connecticut consumers can ask for the deletion of their personal data. When you receive a valid deletion request, you must delete the personal data the consumer provided directly.
Furthermore, the controller must also delete personal data it obtained by other means, such as through cookie trackers or from third parties like lead generators or data brokers.
Right to data portability
Consumers can also exercise their right to “obtain a copy of the consumer’s personal data processed by the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means, provided such controller shall not be required to reveal any trade secret.”
Right to opt out
Under the CTDPA, consumers can opt out of the processing of their personal data for the following purposes:
Targeted advertising,
The sale of personal data, or
"Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer."
Key obligations for controllers & processors
The Connecticut data privacy act imposes various requirements and obligations on both controllers and processors:
Data security measures: Controllers and processors must “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.”
Data minimization: Controllers must limit the collection of personal data to what is "adequate, relevant and reasonably necessary" in relation to the purposes for which the data is processed, as disclosed to the consumer.
Purpose limitation: Controllers should not be processing personal data for “purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed.” If a controller is going to process collected personal data for an incompatible purpose, it should obtain that consumer’s consent.
Sensitive data: Under the CTDPA, businesses cannot collect or process consumers' sensitive data without their prior consent. This opt-in requirement mirrors the Colorado Privacy Act (and Virginia's law). Utah's Consumer Privacy Act instead requires only clear notice and an opportunity to opt out, and California's CCPA, as amended by the CPRA, gives consumers a right to limit the use of sensitive personal information rather than requiring prior consent.
Examples of sensitive data under the CTDPA include data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, and sexual orientation.
Privacy Notice: Controller shall provide consumers with an easily accessible, clear and meaningful privacy notice. This privacy notice should include at least the following:
What categories of data does the controller process? (E.g basic personal details such as name surname or online behavioral data such as browsing habits and visited URLs)
What are the purposes for the processing of this data? (E.g product improvement, fraud prevention, provision of services, targeted advertising)
“How consumers may exercise their consumer rights, including how a consumer may appeal a controller's decision with regard to the consumer's request”;
What categories of personal data does the controller share with third parties?
What categories of third parties does it share personal data with?
“An active electronic mail address, or other online mechanisms that the consumer may use to contact the controller”.
How can my business comply with the CTDPA?
1-Determine if the CTDPA applies to processing personal data
First, you need to determine whether your data collection and processing meet the criteria and thresholds set out by the law. Keep in mind that certain data categories, such as personal data subject to HIPAA, are outside the CTDPA even if you are otherwise in scope.
2-Implement appropriate data security practices and controls
Consider the volume of data you process, the number of consumers concerned and the sensitivity of the personal data.
Based on that risk assessment, identify and implement appropriate security measures. These can be organizational and contractual measures, such as confidentiality agreements with staff, and technical measures, such as encryption of data in transit and at rest, access controls and audit logging.
3-Collect and process data only if it is strictly necessary
Adhere to the data minimization principle and avoid collecting excessive amounts of personal data.
4-Obtain consent before processing sensitive data
Before you start collecting and processing sensitive data, such as health data, ensure that you have obtained the consumer's consent.
5-Establish secure methods for consumer requests
The law requires you to establish one or more secure methods so that consumers can submit their data subject requests such as their data deletion, access or data correction requests.
6-Data processing contracts
Controllers and processors must have a data processing contract in place. The contract should set out the processing instructions, the nature and purpose of the processing, the type of data and the duration of processing, as well as the parties' rights and obligations.
7-Conduct data protection assessments
When a controller's processing presents a heightened risk of harm to consumers (for example, targeted advertising, the sale of personal data, certain profiling, or the processing of sensitive data), it must conduct and document a data protection assessment.
8-Establish a mechanism to revoke consent
You need to implement a consent revocation mechanism so that revoking consent is as easy as giving consent.
9-Draft a privacy notice
You need to draft and publish a clear and easily accessible privacy notice. This privacy notice should address what categories of personal data you collect, how you use it, who you share it with and how consumers can exercise their rights.
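Steps 4, 5 and 8 above can be enforced in software rather than left to policy. The following is an added example written for this page, not code from the original article or from Didomi: a small consent ledger that refuses to store CTDPA sensitive-data categories without an active consent record, lets a consumer revoke consent with the same single call used to grant it, and services access/portability and deletion requests across every source the data came from (including cookie trackers and data brokers, as the deletion right requires). The category identifiers, the source labels ("direct", "cookie_tracker") and the record layout are this example's own assumptions, not terms defined by the statute.

```python
"""Added example (not from the original article): consent gating, revocation
and cross-source deletion for personal data records. Category and source
names below are assumptions made for this illustration."""
from datetime import datetime, timezone

# Sensitive categories named in the article; the identifier strings are assumed.
SENSITIVE_CATEGORIES = frozenset({
    "racial_or_ethnic_origin", "religious_beliefs", "health_condition",
    "sex_life", "sexual_orientation",
})


class ConsentRequired(Exception):
    """Raised when a sensitive category is processed without active consent."""


class ConsentLedger:
    """Append-only log of consent events. The most recent event for a
    (consumer, category) pair decides whether consent is currently active,
    so the full history survives as evidence after a revocation."""

    def __init__(self):
        self._events = []  # (consumer_id, category, granted, utc_timestamp)

    def grant(self, consumer_id, category):
        self._append(consumer_id, category, True)

    def revoke(self, consumer_id, category):
        # Same single call shape as grant: revoking is as easy as consenting.
        self._append(consumer_id, category, False)

    def _append(self, consumer_id, category, granted):
        self._events.append(
            (consumer_id, category, granted, datetime.now(timezone.utc)))

    def has_consent(self, consumer_id, category):
        for cid, cat, granted, _ in reversed(self._events):
            if cid == consumer_id and cat == category:
                return granted
        return False  # no record at all means no consent


class PersonalDataStore:
    """Per-consumer records keyed by the source they came from, e.g. "direct"
    (supplied by the consumer), "cookie_tracker" or "data_broker"."""

    def __init__(self, ledger):
        self._ledger = ledger
        self._records = {}  # consumer_id -> {source: {category: value}}

    def store(self, consumer_id, category, value, source="direct"):
        # Opt-in gate: sensitive categories need an active consent first.
        if category in SENSITIVE_CATEGORIES and not self._ledger.has_consent(consumer_id, category):
            raise ConsentRequired(f"{category} for {consumer_id} requires prior consent")
        self._records.setdefault(consumer_id, {}).setdefault(source, {})[category] = value

    def export(self, consumer_id):
        """Access / portability request: a plain, JSON-serialisable copy."""
        return {src: dict(cats) for src, cats in self._records.get(consumer_id, {}).items()}

    def delete_consumer(self, consumer_id):
        """Deletion request: purge data from every source, not only what the
        consumer supplied directly. Returns the number of fields removed."""
        sources = self._records.pop(consumer_id, {})
        return sum(len(cats) for cats in sources.values())


def demo():
    """Walk a constructed consumer through consent, revocation and deletion
    and return the observable outcomes."""
    ledger = ConsentLedger()
    store = PersonalDataStore(ledger)
    cid = "ct-consumer-001"  # constructed identifier
    outcome = {}

    store.store(cid, "email", "alice@example.com")  # non-sensitive: no consent needed
    try:
        store.store(cid, "health_condition", "asthma")
        outcome["blocked_without_consent"] = False
    except ConsentRequired:
        outcome["blocked_without_consent"] = True

    ledger.grant(cid, "health_condition")
    store.store(cid, "health_condition", "asthma")
    store.store(cid, "browsing_habits", ["/pricing", "/checkout"], source="cookie_tracker")
    outcome["sources_after_collection"] = sorted(store.export(cid))

    ledger.revoke(cid, "health_condition")
    try:
        store.store(cid, "health_condition", "updated")
        outcome["blocked_after_revoke"] = False
    except ConsentRequired:
        outcome["blocked_after_revoke"] = True

    outcome["fields_deleted"] = store.delete_consumer(cid)
    outcome["export_after_delete"] = store.export(cid)
    return outcome


if __name__ == "__main__":
    print(demo())
```

Two design choices matter here. Absence of a consent record is treated as "no consent", so a new sensitive category added to a pipeline fails closed until someone wires up the consent flow for it. And deletion operates on the whole per-consumer record, whatever its source, so third-party-sourced data cannot survive a deletion request simply because it was never entered by the consumer.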
How is the CTDPA enforced?
The CTDPA does not contain a private right of action: consumers cannot bring legal proceedings against controllers or processors for non-compliance with the Connecticut Data Privacy Act.
Under the CTDPA, the Connecticut Attorney General has exclusive authority to enforce the Act, and only the Attorney General can initiate legal action for a violation. Until December 31, 2024, the Attorney General must first issue a notice of violation and allow the business 60 days to cure it, if a cure is possible.
A business may face the following penalties if it violates the CTDPA:
Up to $5,000 per willful violation under the Connecticut Unfair Trade Practices Act, because a violation of the CTDPA constitutes an unfair trade practice;
Restitution, disgorgement, and injunctive relief.
Didomi helps companies get ready for data privacy regulations
Keeping up with opt-out requests, obtaining consent for sensitive data, crafting a comprehensive consent banner... The Connecticut Data Privacy Act, just like other state privacy laws, has strict requirements on consent, opt-outs, and consumer preferences.
This can be overwhelming for businesses.
But compliance can be simplified. Talk to one of our experts and find out how Didomi’s Consent Management Platform and Preference Management Platform take the guesswork out of data compliance, helping you turn privacy into business opportunities.