Connecticut Adopts Privacy Law

Connecticut Adopts Privacy Law

Many states are grappling with privacy issues and considering data privacy legislation due to the absence of a comprehensive federal data protection law. This effort is being fueled, in large part, by consumers pushing for data privacy protection in the face of businesses’ expanded use and sale of personal data. With the recent passage of a privacy law in Connecticut, 5 states (California, Colorado, Connecticut, Utah and Virginia) now have state privacy laws. At least 13 states and the District of Columbia are currently considering privacy legislation, and another 15 states considered, but did not pass, privacy legislation in the last year.

Recently, Connecticut enacted the (CTDPA), which is similar in many respects to the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA), which we reported on last year. Most of the provisions of the CTDPA will go into effect on July 1, 2023. The following is a summary of the CTDPA’s notable provisions:

The CTDPA applies to entities that (i) conduct business in Connecticut or produce products or services targeted to Connecticut residents, and (ii) during the proceeding calendar year, either processed the personal data of at least 100,000 Connecticut residents or processed the personal data of at least 25,000 Connecticut residents and derived more than 25% of their gross revenue from the “sale” of personal data. The law defines a
“sale” of personal data as personal data exchanged for monetary or other valuable consideration, so it’s not necessary for cash to change hands for a “sale” to occur.

Entity exemptions
The law does not apply to non-profits, any Connecticut state or local agency, institutions of higher education, financial institutions subject to the Gramm-Leach-Bliley Act (“GLB”), and qualifying covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”).

Protected Consumers
The CTDPA protects only Connecticut residents acting in an individual capacity (i.e., “consumers”); individuals acting in an employment or commercial (B2B) context are not covered. 

Covered Personal Data
The law applies to any information that is linked, or reasonably linkable, to an identified or identifiable individual.

Excluded Data
Personal data processed solely for payment transactions is specifically excluded. Likewise, the definition of “personal data” does not include deidentified or publicly available information.

Sensitive Data Requirements
Sensitive data may not be processed without consent, and includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status; genetic or biometric data used to uniquely identify an individual; personal data collected from a known child; and precise geolocation data.

Obligations of Data Controllers
Among other obligations, data controllers are required to:

    • Provide a clear and conspicuous link on their websites enabling consumers to opt out of targeted advertising or sale of the consumer’s personal data. The authentication of opt out requests is not required.
    • Provide to consumers a reasonably accessible, clear and meaningful privacy notice.
    • Limit the collection of personal data to “what is adequate, relevant and reasonably necessary” to the purposes for processing, as disclosed to the consumer.
    • Establish, implement and maintain reasonable administrative, technical and physical data security practices.
    • Provide an effective mechanism for a consumer to revoke consent and cease processing the data within 15 days of receiving a revocation request.

Consumer Rights
Under the CTDPA, consumers have the rights to:

    • Access their personal data to confirm whether a controller is processing such data, unless such access would reveal a trade secret of the controller.
    • Correct inaccuracies in their data.
    • Delete their personal data.
    • Obtain a copy of the consumer’s personal data in a portable and readily usable format.
    • Opt out of processing of personal data for targeted advertising, sale, or profiling.
    • Revoke consent to the processing of their data.
    • Non-discrimination in the event they exercise their privacy rights under the law.

Rights for Minors
The personal data of minors cannot be processed for purposes of targeted advertising or sold without consent (ages 13-17) and without parental consent (under age 13).

Time to respond to consumer requests
Controllers will have 45 days to respond to consumer requests, with a 45-day extension upon written notice the consumer.

Consent requirements
A consumer’s consent to use their personal data must be freely given, specific, informed, and unambiguous, and may not be obtained through use of dark patterns.

Required data protection assessments
Controllers will be required to conduct data protection assessments if they are engaged in data processing activities that present a heightened risk of harm to consumers. 

Private Right of Action
Like Colorado and Virginia, there is no private right of action.

Government Enforcement
The CT attorney general provides written notice of a violation with a 60-day cure period. After January 1, 2025, the state attorney general will have discretion whether to provide a cure period.  

This summary is intended to highlight the main requirements of the CTDPA and is not comprehensive. Companies should work with their lawyers to create a compliance program that best suits their needs. If your business is impacted by Connecticut’s CTDPA, it is important to review your privacy policies and practices and prepare for compliance by 2023. We are happy to help. If you have questions about any state privacy laws and how they may impact your company, please contact Virginia Fournier at [email protected].


A member of our California team, Virginia Fournier is a seasoned technology and privacy attorney with over 25 years of legal and business experience in the industry. She regularly handles a wide range of technology-related matters, including negotiating and drafting complex licensing agreements, compliance, data security and privacy, and intellectual property issues. Virginia is also a Certified Information Privacy Professional (CIPP/US).

This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances not an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.

Subscribe to Our Blog