Many states are grappling with privacy issues and considering data privacy legislation due to the absence of a comprehensive federal data protection law. This effort is being fueled, in large part, by consumers pushing for data privacy protection in the face of businesses’ expanded use and sale of personal data. With the recent passage of a privacy law in Connecticut, five states (California, Colorado, Connecticut, Utah and Virginia) now have state privacy laws. At least 13 states and the District of Columbia are currently considering privacy legislation, and another 15 states considered, but did not pass, privacy legislation in the last year.

Recently, Connecticut enacted the Connecticut Data Privacy Act (CTDPA), which is similar in many respects to the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA), which we reported on last year. Most of the provisions of the CTDPA will go into effect on July 1, 2023.

The following is a summary of the CTDPA’s notable provisions:

Scope
Entity exemptions
Protected Consumers
Covered Personal Data
Excluded Data
Sensitive Data Requirements
Obligations of Data Controllers
Consumer Rights
Rights for Minors
Time to respond to consumer requests
Consent requirements
Required data protection assessments
Private Right of Action
Government Enforcement

This summary is intended to highlight the main requirements of the CTDPA and is not comprehensive. Companies should work with their lawyers to create a compliance program that best suits their needs. If your business is impacted by Connecticut’s CTDPA, it is important to review your privacy policies and practices and prepare for compliance by 2023. We are happy to help. If you have questions about any state privacy laws and how they may impact your company, please contact Virginia Fournier at [email protected].

A member of our California team, Virginia Fournier is a seasoned technology and privacy attorney with over 25 years of legal and business experience in the industry. She regularly handles a wide range of technology-related matters, including negotiating and drafting complex licensing agreements, compliance, data security and privacy, and intellectual property issues. Virginia is also a Certified Information Privacy Professional (CIPP/US).
Scope

The CTDPA applies to entities that (i) conduct business in Connecticut or produce products or services targeted to Connecticut residents, and (ii) during the preceding calendar year, either processed the personal data of at least 100,000 Connecticut residents, or processed the personal data of at least 25,000 Connecticut residents and derived more than 25% of their gross revenue from the “sale” of personal data. The law defines a “sale” of personal data as an exchange of personal data for monetary or other valuable consideration, so cash need not change hands for a “sale” to occur.
Entity exemptions

The law does not apply to non-profits, any Connecticut state or local agency, institutions of higher education, financial institutions subject to the Gramm-Leach-Bliley Act (“GLB”), and qualifying covered entities and business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”).
Protected Consumers

The CTDPA protects only Connecticut residents acting in an individual capacity (i.e., “consumers”); individuals acting in an employment or commercial (B2B) context are not covered.
Covered Personal Data

The law applies to any information that is linked, or reasonably linkable, to an identified or identifiable individual.
Excluded Data

Personal data processed solely for payment transactions is specifically excluded. Likewise, the definition of “personal data” does not include deidentified or publicly available information.
Sensitive Data Requirements

Sensitive data may not be processed without consent. It includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status; genetic or biometric data used to uniquely identify an individual; personal data collected from a known child; and precise geolocation data.
Obligations of Data Controllers

Among other obligations, data controllers are required to:
Consumer Rights

Under the CTDPA, consumers have the rights to:
Rights for Minors

The personal data of minors cannot be processed for purposes of targeted advertising, or sold, without the minor’s consent (ages 13-17) or, for children under age 13, without parental consent.
Time to respond to consumer requests

Controllers will have 45 days to respond to consumer requests, with a 45-day extension available upon written notice to the consumer.
Consent requirements
A consumer’s consent to the use of their personal data must be freely given, specific, informed, and unambiguous, and may not be obtained through the use of dark patterns.
Required data protection assessments

Controllers will be required to conduct data protection assessments if they are engaged in data processing activities that present a heightened risk of harm to consumers.
Private Right of Action

As in Colorado and Virginia, there is no private right of action.
Government Enforcement

The Connecticut attorney general provides written notice of a violation, with a 60-day period in which to cure it. After January 1, 2025, the state attorney general will have discretion whether to provide a cure period.
This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor as an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.