Connecticut recently joined four other U.S. states in passing a comprehensive consumer privacy law, the Connecticut Data Privacy Act (CTDPA). The new law, signed by Governor Ned Lamont on May 10, 2022, comes into effect July 1, 2023, and gives organizations limited time to comply.


What Is the Connecticut Data Privacy Act (CTDPA)?

The Connecticut Data Privacy Act (CTDPA) is a comprehensive data privacy law protecting the personal data of Connecticut residents. It includes many of the same rights, obligations, and exceptions as the consumer privacy acts in place in California, Colorado, Utah, and Virginia. While some areas of the CTDPA mirror these other laws, it also has a few notable distinctions that organizations should factor into their compliance strategies.

This glossary page outlines key provisions of the Connecticut Data Privacy Act, its effects on the business landscape, and how organizations can ensure regulatory compliance at all times.

What Does the Connecticut Data Privacy Act Do?

The Connecticut Data Privacy Act (CTDPA) establishes a comprehensive framework to protect the personal data of Connecticut residents. It defines the responsibilities of companies that process, collect, or store data about Connecticut residents, and provides rights to those same individuals. The CTDPA, for example, prohibits the sale of information derived from personal data, with some exceptions.

The Connecticut Data Privacy Act (CTDPA) applies to entities that operate within Connecticut or produce goods or services targeted to Connecticut residents and that, during the preceding calendar year, either processed personal data from at least 100,000 consumers or generated more than 25% of gross revenue from personal data sales from at least 25,000 consumers. It does not apply to entities processing personal data solely for payment transactions. It does not include an annual revenue threshold, meaning that whether the law applies does not depend on a company's annual revenue.

Definition of Key Terms Under the Connecticut Data Privacy Act

The CTDPA establishes a set of definitions to explain the scope of the law. It is important to be aware of these definitions in order to understand the responsibilities placed on companies and the rights provided to Connecticut residents.

  • Consumer—any Connecticut resident; the definition explicitly excludes individuals acting in a commercial or employment context.
  • Controller—a person or entity responsible for the collection and processing of personal data.
  • Processor—a person or entity that processes personal data on behalf of a controller.
  • Third Party—a person or entity that is not a controller or processor.
  • Personal Data—any information that relates to an identifiable individual. However, the Act excludes deidentified data and publicly available data from the definition of personal data.
  • Sale of Personal Data—the exchange of personal data for monetary or other valuable consideration by the controller to a third party; however, public disclosures to a processor or a controller’s affiliate do not count.
  • Publicly Available Information—information lawfully made available through government records or widely distributed media, where the controller has a reasonable basis to believe the consumer has lawfully made the information available to the public.
  • Sensitive Data—any personal data that reveals a person’s race, religious beliefs, health, sexual orientation, criminal background, or biometric information.
  • Dark Pattern—any practice used to obfuscate or mislead consumers regarding the collection and processing of their personal data.

What Are the Consumer Rights Under the Connecticut Data Privacy Act?

The Connecticut Data Privacy Act (CTDPA) grants consumers the right to access and control how their data is used. All consumers have the right to confirm whether their data is being processed and to request a copy of the data that has already been provided to the controller. Additionally, consumers have the right to delete their data, to opt out of processing for targeted advertising, and to update or correct inaccuracies. Requests for these actions, which must be honored within 45 days, cannot be subject to a fee unless the request is the consumer’s second or subsequent request within the same 12-month period.

The CTDPA also allows consumers to designate an authorized agent to make requests on their behalf. The controller must verify both the consumer’s identity and the agent’s authority before honoring the request.

In order to protect the data of consumers, processors must adhere to the instructions of the controller and implement the appropriate security controls. They must also assist the controller in meeting their obligations, ideally agreed upon by a binding contract. This contract should specify the instructions for processing the data, the purpose and duration of processing, and the rights and obligations of both parties. By providing consumers with these rights as well as outlining processor obligations, the CTDPA ensures that consumers have control of and access to their data.

Controllers’ Obligations Under the Connecticut Data Privacy Act

The Connecticut Data Privacy Act (CTDPA) makes the controller responsible for collecting data according to common principles such as purpose limitation and data minimization. Controllers must also obtain consent for secondary use of the data and any disclosure of that data to third parties. To ensure the consumer is aware of their rights and how to exercise them, the controller must make certain disclosures, such as the types of data collected, the purpose of its use, a way to contact the controller, and a secure way for the consumer to exercise their rights. The controller also must not process sensitive data without obtaining the consumer’s consent and must have a mechanism for the consumer to revoke their consent.

Controllers must conduct and document a data protection assessment for processing activities that have a heightened risk of harm to the consumer, such as targeted advertising or the sale of personal data. Assessments that have already been conducted and are similar in scope and effect to the CTDPA’s requirements can be used to satisfy the requirement. The CTDPA exists to ensure consumer data is protected while increasing awareness of consumers’ rights, creating a secure and reliable data processing environment.

How Will the CTDPA Be Enforced?

The CTDPA will be enforced by the Connecticut Attorney General. The Attorney General may investigate any violation of the CTDPA and, if necessary, bring civil legal action to enforce its requirements. Additionally, the Attorney General may seek damages on behalf of consumers.

What Are the Penalties for Failing to Comply With the CTDPA?

Entities or individuals that violate the CTDPA may face civil penalties up to $5,000 per violation, pursuant to the Connecticut Unfair Trade Practices Act. In addition to civil penalties, the Attorney General can also seek injunctive relief, restitution, or disgorgement.

Sensitive Content Communications and the CTDPA

The Connecticut Data Privacy Act is an important law that establishes a comprehensive framework to protect the personal data of Connecticut residents. It places obligations on companies that process, collect, and store data about Connecticut residents, and provides rights to those same consumers. By understanding the definitions, rights, obligations, and penalties in the Connecticut Data Privacy Act, companies can better ensure compliance with the law and protect the privacy of Connecticut residents.

In order to comply with the CTDPA, businesses must take steps to properly track, control, and secure the digital communications of personally identifiable information (PII) belonging to Connecticut residents. Traditional approaches of siloing communication channels, such as email, file sharing, web forms, and file transfers, have resulted in bifurcated metadata that makes it difficult to centrally govern and manage risk associated with PII.

Thankfully, Kiteworks provides an innovative solution to help businesses address this issue. By consolidating digital communications into a Private Content Network, Kiteworks enables organizations to ensure compliance with the CTDPA while unifying, tracking, controlling, and securing PII shared and sent into, within, and out of the organization. As a result, Kiteworks can be a powerful tool for Connecticut businesses looking to comply with the Connecticut Data Privacy Act (CTDPA).

Watch a short video overview of how Kiteworks enables Private Content Networks. Or simply schedule a custom-tailored demo today to see the Kiteworks platform in action.

