Connecticut has become the second state in 2022 to enact a comprehensive privacy law and the fifth US state overall. By passing the Connecticut Data Privacy Act (CTDPA), Connecticut joins California, Virginia, Colorado, and Utah in regulating businesses that collect, maintain, and/or sell consumers' personal data. It is set to go into effect on July 1, 2023, the same day as the Colorado Privacy Act.
Similar to other state privacy laws, the CTDPA places security and disclosure requirements on businesses that meet certain thresholds. Specifically, the CTDPA applies to businesses that either conduct business in the state or produce products or services targeted to consumers in the same and meets one of the following in the preceding calendar year:
- Processed personal data of at least 100,000 consumers (excluding personal data processed solely for completing a payment transaction), or
- Processed personal data of at least 25,000 consumers and derived at least 25% gross revenue from the sale of personal data.
The CTDPA exempts nonprofit organizations, organizations regulated under GLBA or HIPAA, and employee and business-to-business information.
As we've seen with the other state laws, the CTDPA requires businesses to establish, implement, and maintain reasonable administrative, technical, and physical data security practices. The CTDPA also gives consumers the right to access, delete, and/or correct their personal data, as well as the right to opt out of targeted advertising, the sale of personal data, and/or profiling. Additionally, of note under the CTDPA:
- Businesses must limit the collection of personal data to that which is "adequate, relevant, and reasonably necessary."
- Businesses must obtain consumer consent before collecting or using "sensitive data." "Sensitive data" is defined to include racial or ethnic origin, religious beliefs, health condition or diagnosis, sexual orientation, genetic or biometric data for the purposes of identifying an individual, children's data, and precise geolocation data.
- Businesses must obtain consent before selling the personal data of or conducting targeted advertising relating to consumers between ages 13 and 16, if the business has actual knowledge of the consumer's age.
- Businesses must conduct and document a data protection assessment for each of the business's processing activities that present a "heightened risk of harm" to consumers. This includes processing for targeted advertising, profiling, or sensitive data and the sale of personal data. The Connecticut attorney general may request these assessments in relation to an investigation.
- Consumers must have the right to opt-out of targeted advertising and/or the sale of their personal data.
The CTDPA does not include a private right of action. Rather, it is enforceable solely by action of the Connecticut attorney general. Initially, the CTDPA provides for a 60-day cure period for businesses to correct violations before the attorney general can bring an enforcement action. This cure period expires, however, on December 31, 2024. You can find the full text of the CTDPA here.
Nixon Peabody advises domestic and international companies of every size as they address critical privacy and security issues, including these location-specific regulatory requirements. Subscribe to our mailing list for the latest legal developments and events in data privacy and security.