Connecticut Data Privacy Act Has Been Signed

The Connecticut Data Privacy Act (CTDPA) was signed by Governor Ned Lamont on Tuesday, May 10, 2022. Below is a quick breakdown of what is now the fifith comprehensive state data privacy law in the United States. 

When does the law go into effect?

The CTDPA goes into effect July 1, 2023.

To whom does the CTDPA apply?

The new law applies to businesses that conduct business in the state of Connecticut or produce a product or service that is targeted to Connecticut  residents and that during the preceding calendar year:

• Controlled or processed the personal data of not less than 100,000 consumers (this doesn’t include personal data controlled or processed solely for the purpose of completing a payment transaction), or;
• Controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

What are the penalties and who enforces it?

Connecticut’s law grants the attorney general exclusive enforcement authority. There is not a private right of action.

A 60 day right to cure is available until December 31^st, 2024.

Violations of the Connecticut Data Privacy Act are enforceable under the Connecticut Unfair Trade Practices Act. Civil penalties may be imposed as followed:

Maximum penalty amount for willful violations: $5,000.

Maximum penalty amount for violation of restraining order or injunction: $25,000

What are the Requirements?

Connecticut’s privacy law provides Consumer Access Rights including:

• The consumer has the right to confirm whether a controller is processing the consumer’s personal data and to access the personal data
• The consumer has the right to obtain a copy of the personal data that the consumer previously provided to the controller;
• The right to delete the personal data that the consumer provided to the controller
• The right to opt-out of processing of personal data for targeted advertising or the sale of personal data and profiling that results from solely automated decisions.
• The right to update or correct inaccuracies

These requests must be honored within 45 days, with a 45-day extension available depending on the complexity and volume of requests. If an extension is exercised, the controller must notify the consumer of the extension, the length of the extension, and the reason for the extension.

Further a controller must notify the consumer if it decides not to honor the request and the reasons for not taking actions. The controller must also include instructions surrounding how to appeal the decision.

The controller is not allowed to charge a fee for the information in the request unless the request is the consumer’s second or subsequent request during the same 12-month period. The Connecticut Privacy Act further outlines where a controller may be capable of charging a reasonable fee.

A consumer may also designate an authorized agent to act on the consumer’s behalf. A controller must comply with an opt-out request received from an authorized agent if the controller is able to verify the identity of the consumer and the authorized agent’s authority to act on the consumers behalf.

There are also specific processor obligations, including:

• Adhering to the controller’s instructions; and
• Implementing appropriate security controls; and
• Assisting the controller in meeting their obligations

A binding contract must be in place between a controller and a processor that includes instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties.

Additional Obligations

Considering the controller’s business size, scope, and type, a controller shall use data security practices that are appropriate for the volume and nature of the personal data at issue.

Controllers are required to ensure they operate from common privacy principles:

• Purpose limitation
• Data minimization
• Consent for secondary use; and,
• Nondiscrimination upon a consumer exercising rights.

Controllers are also required to make disclosures to consumers surrounding but not limited to:

• The categories of personal data processed;
• The purposes for which the personal data are processed;
• How to exercise their rights;
• The categories of personal data the controller shares with third parties, if any;
• The categories of third parties, if any, which the controller shares personal data;
• An email address or other online mechanism that the consumer may use to contact the controller; and,
• A description of one or more secure and reliable means for consumers to submit requests to exercise their rights.

Further, controllers are prohibited from processing sensitive data collected from the consumer without obtaining the consumer’s consent. The mechanism used for consumers to revoke consent must be at least as easy as the mechanism by which the consumer provided consent.

Controllers must conduct and document a data protection assessment for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. Processing that presents a heightened risk of harm to a consumer includes:

• The processing of personal data for the purposes of targeted advertising
• The sale of personal data
• The processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk to the consumer
• The processing of sensitive data

Data Protection Assessments conducted by a controller in compliance with another regulation may be used to satisfy this requirement if the assessment is reasonably similar in scope and effect.

Exceptions

The Connecticut Data Privacy Act does not apply to:

• Non-profits
• GLBA financial institutions and data, and registered national securities associations
• Institutions of higher education and FERPA data
• Covered entities and business associates under HIPAA
• Any body or political subdivision of the state
• Certain FCRA data
• Data subject to Farm Credit Act
• Data maintained for employment records purposes
• Data used by air carriers under the Airline Deregulation Act
• Data subject to Driver’s Privacy Protection Act
• Compliance with COPPA parental consent requirements

As you can see, there is both a data and entity specific exemption for GLBA covered entities which differs from the CCPA.

Please reach out if you have any questions about the CTDPA or any other state data privacy regulations at connect@compliancepoint.com.