The Connecticut Data Privacy Act (CTDPA)

The Connecticut Data Privacy Act (CTDPA) took effect on July 1, 2023, and follows the structure and intent of the Washington Privacy Act model. The CTDPA was amended in June of 2023 to provide additional protections for children’s data and “consumer health data.”

Schedule a Free Consultation

What You Need to Know About Colorado’s Privacy Law

Does the CTDPA Apply to You?

The CTDPA applies to you if your business:

  1. Is for-profit and conducts business in or provides products or services to residents (“consumers”) of Connecticut, and
  2. Annually controls or processes the personal data of either:
    1. 100,000 residents, excluding data solely used for completing payment transactions; or
    2. 25,000 residents, and derives 25%+ of gross revenue from sale of personal data
To Whom and What Does the CTDPA NOT Apply?

  • The CTDPA exempts both certain data types and certain entities entirely. In addition, like almost every other state data privacy law, the CTDPA does not apply to individuals acting in an employment or commercial (B2B) context.

    Exempt Data:  The CTDPA exempts many different types of data from coverage under the law. Below is a list of some of the more commonly held data types that are exempt under the law. For a complete list, refer to the law or reach out to us at Red Clover Advisors, we would be happy to help you understand how your various data types effect your privacy obligations.

    • Protected Health Information (PHI) under HIPAA
    • Various federally and internationally protected health and patient information, including that protected by the Common Rule, human subject data, and more.
    • Various forms of credit data regulated by the FCRA
    • Certain uses of emergency contact data
    • Data covered by a wide variety of other federal laws including FERPA data, FCA data and DPPA data.

    Exempt Entities:  The CTDPA also exempts many different types of entities from coverage under the law. Below is a list of some of the more commonly relevant entity types that are exempt. For a complete list, refer to the law or reach out to us at Red Clover Advisors, we would be happy to help you understand how your entity classification effect’s your privacy obligations.

    • Non-profits;
    • The state government and its various entities;
    • Higher Education Institutions;
    • Air Carriers;
    • GLBA covered entities;
    • HIPAA covered entities and business associates;
    • Tribal nation governments;
    • National securities associations that are registered under the SEC Act of 1934
What Do You Need to Do?
  • Update their privacy notices to reflect the data collection purposes.
  • Assess and, if necessary, obtain consent for processing sensitive personal data.
  • Establish processes to respond to consumer rights requests effectively.
  • Conduct Data Protection Assessments for certain types of data processing activities.
  • Ensure that vendor contracts align with CTDPA requirements.

Key Components of Connecticut’s Data Privacy Law

What Constitutes Personal Data?

“Personal data” is defined as any information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified data or publicly available information.

Where a controller processes de-identified data, the CTDPA requires it to take reasonable measures to ensure the data cannot be associated with an individual; publicly commit to maintaining such data without an attempt to re-identify it; and contractually obligate any recipients of the data to comply with the CTDPA.

CTDPA also exempts pseudonymous data where the controller can show it keeps information that would allow the data to be re-identified separate and subject to technical and organizational controls that prevent its use for re-identification.

What Constitutes Sensitive Data?

CTDPA’s definition of Sensitive personal data consists of the following categories of information:

  • Racial or ethnic origin;
  • Religious beliefs;
  • Mental or physical condition or diagnosis;
  • Sex life or sexual orientation;
  • Consumer health data (new term from Connecticut’s amendment)
  • Citizenship or immigration status;
  • personal data about a known child;
  • Precise geolocation data;
  • Data concerning an individual’s status as a victim of crime; and
  • Genetic or biometric data.
Is Consent Needed to Process Sensitive Data?

In a word: Yes!

Is Consent Needed for Any Other Processing?

Parental consent is required to process personal data about a known child (under 13) in accordance with COPPA, and data subject consent is required to sell the personal data of a person between the ages of 13 and 15 or use it for targeted advertising.

What Needs to be Included in the Privacy Notice?

Under the CTDPA, a privacy notice must include (among other requirements):

  • The categories of personal data processed by the controller;
  • the purpose for processing personal data;
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller’s decision with regard to the consumer’s request;
  • the categories of personal data that the controller shares with third parties, if any;
  • the categories of third parties, if any, with which the controller shares personal data; and
  • an active electronic mail address or other online mechanism that the consumer may use to contact the controller.
What Constitutes Sale of Personal Data?

Connecticut and many other states define “sale” as: Exchange of personal data for monetary or other valuable consideration by the controller to a third party.

There are limits on the definition of “sale” to ensure that certain business functions are not unintentionally impeded by this law. Examples of activities deemed not to be a sale include: the disclosure of personal data to provide a product or service requested by the consumer, the disclosure of personal data that had been intentionally made available to the public, and the disclosure of personal data as part of a merger or bankruptcy. For more, see the statue.

How Will the CTDPA Be Enforced?

Like most state data privacy laws, the attorney general (AG) has sole enforcement authority over the CTDPA. Under the CTDPA the AG may bring an enforcement action after providing a 60-day notice and an opportunity for the business to cure the alleged violation(s).The cure period will end December 31, 2024, with the AG having discretion over whether to grant an opportunity to cure from that point on based on statutorily defined factors. Actions can be brought that seek injunctive relief (the company must stop certain behaviors) and/or civil penalties, with fines up to $5,000 as determined by the CT Unfair Trade Practices Act.

Privacy Rights

 

The individual rights created under CTDPA generally align with those provided under other state laws. If the CTDPA to your business, you must allow consumers to:

  • Right to know whether a business is processing your personal data;
  • Right to access personal data;
  • Right to correct inaccuracies in personal data;
  • Right to delete personal data;
  • Right to obtain a copy of personal data (data portability); and
    • Right to opt out of the sale of personal data, processing for targeted advertising, or profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.

The CTDPA requires that businesses respond to individual rights requests within 45 days of receipt of the request, with a permissible 45-day extension in limited circumstances. Responses must be provided free of charge once every 12 months. Businesses may deny a rights request in certain circumstances. When a business denies a request, the business must notify the consumer within the 45-day timeframe and provide the reason for the denial as well as instructions for how to appeal the decision.

As we have seen with subsequent state privacy laws, including Montana, Iowa, Tennessee, and New Jersey, the appeal process must be conspicuously available to the consumer and similar to the process for submitting requests. Businesses must respond to appeals within 60 days of receipt and, if denying an appeal, must provide the consumer with a method to file a complaint with the AG.

Data Protection Assessments (also known as Privacy Impact Assessments aka PIAs) 

 

The CTDPA requires that businesses conduct data protection or privacy impact assessments.

Connecticut requires assessments for processing that presents a heightened risk of harm, including:

  • Processing for targeted advertising;
  • Processing sensitive data;
  • Selling personal data;
  • Processing for the purposes of profiling if it presents a ‘reasonably foreseeable risk’ of:
  • Unfair or deceptive treatment or unlawful disparate impact on consumers;
  • Financial, physical or reputational injury to consumers;
  • Physical or other intrusion on the solitude or seclusion, or private affairs or concerns, which would be offensive to a reasonable person; or
  • Other substantial injury.

Vendor Contracts

 

Like most other state consumer privacy laws, the CTDPA requires a contract between a controller and processor that dictates how a processor (also called service providers or vendor) may process personal data that a controller shares with it. Contracts must have instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties. In addition, the contract must require that the processor:

  • Ensure that each person who processes personal data is subject to a duty of confidentiality;
  • Delete or return all personal data at the controller’s direction or when it has completed the services, unless retention of the personal data is required by law;
  • Make available all information necessary to demonstrate the processor’s compliance with its obligations;
  • Allow and cooperate with audits by the controller, or an independent auditor to review its policies and practices, and provide a report of the assessment to the controller;
  • Provide the opportunity for the controller to object to any sub-processors;
  • And pass along the same obligations to any subcontractors in a written contract.

Data Privacy is Just Good Business

Managing privacy compliance with all these new state privacy laws popping up in the U.S., might seem like a daunting task. But just because the task appears daunting, it doesn’t mean that it’s impossible to handle.

You don’t have to go at it alone! With the right support, you can make data privacy measures a sustainable part of your daily operations. That’s where Red Clover Advisors comes in – to deliver practical, actionable, business-friendly privacy strategies to help you achieve data privacy compliance and establish yourself as a consumer-friendly privacy champion that customers will appreciate.

Book a Free Consultation