In 1788, Connecticut became the fifth state admitted to the Union. In 2022, Connecticut became the fifth state to pass a comprehensive data privacy law.
Let Red Clover Advisors help you be the first company ready for it.
In 2016, the European Union passed the General Data Protection Regulation (GDPR). As the world’s first comprehensive digital privacy law, the GDPR applies to all companies that operate in or collect information from residents of EU member states. The GDPR changed the game by aggressively targeting the lack of transparency and consent that had been the hallmark of most modern consumer data collection practices.
Because the US doesn’t have a federal data privacy law, it was up to individual states to pass laws protecting how consumer information is collected and processed. In 2018, the California Consumer Privacy Act (CCPA) became the U.S.’s first privacy regulation. Since then, Virginia, Colorado, and Utah have all enacted similar bills.
On May 10, 2022, after years of bipartisan effort, Connecticut’s SB 6 became the Connecticut Data Privacy Act (CTDPA), the fifth U.S. privacy law to be enacted. Most similar to the Colorado Privacy Act (CPA), the CTDPA may prove to be a tipping point that forces Congress to get serious about passing a federal statute.
Until then, being proactive about your privacy program is the best way to make sure your company is ready to satisfy its legal obligations and meet your clients’ expectations for data privacy and protection. Red Clover Advisors has the knowledge and experience you need to do both.
Here’s the 411 on privacy in the 203 (and the 475, 860, and 959):
The CTDPA applies to entities that conduct business in OR control or process the personal data of consumers in Connecticut. Specifically, the Privacy Act applies to entities that, during the preceding year:
(Unlike the CCPA and the UCPA, there are no annual revenue thresholds for these obligations.)
(Unlike the CCPA, there is no private right of action for consumers.)
Businesses in Connecticut have until July 1, 2023 to prepare for the CTDPA, which means one of the most important advantages you have in your journey toward compliance is time. Rather than waiting until enforcement is looming on the horizon, start now to find the best solutions for your business.
Here are the top five recommendations we give our clients who are taking their first privacy compliance steps.
A data map, also known as a data inventory, follows data records on their entire journey through your system, from collection through deletion. But data maps do more than document data flows.
Done correctly, a data inventory will show you what types of information you’re collecting and why, who has access to it, how and how long you’re storing it, and where it's at risk. A good data map will also help to identify current processes that don’t align with your existing privacy policy.
While related, data privacy and data security are not the same. Whereas data security focuses more on technology, data privacy focuses on processes and people.
You need both to comply with statutory requirements.
Like most privacy laws, the CTDPA stipulates that businesses take “reasonable” security measures to protect consumer data. What constitutes “reasonable” can vary by industry and size, but best practices include steps like:
RCA’s privacy experts excel at identifying vulnerabilities and finding creative but pragmatic solutions to increase data protection without sacrificing efficiencies.
New laws almost always mean new workflows, but you don’t need to reinvent the wheel. Privacy laws aren’t the same, but they also share more similarities than differences. That means there are at least six years’ worth of established best practices you can draw from when setting up your privacy program.
And we know them all.
It may be tempting to buy an off-the-shelf privacy solution and hope for the best, but these programs often struggle to efficiently address nuances in privacy law. Working with a privacy consultant is usually the best way to optimize your processes.
Your privacy policy needs to accurately reflect your data collection and processing practices. If you’ve completed tips 1-3. Remember—the best privacy policies are short and easy to understand. Ditch pages of legal jargon and instead talk to your users in a way they can understand.
One mistake from an employee can take down your program. An annual privacy training day isn’t enough to create a culture of privacy at your company. Instead of one incredibly long session where you bombard your team with privacy information, include privacy education in weekly emails, monthly staff meetings, quarterly retreats, etc.
Connecticut is the most recent state to pass a privacy law, but it won’t be the last one. It may not even be the last state to pass a privacy law this year. If your company isn’t subject to a regulation yet, you will be soon.
And if you’re only subject to one right now but have customers in multiple jurisdictions, odds are high you’ll be managing compliance for more than one in the next few years.
Don’t wait until you have to choose the quickest solution instead of the best one. Proactive privacy is the best kind. And we can help you do it.
Are there any exemptions for the CTDPA?
Good question! There are several categories that the CTDPA doesn’t apply to. First and foremost, it doesn’t apply to employee or B2B personal information. Moreover, there are entity-level exemptions. The CTDPA doesn’t apply to:
At the data-level, there are also exemptions to keep in mind—but they line up with other privacy laws, such as HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act.
What are the specific consumer rights and opt-outs available under CTDPA?
Consumer rights are the cornerstone of privacy laws. Thanks to consumer privacy rights, consumers gain and maintain control over their data and their relationship with you. As per the CTDPA, residents in Connecticut have the right to do the following:
How does the CTDPA define “personal data?”
Personal data has specific definitions depending on which privacy law you’re talking about. Under CTDPA, “personal data” means any information that is linked to an “identified or identifiable individual.” This doesn’t include information that is de-identified or publicly available, which can be considered information that is:
What about sensitive data? What does that mean under CTDPA?
Sensitive data is also a concept whose definition may vary depending on privacy regulation. CTDPA considers “sensitive data” to be any data disclosing:
