
Connecticut Governor Ned Lamont Signed the Connecticut Data Privacy Act (CTDPA)

May 17, 2022

Mark W. Heaphy, Christopher Daiss

On May 10, 2022, Connecticut Governor Ned Lamont signed “An Act Concerning Personal Data Privacy and Online Monitoring” (also known as the Connecticut Data Privacy Act (CTDPA)), making Connecticut the fifth state to pass a comprehensive data privacy law, along with California, Virginia, Colorado and Utah. The new law goes into effect on July 1, 2023 and only protects Connecticut consumers, not individuals acting in a business-to-business relationship.

Who is Covered?

The CTDPA applies to individuals and entities conducting business in Connecticut or producing products or services targeted to Connecticut residents that, during the preceding calendar year, either “Controlled” or “Processed” (i) the Personal Data (as defined below) of at least 100,000 consumers, or (ii) the Personal Data of at least 25,000 consumers while deriving more than 25% of their gross revenue from the sale of Personal Data. Similar to the EU General Data Protection Regulation (“GDPR”), the CTDPA uses the term “Controller” to mean the entity that determines the purpose and means of processing Personal Data and the term “Processor” to mean the entity that performs an operation (e.g., collection, use, storage, etc.) on Personal Data on behalf of a Controller. The new law exempts certain entities, including nonprofit organizations, institutions of higher learning, financial institutions subject to the Gramm-Leach-Bliley Act, and “Covered Entities” or “Business Associates” subject to the Health Insurance Portability and Accountability Act (“HIPAA”).

What is Personal Data?

The CTDPA defines “Personal Data” as any information that is linked or reasonably linkable to an identified or identifiable natural person, but excludes from its definition de-identified data and publicly available information. Additionally, the new law exempts from the definition of “Personal Data” several specific types of information and data, including, among other things, (i) protected health information under HIPAA, (ii) personal data regulated by the Family Education Rights and Privacy Act, and (iii) personal data collected, processed, sold or disclosed in compliance with the Driver’s Privacy Protection Act. The full list of exclusions is set forth in SB 6 §3(b) of the CTDPA.

What Rights will Consumers Have?

Under the CTDPA consumers will have the right to:

  • confirm whether or not a Controller is processing the consumer’s Personal Data,
  • access Personal Data processed by a Controller or Processor,
  • correct inaccuracies in the consumer’s Personal Data,
  • delete Personal Data provided by, or obtained about, the consumer,
  • obtain a copy of the consumer’s Personal Data processed by the Controller in a portable and readily usable format, and
  • opt out of the processing of Personal Data for purposes of (i) targeted advertising, (ii) the sale of Personal Data, or (iii) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Controllers must respond to consumer requests without undue delay, but not later than forty-five (45) days after receipt of the request.

What Obligations are Imposed?

Upon taking effect, the CTDPA will impose the following obligations:

  • Controllers must: (1) limit the collection of Personal Data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed; (2) not process Personal Data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such Personal Data is processed, unless the Controller obtains the consumer’s consent; (3) establish, implement and maintain reasonable administrative, technical and physical data security practices; and (4) not process “sensitive data” concerning a consumer without obtaining the relevant consumer’s consent, or, in the case of the processing of sensitive data concerning a known child, without processing the data in accordance with the Children’s Online Privacy Protection Act (“COPPA”).
  • Controllers may not discriminate against a consumer for exercising any rights under the CTDPA.
  • Controllers will be required to conduct and document a data protection assessment for each of the Controller’s data processing activities that presents a heightened risk of harm to a consumer.
  • Controllers must also have a contract with each of their Processors that governs that Processor’s data processing on behalf of the Controller.

What Disclosures are Required?

Similar to other comprehensive state privacy laws, the CTDPA requires Controllers to provide consumers with a reasonably accessible, clear and meaningful privacy notice that informs consumers of: (1) the categories of Personal Data processed by the Controller; (2) the purposes for processing Personal Data; (3) how consumers may exercise their consumer rights (i.e., an active e-mail address or other online mechanism); (4) if applicable, the categories of Personal Data shared with third parties; (5) if applicable, the categories of third parties with whom Personal Data has been shared; and (6) if applicable, whether there was a sale of Personal Data to third parties or the processing of Personal Data for targeted advertising, as well as the method by which a consumer may exercise the right to opt out of such processing.

How will the CTDPA be Enforced?

The CTDPA does not provide a private right of action. A violation of the CTDPA will constitute an unfair trade practice and will be enforced solely by the Connecticut Attorney General. Beginning on July 1, 2023 and ending on December 31, 2024, in the event of a violation the Connecticut Attorney General will issue a notice of violation to the Controller and allow sixty (60) days to cure such violation. Beginning on January 1, 2025, the Connecticut Attorney General may consider various factors in determining whether or not to allow the Controller the opportunity to cure.

For more information and advice regarding the CTDPA or any other privacy-related issues, please contact Mark Heaphy at 203.498.4356 or mheaphy@wiggin.com.
