Connecticut Data Privacy Act (CTDPA)

In May 2022, the Connecticut House of Representatives and Senate approved an Act Concerning Personal Data Privacy and Online Monitoring. It came into effect on 1 July 2023.

What is the CTDPA about?

The Act is quite comprehensive, with strict provisions on a data subject’s rights to request data deletion and withdraw their consent. The law also has a provision giving a data subject an explicit right to request that data collected about them, and not from them, be deleted.

Important definitions in the CTDPA

  1. Consumer rights: Consumers have the following rights under the CTDPA:
    • Right to know/confirm.
    • Right to access.
    • Right to correct.
    • Right to delete.
    • Right to opt-out of certain processing (profiling/targeted advertising).
    • Right to portability/transfer.
    • Right to opt out of sales.
    • Right to opt-in for sensitive data processing.
  2. Controller: A controller is defined as an individual or legal entity that, independently or jointly with others, collects and processes personal data and is responsible for responding to consumer requests about the collection and processing of personal data.
  3. Personal data: Personal data is defined as any information that can be linked to an identifiable individual, excluding publicly available information.
  4. Processing: Processing refers to any action a business may take with respect to personal data, including collecting, using, storing, selling, sharing, analysing, or modifying the data.
  5. Sensitive data: Personal information that includes:
    • Racial or ethnic origin.
    • Religious beliefs.
    • Mental or physical health condition or diagnosis, including a diagnosis made by an HCP.
    • Sexual orientation.
    • Sex life.
    • Citizenship or citizenship status.
    • Genetic or biometric data.
    • Personal data of a known child.
    • Precise geolocation.
    • Consumer health data.
    • Status as a victim of crime.

Obligations on businesses

The CTDPA regulates all businesses that conduct business in the state or produce products or services targeted to consumers in the state, and that met one of two thresholds in the preceding calendar year:

  1. Processed personal data of at least 100,000 consumers (excluding personal data processed solely for completing a payment transaction), or
  2. Processed personal data of at least 25,000 consumers and derived at least 25% of gross revenue from the sale of personal data.

How does Connecticut’s Privacy Law compare to other Data Protection Regulations?

Connecticut’s Privacy law is similar to Colorado’s and Virginia’s Privacy Acts. The law has similar personal data security and disclosure requirements for businesses that meet prescribed thresholds. However, Connecticut’s Privacy law has two shortcomings:

  1. It does not require controllers or processors to perform Data Protection Impact Assessments (DPIAs) when processing minors’ data. The DPIA is also not required when processing data for the purpose of profiling.
  2. The Privacy law does not include any provisions for data breach notifications. However, Connecticut’s General Statute regarding data privacy breaches was updated late last year with a time period of 60 days for notification. Colorado, in comparison, only allows 30 days for data subject notification. 

Finding out more

You can read the full text of the Act Concerning Personal Data Privacy and Online Monitoring on the Connecticut General Assembly’s website.