Connecticut Privacy Law

In May 2022, the Connecticut House of Representatives and Senate approved an Act Concerning Personal Data Privacy and Online Monitoring.

What is the Connecticut Privacy Law about?

The law is quite comprehensive with strict provisions on a data subject’s rights to request data deletion data and withdraw their consent. The law also has a provision giving a data subject an explicit right to request that data collected about them, and not from them, be deleted.

Obligations on businesses

Once enacted, Connecticut’s Privacy law will regulate all businesses that conduct business in the state or produce products or services targeted to consumers in the state. The law establishes one of two thresholds in the preceding calendar year:

  1. Processed personal data of at least 100,000 consumers (excluding personal data processed solely for completing a payment transaction), or
  2. Processed personal data of at least 25,000 consumers and derived at least 25% gross revenue from the sale of personal data.

The Connecticut Privacy Law commencement date

The Law is set to come into effect in July 2023.

Finding out more

You can read the full text of the Act Concerning Personal Data Privacy and Online Monitoring on the Connecticut General Assembly’s website.

How does Connecticut’s Privacy Law compare to other Data Protection Regulations?

Connecticut’s Privacy law is like Colorado’s and Virginia’s Privacy Acts. The law has similar personal data security and disclosure requirements for businesses that meet prescribed thresholds. However, Connecticut’s Privacy law has two shortcomings:

  1. It does not require controllers or processors to perform Data Protection Impact Assessments (DPIAs) when processing minors’ data. The DPIA is also not required when processing data for the purpose of profiling.
  2. The Privacy law does not include any provisions for data breach notifications. However, Connecticut’s General Statute regarding data privacy breaches was updated late last year with a time period of 60 days for notification. Colorado, in comparison, only allows 30 days for data subject notification.