Connecticut Data Privacy Act (CTDPA): An Overview

Connecticut was the fifth US state to pass a consumer privacy law, which has an effective date of July 1st, 2023. It is technically the “Personal Data Privacy and Online Monitoring Act”, but more broadly known as the Connecticut Data Privacy Act or CTDPA. The law shares the most similarities with Colorado’s CPA and Virginia’s CDPA, having a bit more of a “consumer-friendly” focus, as opposed to Utah’s more business-friendly law.

The Connecticut Data Privacy Act (CTDPA) was signed into law on May 10th, 2022, giving companies doing business in the state less than two years to prepare for compliance by mid-2023. The law protects the privacy rights of residents of Connecticut and establishes data privacy responsibilities for companies doing business in the state (i.e. processing the data of Connecticut residents).

The CTDPA applies to the sale of personal data, and defines a sale as: “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”

Like the CCPA and CPA, but unlike Utah, the Connecticut privacy law includes language that a sale can also occur “in exchange for other valuable consideration”, i.e. not strictly direct monetary exchange.

Additionally, unlike California’s Privacy Rights Act (CPRA), Connecticut’s law does not apply to the sharing of data.

Like the other US state laws, the CTDPA uses an opt-out model, which means that personal data can be collected without requiring consumers’ consent, but consent must be obtained before the data can be sold (with some exceptions).

The CTDPA applies to “controllers” and “processors” of data, which is fairly standard language in consumer privacy laws. A controller is “an individual who, or legal entity that, alone or jointly with others determines the purposes and means of processing personal data”.

A processor is “an individual who, or legal entity that, processes personal data on behalf of a controller.” Personal data is: “any information that is linked or reasonably linkable to an identified or identifiable individual.”

While the law’s language refers to “a person”, for the most part compliance responsibilities will fall to companies and other organizations looking to sell personal data.

A consumer, as defined by the law, refers to an individual who is a Connecticut resident acting as a private person. So individuals “acting in a commercial or employment context” are explicitly excluded, and any personal data collected in an employment or business to business relationship is not covered by the CTDPA.

Exclusions to the definition of personal data

Under the Connecticut privacy law, the data that has been de-identified/anonymized and cannot reasonably be used to identify a person or infer identity, and the data that is publicly available are not classified as personal data.

Definition of sensitive personal data

There is also a more granularly specified and more regulated category of personal data, classified as “sensitive”. It includes personal data that could reveal the following, or be used to cause harm based on these revelations:

• racial or ethnic origin
• religious beliefs
• mental or physical health condition or diagnosis
• sex life or sexual orientation
• citizenship or immigration status
• genetic or biometric data for the purpose of uniquely identifying an individual
• personal data collected from a known child
• precise geolocation data

Personal data of children

The CTDPA takes its definition of “child” from the Children’s Online Privacy Protection Act (COPPA), referring to individuals under the age of 13. To comply with the CTDPA, controllers and processors must also comply with parental consent requirements outlined by COPPA.

However, under Connecticut’s privacy law, if a controller has “actual knowledge” that a consumer is between 13 and 15 years of age, they may not “willfully disregard” this information and process the consumer’s personal data for targeted advertising or sell it without first obtaining consent. This is in line with CPRA requirements as well.

The CDTPA requires opt-in consent for collection and processing of sensitive data, so consent must be obtained before or at the time of collection. A consent management platform can enable controllers to obtain valid consent for the collection and processing of sensitive personal data.

Like Virginia and Colorado, the CTDPA does not have a revenue threshold. For example, by comparison, in California and Utah it’s US $25 million annual gross revenue.

For Connecticut’s privacy law to apply, an organization has to:

• control or process the personal data of 100,000 or more consumers annually
  • unless the personal data is controlled or processed solely for the purpose of completing a payment transaction

  or

• derive over 25 percent of their gross revenue from the sale of personal data, and
  • control or process the personal data of 25,000 or more consumers

   

The 25 percent threshold of gross revenue obtained from data sales is significantly lower than the 50 percent threshold in Virginia and Utah’s laws, and thus will likely apply to more and smaller organizations.

Organizational exemptions

The Connecticut data privacy law also exempts the following entities from compliance requirements:

• state and local government entities
• nonprofits
• institutions of higher education
• certain national security associations
• financial institutions covered by the Gramm-Leach-Bliley Act (GLBA)
• “covered entities” and “business associates” as defined under the Health Insurance Portability and Accountability Act (HIPAA)

In addition to HIPAA-related exceptions, organizations processing relevant kinds of data should ensure that they familiarize themselves with additional health and life sciences-related exemptions outlined in the CTDPA.

Data Exemptions

In addition to the data exemptions for de-identified and publicly available data, or data collected and processed in the course of an employment or business relationship, data exemptions under the CTDPA also include data regulated under the following regulations:

• Fair Credit Reporting Act (FCRA)
• Driver’s Privacy Protection Act (DPPA)
• Family Educational Rights and Privacy Act (FERPA)
• Farm Credit Act (FCA)
• Airline Deregulation Act (ADA)

Employment exemptions

Like Virginia and Utah, Connecticut exempts personal data processed or maintained:

• in the course of an individual applying to, or acting as an employee, agent, or independent contractor of a controller, processor, or third party, to the extent that the data is collected and used within the context of that role

or

• as emergency contact information for an individual and used for emergency contact purposes

or

• to administer benefits for another individual and used to administer those benefits

As noted, the CTDPA is more “user-friendly” than Utah’s law, for example, and consumers residing there have more rights. There are some restrictions on these rights, however, for example relating to preventing the revelation of trade secrets.

The primary rights are:

• Access – the right to confirm whether a controller is processing their personal data and to have access to such data, with some exceptions
• Correction – the right to have inaccuracies in their collected personal data corrected, with some limitations
• Deletion – the right to have personal data that was provided by or about them deleted by the controller or processor
• Portability – the right to obtain a portable copy of their personal data, to a technically feasible extent and with some restrictions
• Opt-out – the right to opt out of the processing of their personal data for the purposes of:
  • targeted advertising
  • sale
  • profiling in connection with automated decision-making that could have legal or comparably significant effects

Under the CTDPA, controllers must respond to consumer requests within 45 days. This period can be extended by an additional 45-day period if “reasonably necessary”, for example if the controller has a high volume of requests or the consumer’s request is particularly complex.

Consumers also have the right to appeal controllers’ denials of their requests, which isn’t the case under all US privacy laws. They also have the ability to designate another person as an authorized agent who can exercise their right to opt out on the consumer’s behalf.

Connecticut’s data privacy law does not provide consumers with private right of action (suing controllers in the case of a violation that affects them). To date, among the US privacy laws, only California provides that right.

Requirements for valid consent

Like the European Union’s General Data Protection Regulation (GDPR), the CTDPA requires consent to be “freely given, specific, informed and unambiguous”.

Consent must be obtained before processing sensitive personal data or the data of children. Where children’s data is concerned, consent must be obtained from a verifiable parent or legal guardian.

Consumer consent must first be obtained, if a controller wants to process personal data for a purpose other than that communicated to consumers, or for a period of time longer than that communicated to consumers.

Dark patterns and consent

The CTDPA also explicitly excludes dark patterns in the definition of consent, i.e. if they are used, consent is not valid because it violates one or more of the requirements that consent needs to be freely given, specific, informed and unambiguous.

Revocable consent

Controllers must provide consumers with a method to revoke their consent that is as accessible and easy to use as the method used to provide consent. If consent is revoked, the controller must cease processing the consumer’s personal data “as soon as practicable but no later than 15 days after receipt of the request.”

Consumers must be provided with a “reasonably clear and meaningful” privacy notice that includes:

• categories of personal data processed
• purpose(s) of processing the data
• instructions to exercise consumers’ rights, including:
  • how to submit a rights-related request
  • how to appeal a rejection of a request
• categories of personal data shared with third parties
• online means of contact for the controller, e.g. email address

Controllers must limit collection of personal data to what is “adequate, relevant and reasonably necessary” for the disclosed processing purposes.

Controllers may not process personal data for purposes that are “neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed”, unless consumers’ consent has been obtained prior to collection and processing.

Controllers must “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.” These practices have to take the volume and nature of the personal data collected and processed into account. (Greater amounts of data or data of greater sensitivity should be subject to more stringent processes and protections.)

Controllers are prohibited from discriminating against consumers for exercising their rights under Connecticut’s privacy law, or from violating other state or federal laws that prohibit unlawful discrimination against consumers.

The law does note that if a consumer opts out of processing, but that decision conflicts with their privacy settings or voluntary participation in a loyalty or rewards program, the controller may notify the consumer of the conflict and ask them to reconfirm their privacy setting or program participation.

Controllers must conduct a data protection assessment (DPA) for personal data processing activities that present “heightened risk of harm to a consumer.” These DPAs must identify and weigh risks and benefits of the processing to consumers, the controller, other stakeholders and the public at large. Activities of heightened risk include:

• processing personal data for targeted advertising
• selling personal data
• processing sensitive data
• processing personal data for profiling where it involves a foreseeable risk of:
  • unfair or deceptive treatment or unlawful disparate impact on consumers
  • financial, physical or reputational injury to consumers
  • intrusion upon the solitude or seclusion or private affairs of consumers
  • other substantial injury to consumers

   

If an investigation into an alleged violation is launched by the Connecticut Attorney General, the controller must provide the DPAs for compliance evaluation.

DPAs are not retroactive under the CTDPA, so will need to be created and maintained from July 1st, 2023 onward. However, similar to Virginia and Colorado, if the controller already creates DPAs to satisfy the requirements of another law, and the assessments are “reasonably similar,” then those pre-existing DPAs can be used to satisfy CTDPA requirements.

Similar to the requirements of the CCPA/CPRA, if a controller sells personal data to third parties or processes it for targeted advertising, the controller must provide a “clear and conspicuous link” on their website that enables consumers to opt out of either of those activities. Exact text requirements for the link are not specified, but it would likely be similar to the CCPA/CPRA’s required “Do Not Sell or Share My Personal Information”.

As of January 1st, 2025, controllers must allow consumers to opt out of personal data collection to be used for targeted advertising, or the sale of their personal data, via an “opt-out preference signal”. Consumers would send this signal, which would include consent preference, via a platform, technology or mechanism like a consent management platform. The Global Privacy Control (GPC) is a prominent variant of this browser-based signal, and it is respected by the Usercentrics Consent Management Platform (CMP).

Similar to the requirements for valid consent, the CTDPA requires that this opt out signal must:

• • rely on consumers’ affirmative unambiguous choice rather than a default setting
  • not unfairly disadvantage another controller
  • be consumer-friendly and easy to use
  • be as consistent as possible with other similar mechanisms required by other laws
  • enable the controller to accurately determine if a consumer is a resident of the state and thus making a legitimate opt out request

Under the CTDPA, the Attorney General has exclusive enforcement authority (as noted, there is no private right of action). Violations of the law are considered unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA). As such, the Connecticut data privacy law does not outline specific penalties itself, financial or otherwise.

Under the CUTPA, courts can impose civil penalties of up to US $5,000 for willful violations and award actual and punitive damages, costs, and attorneys’ fees. Courts can also issue restraining orders, which could lead to a cease of data collection. Violation of a restraining order could result in a US $25,000 penalty.

From when the CTDPA comes into effect on July 1st, 2023, companies that are provided with a notice of alleged violation(s) will receive a 60-day cure period, if it is determined that a cure is possible, to enable them to stop and repair the violation. This cure period is twice as long as that under some other laws, like Utah’s. However, the provision of this cure period will only last from July 1st, 2023 to December 31st, 2024.

The CTDPA has a sunset provision, so as of January 1st, 2025, there will no longer be a right to cure. The Attorney General will no longer have to issue notice and provide 60 days to cure, though they will still have that option, with the decision based on:

• the number of violations
• the size and complexity of the controller or processor
• the nature and extent of the controller’s or processor’s processing activities
• the substantial likelihood of injury to the public
• the safety of persons or property
• whether the alleged violation was likely caused by human or technical error

If the Attorney General decides not to provide notice and a cure period (e.g. for a particularly large or damaging violation), they can pursue penalties for the violation right away.

The Connecticut Attorney General has to submit a report to the Connecticut General Assembly (government) by February 1st, 2024, reporting on:

• how many notices of violations were given
• the nature of each violation
• the amount cured
• any other matter the Attorney General deems relevant

Starting September 1st, 2022, the Connecticut General Assembly convened a task force to study data privacy topics, including:

• information sharing among health care and social care providers to make recommendations aimed at eliminating health disparities and inequities across sectors
• algorithmic decision-making and recommendations to reduce related bias
• the possibility of legislation on complying with parent deletion requests under COPPA
• age verification of children on social media
• data colocation issues
• possible expansion of CTDPA

The task force will have until January 1st, 2023 to submit findings and recommendations. This information will, no doubt, be influential on future amendments and expansions of the CTDPA.

The CTDPA requires obtaining consumers’ consent under more circumstances than some of the other state-level data privacy laws passed before it, particularly Utah’s.

Controllers must also notify consumers about data collection and processing under all circumstances on their websites, using a privacy notice/page. This enables the requirement that when consent is required, it be “freely given, specific, informed and unambiguous”.

Consent must be obtained before collection and processing of children’s data, sensitive data, if the controller wants to collect and process additional data beyond what they have provided notification about, or if the purpose for the data processing changes from what is stated.

Changing or revoking consent must also be as accessible and easily done as giving consent, and consumers can opt out of the processing of their data at any time for the purposes of targeted advertising, sale, or use of automated decision-making technologies.

A consent management platform like the Usercentrics CMP can enable compliance with the CTDPA for all of these requirements. It can help automatically populate a privacy policy and keep it up to date to ensure consumer notification is always accurate. It can collect consent for the circumstances when it’s needed, and enable consumers to opt out of data processing. It can also work with preference signals like the GPC.

With geolocation services, different configurations of the CMP can be displayed to users in different places, enabling compliance with any or all of the US state-level laws, and/or those abroad (like the GDPR).

As individual states continue to draft and pass privacy laws, it shows the evolution of thought around data privacy, and the influence of changing consumer attitudes. Inclusions like “opt out preference signal” show that technologies that are still relatively new are gaining traction among consumers, tech companies, and governments.

The Connecticut Data Privacy Act shows a “user-centric” aspect on many fronts, and provides residents of Connecticut with a variety of ways to control their privacy and the use of their data.

The Connecticut General Assembly is clearly looking to the future with the law, with plans and mandates for reporting and recommendations already set out. By 2025 there should be plenty of information to influence beneficial amendments to the law. Because of a lack of inclusion of privacy right of action, unlike in California, consumer class-action lawsuits will not be a potential influence on future amendments to the CTDPA.

The Connecticut data privacy law provides a number of consumer rights, as well as requirements for notification and circumstances under which consent must be obtained before collecting and processing data. Consulting qualified legal counsel is recommended to determine your organization’s potential responsibilities, actions needed to ensure privacy compliance when the law comes into effect, and at the close of sunset periods. Proactive efforts to protect user privacy are also always a good idea to help build user trust and secure high-quality data for marketing operations.

If you have questions or interest in implementing a consent management platform to help achieve compliance with privacy laws in the United States and around the world, talk to one of our experts.