The Connecticut Data Privacy Act (CTDPA) comes into effect July 1, 2023 and will protect the personal data of residents of Connecticut. Companies doing business in the state and collecting personal data need to be clear on their compliance responsibilities.
The apps market has come under increasing scrutiny, and there are regular headlines in the news about children online and concerns about their data and privacy. It’s important for companies to have a reliable compliance solution to mitigate risks and enable them to focus on their core business.
While the CTDPA was influenced by the California Consumer Privacy Act (CCPA) and other US state-level data privacy laws passed before it, data privacy thinking and legislation continue to evolve rapidly. There are differences between the CTDPA and the other state-level data privacy laws, and there is no such thing as “one size fits all” compliance with US data privacy law.
The CTDPA has different thresholds for compliance, different consumer rights, and some differences in types of data included and excluded. It’s important to understand organizations’ compliance responsibilities specific to each law that’s relevant to their business.
User data is critical to marketing operations and revenue goals, but privacy compliance is necessary to avoid the risk of fines, data loss, and damage to brand reputation. It’s also a competitive advantage that helps build user trust, develop higher engagement long term, and boost revenue.
This toolkit provides a step-by-step guide to help bring your marketing strategy into alignment with the CTDPA.
Compliant data is a critical business resource
These steps will help you achieve compliance with the Connecticut Data Privacy Act (CTDPA), which applies to and protects residents of Connecticut. The checklist also includes recommended best practices for data privacy-related user experience.
Step 1: Determine if your company is required to comply.
The CTDPA applies if your for-profit organization:
- processes the personal data of at least 100,000 Connecticut consumers, or
- processes the personal data of at least 25,000 Connecticut consumers and derives at least 50% of annual revenue from selling personal data
Important to know: The CTDPA is in effect as of July 1, 2023. It applies from that date forward and does not apply retroactively.
Step 2: Create a comprehensive Privacy Policy
- Purpose: Inform consumers, at or before the point of data collection, of:
  - the categories of personal data processed by the controller
  - the purposes for which data is processed
  - the categories of personal data that the controller shares with third parties, if any
  - the categories of third parties the controller shares personal data with, if any
- Rights: Inform website visitors of their privacy rights and how to exercise them.
- Language: Ensure the Privacy Policy is clear and easy to understand.
- Implementation: Make information about privacy and user options, such as opting out of consent, available via a banner or pop-up when users visit your site, e.g. with a Consent Management Platform.
Step 3: Inform users about their rights
Consumers’ rights under the CTDPA:
- Right to Access
  - inquire and receive confirmation of whether personal data is being processed, and receive access to it
- Right to Correction
  - have inaccuracies in the personal data collected updated or corrected
- Right to Deletion
  - have personal data that has been collected about them deleted (with exceptions)
- Right to Data Portability
  - a copy of personal data must be provided in a portable and readily usable format
- Right to Opt Out
  - of processing of personal data for the purposes of sale, targeted advertising, or profiling in connection with automated decision-making that could have legal or comparably significant effects
- Right to Non-discrimination
  - for exercising privacy rights
- Rights of Minors
  - consent must be obtained from a parent/guardian if the data subject is a child (under age 13) as regulated by the Children’s Online Privacy Protection Act (COPPA)
- Right to Restrict Use of Sensitive Personal Information
  - limit or refuse the collection or use of personal data the law classifies as sensitive
Step 4: As a best practice, review and update your Privacy Policy or Notice every 12 months
- Review your operations and potential changes in the law every 12 months. Update your Privacy Policy information and the effective date. The effective date should be updated even if you don’t make any other changes to the Policy.
- Transparency: Ensure that the information that users must be notified about is clear, comprehensive and up to date. Ensure that the date of the last update is clearly visible.
- Data sold: List all the categories of personal information that your business has sold in the past 12 months.
Step 5: Enable clear options when consent is required
- When: If the personal data collected is sensitive or that of a child.
- Availability: Easily accessible on your website.
- Method: Via the use of a Consent Management Platform (CMP).
Step 6: Authenticate consent for collection of sensitive personal data or data from minors
- Sensitive Personal Data: Provide clear options to opt out and store preferences for processing of sensitive personal data.
- Consent for Children: Obtain consent from a parent or legal guardian for collection of personal data if the data subject is a child under age 13.
Step 7: Enable consumers to make Data Subject Access Requests (DSARs)
- Provide one or more contact options, e.g. email, toll-free phone number, web form.
- Set up a system to enable submission of DSARs.
Step 8: Set up a system to verify Data Subject Access Requests (DSARs)
- Enable consumers to attach documentation when submitting a request, to enable secure verification of their identity and residency.
- Set up a system for receiving and processing the documentation submitted for verification.
- If your business cannot reasonably verify the consumer’s identity to the appropriate degree of certainty, it must inform the consumer, explain why the request could not reasonably be verified, and give the consumer the opportunity to rectify the request.
Step 9: Keep track of Data Subject Access Requests (DSARs)
- Set up a system to track all requests.
- Time period: keep records of all requests and your business responses for 2 years.
Step 10: Fulfill Data Subject Access Requests (DSARs)
- Standard time period: within 45 days.
- Extended time period: up to 90 days.
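Steps 7 to 10 describe one workflow: take requests in through several channels, verify the requester (telling them why when verification fails), track every request, and respond within the standard or extended period while keeping records for two years. The following in-memory ledger is an added example of that workflow; it is not code from the original toolkit or from any vendor product. Class and field names, the consumer-facing message text, the intake channels and in-memory storage are assumptions of the example; the 45-day, 90-day and 2-year figures are the ones the checklist lists.

```python
"""DSAR intake, verification, tracking and fulfilment ledger (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional

STANDARD_RESPONSE_DAYS = 45                        # Step 10: standard period
EXTENDED_RESPONSE_DAYS = 90                        # Step 10: extended period
RETENTION_YEARS = 2                                # Step 9: keep requests and responses 2 years
INTAKE_CHANNELS = {"email", "phone", "web_form"}   # Step 7: assumed contact options


class Status(Enum):
    RECEIVED = "received"
    VERIFIED = "verified"
    UNVERIFIED = "could_not_verify"   # consumer was told why and may rectify
    FULFILLED = "fulfilled"


@dataclass
class Dsar:
    request_id: str
    right: str                 # e.g. "access", "deletion", "portability"
    received: date
    channel: str
    status: Status = Status.RECEIVED
    extended: bool = False
    responded: Optional[date] = None
    events: list = field(default_factory=list)   # audit trail (Step 9)

    def deadline(self) -> date:
        days = EXTENDED_RESPONSE_DAYS if self.extended else STANDARD_RESPONSE_DAYS
        return self.received + timedelta(days=days)

    def retain_until(self) -> Optional[date]:
        """Date until which the request and its response must be kept."""
        if self.responded is None:
            return None
        target_year = self.responded.year + RETENTION_YEARS
        try:
            return self.responded.replace(year=target_year)
        except ValueError:   # responded on 29 Feb and the target year is not a leap year
            return self.responded.replace(year=target_year, day=28)


class DsarLedger:
    def __init__(self) -> None:
        self._requests: dict[str, Dsar] = {}

    def receive(self, request_id: str, right: str, received: date, channel: str) -> Dsar:
        if channel not in INTAKE_CHANNELS:
            raise ValueError(f"unknown intake channel: {channel}")
        req = Dsar(request_id, right, received, channel)
        req.events.append((received, "received via " + channel))
        self._requests[request_id] = req
        return req

    def record_verification(self, request_id: str, verified: bool, on: date,
                            reason: str = "") -> str:
        """Record the identity/residency check and return the message sent to the consumer."""
        req = self._requests[request_id]
        if verified:
            req.status = Status.VERIFIED
            msg = f"Request {request_id} verified; response due by {req.deadline()}."
        else:
            if not reason:
                raise ValueError("a failed verification must state why")
            req.status = Status.UNVERIFIED
            # Step 8: explain why, and let the consumer rectify the request
            msg = (f"Request {request_id} could not be verified: {reason}. "
                   "You may resubmit with additional documentation.")
        req.events.append((on, msg))
        return msg

    def extend(self, request_id: str, on: date, reason: str) -> date:
        """Move an open request to the 90-day period, recording why."""
        req = self._requests[request_id]
        if req.status == Status.FULFILLED or on > req.deadline():
            raise ValueError("can only extend an open request before its deadline")
        req.extended = True
        req.events.append((on, "extended: " + reason))
        return req.deadline()

    def fulfil(self, request_id: str, responded: date) -> date:
        """Close a verified request and return the date its records may be discarded."""
        req = self._requests[request_id]
        if req.status != Status.VERIFIED:
            raise ValueError("only verified requests can be fulfilled")
        req.status = Status.FULFILLED
        req.responded = responded
        req.events.append((responded, "fulfilled"))
        return req.retain_until()

    def overdue(self, today: date) -> list[str]:
        """Received or verified requests whose deadline has passed."""
        return sorted(r.request_id for r in self._requests.values()
                      if r.status in (Status.RECEIVED, Status.VERIFIED) and today > r.deadline())

    def purgeable(self, today: date) -> list[str]:
        """Fulfilled requests whose retention period has ended."""
        return sorted(r.request_id for r in self._requests.values()
                      if r.retain_until() is not None and today > r.retain_until())
```

The `events` list on each request is the record the 2-year retention rule applies to; `overdue()` is the query a compliance owner would run daily, and `purgeable()` the one a data-minimisation job would run before deleting closed requests.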