Connecticut was the fifth US state to pass a consumer privacy law, which has an effective date of July 1st, 2023. It is technically the \u201cPersonal Data Privacy and Online Monitoring Act\u201d, but more broadly known as the Connecticut Data Privacy Act or CTDPA. The law shares the most similarities with Colorado\u2019s CPA<\/a> and Virginia’s CDPA<\/a>, having a bit more of a \u201cconsumer-friendly\u201d focus, as opposed to Utah\u2019s more business-friendly law.<\/p>\n\n\n The Connecticut Data Privacy Act (CTDPA<\/a>) was signed into law on May 10th, 2022, giving companies doing business in the state less than two years to prepare for compliance by mid-2023. The law protects the privacy rights of residents of Connecticut and establishes data privacy responsibilities for companies doing business in the state (i.e. processing the data of Connecticut residents).<\/p>\n The CTDPA applies to the sale of personal data, and defines a sale as: \u201cthe exchange of personal data for monetary or other valuable consideration by the controller to a third party.\u201d<\/em><\/p>\n Like the CCPA and CPA, but unlike Utah, the Connecticut privacy law includes language that a sale can also occur \u201cin exchange for other valuable consideration\u201d<\/em>, i.e. not strictly direct monetary exchange.<\/p>\n Additionally, unlike California\u2019s Privacy Rights Act (CPRA<\/a>), Connecticut\u2019s law does not apply to the sharing of data.<\/p>\n Like the other US state laws, the CTDPA uses an opt-out model, which means that personal data can be collected without requiring consumers\u2019 consent, but consent must be obtained before the data can be sold (with some exceptions).<\/p>\n The CTDPA applies to \u201ccontrollers\u201d and \u201cprocessors\u201d of data, which is fairly standard language in consumer privacy laws. A controller is \u201can individual who, or legal entity that, alone or jointly with others determines the purposes and means of processing personal data\u201d<\/em>.<\/p>\n A processor is \u201can individual who, or legal entity that, processes personal data on behalf of a controller.\u201d<\/em> Personal data is: \u201cany information that is linked or reasonably linkable to an identified or identifiable individual.\u201d<\/em><\/p>\n While the law\u2019s language refers to \u201ca person\u201d, for the most part compliance responsibilities will fall to companies and other organizations looking to sell personal data.<\/p>\n A consumer, as defined by the law, refers to an individual who is a Connecticut resident acting as a private person. So individuals \u201cacting in a commercial or employment context\u201d<\/em> are explicitly excluded, and any personal data collected in an employment or business to business relationship is not covered by the CTDPA.<\/p>\n Exclusions to the definition of personal data<\/strong><\/p>\n Under the Connecticut privacy law, the data that has been de-identified\/anonymized<\/a> and cannot reasonably be used to identify a person or infer identity, and the data that is publicly available are not classified as personal data.<\/p>\n Definition of sensitive personal data<\/strong><\/p>\n There is also a more granularly specified and more regulated category of personal data, classified as \u201csensitive\u201d. It includes personal data that could reveal the following, or be used to cause harm based on these revelations:<\/p>\n Personal data of children<\/strong><\/p>\n The CTDPA takes its definition of \u201cchild\u201d from the Children\u2019s Online Privacy Protection Act (COPPA<\/a>), referring to individuals under the age of 13. To comply with the CTDPA, controllers and processors must also comply with parental consent requirements outlined by COPPA.<\/p>\n However, under Connecticut\u2019s privacy law, if a controller has \u201cactual knowledge\u201d that a consumer is between 13 and 15 years of age, they may not \u201cwillfully disregard\u201d this information and process the consumer\u2019s personal data for targeted advertising or sell it without first obtaining consent. This is in line with CPRA requirements as well.<\/p>\n The CDTPA requires opt-in consent for collection and processing of sensitive data, so consent must be obtained before or at the time of collection. A consent management platform can enable controllers to obtain valid consent for the collection and processing of sensitive personal data.<\/p>\n\n\n Like Virginia and Colorado, the CTDPA does not have a revenue threshold. For example, by comparison, in California and Utah it\u2019s US $25 million annual gross revenue.<\/p>\n For Connecticut\u2019s privacy law to apply, an organization has to:<\/p>\n or<\/li>\n <\/li>\n<\/ul>\n The 25 percent threshold of gross revenue obtained from data sales is significantly lower than the 50 percent threshold in Virginia and Utah\u2019s laws, and thus will likely apply to more and smaller organizations.<\/p>\n\n\n Organizational exemptions<\/strong><\/p>\n The Connecticut data privacy law also exempts the following entities from compliance requirements:<\/p>\n In addition to HIPAA-related exceptions, organizations processing relevant kinds of data should ensure that they familiarize themselves with additional health and life sciences-related exemptions outlined in the CTDPA.<\/p>\n Data Exemptions<\/strong><\/p>\n In addition to the data exemptions for de-identified and publicly available data, or data collected and processed in the course of an employment or business relationship, data exemptions under the CTDPA also include data regulated under the following regulations:<\/p>\n Employment exemptions<\/strong><\/p>\n Like Virginia and Utah, Connecticut exempts personal data processed or maintained:<\/p>\n or<\/p>\n or<\/p>\n As noted, the CTDPA is more \u201cuser-friendly\u201d than Utah\u2019s law, for example, and consumers residing there have more rights. There are some restrictions on these rights, however, for example relating to preventing the revelation of trade secrets.<\/p>\n The primary rights are:<\/p>\n Under the CTDPA, controllers must respond to consumer requests within 45 days. This period can be extended by an additional 45-day period if \u201creasonably necessary\u201d, for example if the controller has a high volume of requests or the consumer\u2019s request is particularly complex.<\/p>\n Consumers also have the right to appeal controllers\u2019 denials of their requests, which isn\u2019t the case under all US privacy laws. They also have the ability to designate another person as an authorized agent who can exercise their right to opt out on the consumer\u2019s behalf.<\/p>\n Connecticut\u2019s data privacy law does not provide consumers with private right of action (suing controllers in the case of a violation that affects them). To date, among the US privacy laws, only California provides that right.<\/p>\n\n\n Requirements for valid consent<\/strong><\/p>\n Like the European Union\u2019s General Data Protection Regulation (GDPR<\/a>), the CTDPA requires consent to be \u201cfreely given, specific, informed and unambiguous\u201d.<\/p>\n Consent must be obtained before processing sensitive personal data or the data of children. Where children\u2019s data is concerned, consent must be obtained from a verifiable parent or legal guardian.<\/p>\n Consumer consent must first be obtained, if a controller wants to process personal data for a purpose other than that communicated to consumers, or for a period of time longer than that communicated to consumers.<\/p>\n Dark patterns and consent<\/strong><\/p>\n The CTDPA also explicitly excludes dark patterns<\/a> in the definition of consent, i.e. if they are used, consent is not valid because it violates one or more of the requirements that consent needs to be freely given, specific, informed and unambiguous.<\/p>\n Revocable consent<\/strong><\/p>\n Controllers must provide consumers with a method to revoke their consent that is as accessible and easy to use as the method used to provide consent. If consent is revoked, the controller must cease processing the consumer\u2019s personal data \u201cas soon as practicable but no later than 15 days after receipt of the request.\u201d<\/em><\/p>\n Consumers must be provided with a \u201creasonably clear and meaningful\u201d privacy notice that includes:<\/p>\n Controllers must limit collection of personal data to what is \u201cadequate, relevant and reasonably necessary\u201d<\/em> for the disclosed processing purposes.<\/p>\n Controllers may not process personal data for purposes that are \u201cneither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed\u201d<\/em>, unless consumers\u2019 consent has been obtained prior to collection and processing.<\/p>\n Controllers must \u201cestablish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data.\u201d<\/em> These practices have to take the volume and nature of the personal data collected and processed into account. (Greater amounts of data or data of greater sensitivity should be subject to more stringent processes and protections.)<\/p>\n Controllers are prohibited from discriminating against consumers for exercising their rights under Connecticut\u2019s privacy law, or from violating other state or federal laws that prohibit unlawful discrimination against consumers.<\/p>\n The law does note that if a consumer opts out of processing, but that decision conflicts with their privacy settings or voluntary participation in a loyalty or rewards program, the controller may notify the consumer of the conflict and ask them to reconfirm their privacy setting or program participation.<\/p>\n Controllers must conduct a data protection assessment (DPA) for personal data processing activities that present \u201cheightened risk of harm to a consumer.\u201d These DPAs must identify and weigh risks and benefits of the processing to consumers, the controller, other stakeholders and the public at large. Activities of heightened risk include:<\/p>\n <\/li>\n<\/ul>\n If an investigation into an alleged violation is launched by the Connecticut Attorney General, the controller must provide the DPAs for compliance evaluation.<\/p>\n DPAs are not retroactive under the CTDPA, so will need to be created and maintained from July 1st, 2023 onward. However, similar to Virginia and Colorado, if the controller already creates DPAs to satisfy the requirements of another law, and the assessments are \u201creasonably similar,\u201d then those pre-existing DPAs can be used to satisfy CTDPA requirements.<\/p>\n Similar to the requirements of the CCPA\/CPRA<\/a>, if a controller sells personal data to third parties or processes it for targeted advertising, the controller must provide a \u201cclear and conspicuous link\u201d on their website that enables consumers to opt out of either of those activities. Exact text requirements for the link are not specified, but it would likely be similar to the CCPA\/CPRA\u2019s required \u201cDo Not Sell or Share My Personal Information\u201d.<\/p>\n As of January 1st, 2025, controllers must allow consumers to opt out of personal data collection to be used for targeted advertising, or the sale of their personal data, via an \u201copt-out preference signal\u201d. Consumers would send this signal, which would include consent preference, via a platform, technology or mechanism like a consent management platform. The Global Privacy Control<\/a> (GPC) is a prominent variant of this browser-based signal, and it is respected by the Usercentrics Consent Management Platform (CMP).<\/p>\n Similar to the requirements for valid consent, the CTDPA requires that this opt out signal must:<\/p>\nWhat is the Connecticut Data Privacy Act?<\/h2>\n
Definitions in the Connecticut Data Privacy Act<\/h4>\n
\n
Who does the Connecticut Data Privacy Act apply to?<\/h2>\n
\n
\n
\n
Exemptions to Connecticut Data Privacy Act compliance<\/h2>\n
\n
\n
\n
\n
\n
What are the consumer rights under the Connecticut Data Privacy Act?<\/h2>\n
\n
\n
Consumer requests, appeals, and litigation<\/h2>\n
What are companies\u2019 obligations under the Connecticut Data Privacy Act?<\/h2>\n
The Connecticut Data Privacy Act and consent<\/h4>\n
Consent for additional or alternative data processing purposes<\/h4>\n
Transparency and purpose specification<\/h4>\n
\n
\n
<\/h4>\n
Data minimization<\/h4>\n
Avoid secondary use<\/h4>\n
Security<\/h4>\n
Nondiscrimination<\/h4>\n
Data protection assessment<\/h4>\n
\n
\n
Notification link requirements for consumer data processing opt-out<\/h4>\n
\n
\n
What are the penalties for noncompliance under the Connecticut Data Privacy Act?<\/h2>\n
Enforcement authority<\/h4>\n