Connecticut recently became the fifth state with a comprehensive consumer privacy law when Governor Ned Lamont signed An Act Concerning Personal Data Privacy and Online Monitoring, which we will refer to as the Connecticut Data Privacy Act (CTDPA). The other state laws are the California Consumer Privacy Act of 2018 (CCPA) and California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (CDPA), the Colorado Privacy Act (CPA), and the Utah Consumer Privacy Act (UCPA).

In comparison to its predecessors, the CTDPA follows the relatively more consumer-friendly approach reflected in the CPA despite becoming law about two months after Utah adopted a more business-friendly statute. But the CTDPA’s core requirements are still generally aligned with the CDPA, CPA, and UCPA and will look familiar to practitioners familiar with those statutes.

This post summarizes several key takeaways from the CTDPA.

Application and scope is similar to the Virginia and Colorado statutes.

The CTDPA applies to persons that:

(a)   conduct business in Connecticut or otherwise produce products or services targeted at Connecticut residents; and

(b) meet either of the following thresholds:

(i) in a calendar year control or process personal data of 100,000 or more Connecticut residents excluding “personal data controlled or processed solely for the purpose of completing a payment transaction,” or

(ii) control or process personal data of at least 25,000 Connecticut residents and derive over 25% of gross revenue from the sale of Connecticut residents’ personal data.

The “payment transaction” exclusion to the first threshold is a unique element of the CTDPA in comparison to the CDPA and CPA. Depending on the interpretation of “payment transactions,” that exclusion could remove businesses who merely collect personal information to fulfill sales to Connecticut residents from the scope of the law.

The law also includes broad entity-level exceptions for Connecticut government entities, financial institutions subject to Title V of the Gramm-Leach-Bliley Act, covered entities and business associates governed by HIPAA, nonprofit organizations, and institutions of higher education.

Like the CDPA, CPA, and UCPA, the CTDPA also defines personal data as “information that is linked or reasonably linkable to an identified individual or an identifiable individual,” with similar exclusions for deidentified and publicly-available information.

The CTDPA grants certain Connecticut residents rights similar to those provided under the Virginia and Colorado statutes.

The CTDPA provides several rights to Connecticut consumers—a term defined to exclude individuals acting in commercial, employment, and business-to-business transaction contexts—similar to those provided in the CDPA, CPA, and UCPA. In particular, the statute gives Connecticut consumers rights to: (1) confirm whether a controller processes their personal data and obtain access to such data, (2) correct inaccuracies in their personal data, (3) delete personal data provided by or obtained about the consumer, and (4) obtain copies of their personal data in a portable and readily-usable format, to the extent technically feasible.

But unlike the UCPA, the Connecticut law aligns with the CDPA and CPA by providing rights to opt-out of targeted advertising personal data processing, sales of personal data, and profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer. The CTDPA also aligns with the CPA by requiring controllers to allow consumers to opt-out of the processing or sale of their personal data for targeted advertising through an “opt-out preference” signal by January 1, 2025.

The CTDPA imposes consumer notice requirements on controllers that generally align with those of the Virginia, Colorado, and Utah laws. Controllers are required to make disclosures about the categories of personal data processed and disclosed to third parties, personal data processing purposes, how consumers can exercise their rights, including a mechanism to appeal decisions about consumer rights requests, and the categories of third parties who receive personal data. The CTDPA also adds a requirement that the notice include an active email address or other online mechanism to contact the controller.

Contracting requirements similar to those imposed by the Virginia, Colorado, and Utah laws will also be required for Connecticut.

Like the Virginia, Colorado, and Utah laws, the CTDPA also requires that processor contracts contain GDPR-style processing details, and provide that the processor will ensure each person processing personal data is subject to a duty of confidentiality and flow the same written contractual obligations regarding personal data down to its subcontractors. The CTDPA also incorporates other provisions tracking the CDPA and CPA that require processors to agree to return and delete all personal data, provide information requested by controllers to demonstrate the processor’s legal compliance, and allow for and cooperate with assessments by controllers.

The CTDPA requires data protection assessments like the Virginia and Colorado laws.

The CTDPA requires data protection assessments for various activities such as targeted advertising, personal data sales, sensitive data processing, and profiling purposes that present a heightened risk of harm to consumers. These assessment requirements align with the CDPA and CPA, though the UCPA notably does not require such assessments.

CTDPA’s definition of “sales” of personal data aligns with the broad definitions in the California and Colorado laws.

The CTDPA’s definition of “sales” includes both personal data exchanges for “monetary consideration” and for “other valuable consideration.” That approach aligns with the California and Colorado definitions of that term and is significantly broader than the Virginia and Utah definitions that limit “sales” to personal data exchanges for “monetary consideration.”

Controllers have various additional obligations under the CTDPA.

The statute includes a laundry list of other requirements that apply to controllers, which include provisions that:

1. Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for processing disclosed to the consumer;
2. Require consent before processing personal data for purposes that are not reasonably necessary for and compatible with the processing purposes disclosed to the consumer;
3. Require reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data;
4. Require consent to process “sensitive data”;

1. Prohibit personal data processing in violation of federal and state antidiscrimination laws;

6. Require controllers to offer mechanisms to withdraw consent that operate as easily as the methods to provide consent and that cease relevant data processing within fifteen days of consent withdrawal; and
7. Prohibit the sale of personal data or processing of personal data for purposes of targeted advertising without the consumer’s consent, where a controller has actual knowledge and willfully disregards that a consumer is 13-15 years old.

Effective on July 31, 2023.

Organizations will have a little over a year to address the requirements of the CTDPA, which becomes effective on July 31, 2023.

The CTDPA has no private right of action and limited rights to cure.

The CTDPA does not include a private right of action—enforcement authority is exclusively granted to the Connecticut attorney general.

The law also includes a qualified right to cure, for at least a while: between July 1, 2023 and December 31, 2024, the attorney general must, before initiating an action for violation of the CTDPA, issue a notice of violation to the controller if the attorney general “determines that a cure is possible.” The attorney general can then bring an enforcement action if the violation is not cured within 60 days. From January 1, 2025 onwards, however, the attorney general has discretion as to whether to issue a notice of violation and provide an opportunity to cure.

Violations of the CTDPA will constitute unfair and deceptive trade practices under Connecticut law, which are subject to civil penalties up to $5,000 per willful violation.

***

The patchwork of US state privacy legal requirements continues to expand with the adoption of the CTDPA. While the CTDPA is very similar to the previously adopted CPA, it is nonetheless an example of a state adopting relatively consumer-favorable requirements, in contrast to Utah’s adoption of a more business-friendly model.