Connecticut Becomes the Fifth State to Enact A Comprehensive Consumer Privacy Law (the “CTDPA”), Following The Rest Of The Alphabet (CCPA, CPRA, VCDPA, CPA and UCPA)
Covered Businesses. Covered businesses are persons that conduct business in Connecticut or produce products or services targeting Connecticut residents and during the preceding calendar year:
Consistent with most other states that have enacted a comprehensive consumer privacy law, the CTDPA exempts institutions and data that are already subject to the Gramm-Leach-Bliley Act and/or the Health Insurance Portability and Accountability Act (HIPAA). The CTDPA also does not apply to several other kinds of businesses and data, such as nonprofit entities, many schools, and consumer reports.
Consumers. Connecticut defines Consumers as residents of the state not acting in an employment or commercial context, thereby recognizing employee and “business-to-business” exceptions consistent with the Virginia, Colorado, and Utah laws.
Personal Data. The CTDPA defines Personal Data as any information that is linked or reasonably linkable to an identified or identifiable individual. Personal Data does not include de-identified data or publicly available information.
Sensitive Data. The CTDPA imposes additional obligations related to “Sensitive Data”—which it defines as Personal Data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship, or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; Personal Data collected from a known child (i.e., under age 13); or precise geolocation data.
Targeted Advertising. Consistent with other states, the CTDPA defines “targeted advertising” as displaying to a consumer an advertisement that is selected based on personal data obtained or inferred over time from the consumer’s activities across nonaffiliated websites, applications, or online services to predict consumer preferences or interests. It does not include, among other things, advertisements based on activities within a controller’s own websites or online applications, or the context of a consumer’s current search query, visit to a website, or online application.
Consumers are given the right to access, correct, delete, obtain, and confirm their Personal Data, and to opt out from certain uses of their Personal Data, including: processing of Personal Data for targeted advertising; sale of Personal Data (subject to certain exceptions); and automated profiling to make legal or similarly significant decisions concerning the Consumer.
Like the other state laws, the CTDPA prevents Covered Businesses from discriminating against a Consumer for exercising these rights.
The CTDPA imposes data minimization obligations on controllers, meaning that they may only collect the minimum amount of Personal Data necessary for the purpose of the collection, and may only use the Personal Data for the purposes disclosed to the consumer.
A controller must provide Consumers with a reasonably accessible, clear, and meaningful privacy notice that contains the information and components enumerated in the CTDPA, including the categories of Personal Data processed and the purpose for processing. Importantly, the privacy notice must include a description of the manner by which Consumers can exercise their aforementioned rights.
Controllers may not process Sensitive Data without first obtaining the Consumer’s Consent. Nor may controllers process Personal Data for purposes not previously disclosed unless the controller first obtains the Consumer’s Consent. Notably, the CTDPA’s definition of Consent expressly excludes an agreement obtained through the use of “dark patterns.”
Controllers must allow consumers to exercise their opt-out rights through a clear and conspicuous link on their website and eventually through an opt-out preference signal by January 2025.
Like California, Virginia, and Colorado, Connecticut requires data controllers to conduct data protection impact assessments (DPIAs) for certain high-risk processing activities, including: processing Personal Data for targeted advertising purposes; selling Personal Data; processing Personal Data for automated profiling to make legal or similarly significant decisions concerning the Consumer, as enumerated in the statute; and processing Sensitive Data.
Controllers are required to establish, implement, and maintain reasonable administrative, technical, and physical practices to protect the confidentiality, integrity, and accessibility of Personal Data, appropriate to the volume and nature of the data at issue.
Similar to other state laws, a controller may only disclose personal data to a processor pursuant to a written contract that clearly states the instructions for processing and identifies the Personal Data subject to processing, amongst other things. The contract must also impose certain obligations on the processor, as set forth in the CTDPA, such as by including a provision that ensures that the individuals processing the Personal Data are subject to a duty of confidentiality.
Like most other state laws (aside from California), the CTDPA does not provide for a private right of action. It will instead be enforced by the Connecticut Attorney General, who can impose monetary penalties under the Connecticut Unfair Trade Practices Act. The CTDPA provides, during the period of July 1, 2023 through December 31, 2024, for a 60-day cure period upon written notice from the Attorney General of an alleged violation, if the Attorney General determines that a cure is possible. Beginning on January 1, 2025, the Attorney General has discretion to grant an alleged violator an opportunity to cure.
[1] Connecticut is the first to include an explicit carve-out for payment transaction data.