Connecticut may have been one of the smallest of the 13 original colonies, but its size belies its impact on the Revolutionary War.

Known as the Provision State, Connecticut delivered outsized but critical support to the revolution through food, ammunition, goods, and soldiers. Privateers dedicated to capturing British ships and cargo hid along its shores, and more troops in the Continental Army came from Connecticut than any other colony besides Massachusetts.

With the state’s history as a leader among peers, it shouldn’t be surprising that Connecticut is only the fifth state in the U.S. to pass comprehensive consumer digital privacy legislation. 

When signing the Connecticut Personal Data Privacy and Online Monitoring Act (CTDPA), Governor Ned Lamont discussed issues that are at the core of modern data privacy advocacy:

“Digital commerce is now a way of life for nearly all of us, and . . . our actions are being logged and frequently sold and shared with others. Consumers have a right to know what information of theirs is being collected, have the ability to correct any false data that is collected, and have the right to delete that data if they don’t want it collected.”

Like most other privacy legislation, the CTDPA is loosely based on the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). But like the other laws passed in Virginia, Colorado, and Utah, the CTDPA has unique provisions and requirements.

Keep reading to learn the ins and outs of the newest star in U.S. consumer privacy’s legislative flag.

What businesses are impacted by the CTDPA?

The CTDPA is kind of like an old-fashioned teeter-totter whose balance is constantly tilting between the Virginia Consumer Data Protection Act (VCDPA) on one seat and the Colorado Privacy Act (CPA) on the other. On July 1, 2023, when the CTDPA goes into effect, organizations (both data controllers and processors) that meet the following specifications will be subject to compliance with its stipulations:

  • Conducts business in, produces a product or service targeted to, or collects data from residents of Connecticut
  • Satisfies one or more of the following thresholds:
    • Controls or processes the personal data of 100K+ consumers per calendar year
    • Derives over 25% of gross revenue from the sale of personal data and controls or processes the data of more than 25K consumers

Unlike Utah’s law, which sets an annual revenue threshold before compliance becomes mandatory, the CTDPA has a lower trigger than Virginia but a higher trigger than Colorado for revenue derived from the sale of data. 

Somewhat uniquely, the CTDPA explicitly excludes data used only to process credit or debit card payments to complete a sale from these thresholds. 

How is data protected under the CTDPA?

The CTDPA defines personal data broadly, stipulating that any information that is “linked or reasonably linked to an identified or identifiable individual” is protected as long as that information doesn’t include de-identified or publicly available information. While that may seem like a huge swath of data, its impact is somewhat limited by the definition of “publicly available” (information made available via public records or widely distributed media). 

Similar to the more consumer-friendly California and Colorado laws, the CTDPA includes both “monetary or other valuable considerations” as qualifiers for the “sale of personal data.” This differentiates the law from its sister legislative acts in Virginia and Utah, which only consider data “sold” if money exchanges hands. 

Sensitive personal data

It has now become standard for privacy laws to require extra protection for certain categories of information usually defined as “sensitive data.” By law, this type of information includes anything that reveals:

  • Race, religious beliefs, sexual orientation, citizenship or immigration status, medical history, mental health diagnoses, or treatment plans
  • Genetic or biometric data
  • Specific geolocation information
  • Data collected from a known child (under the CTDPA, parental consent is required before collecting any information from children younger than 16)

While opt-out methodologies are standard for many U.S. businesses, building an opt-in privacy program that requires clear and affirmative action from a user before data collection (i.e., no pre-ticked boxes) is a privacy best practice. U.S. laws are currently split on this topic, with the CTDPA joining the opt-in crew where sensitive data is concerned.

What rights do consumers have under the CTDPA?

Consumer digital privacy rights are starting to coalesce around a standard group of principles, and the CTDPA is similar to most other state laws in this regard. Under the CTDPA, consumers have the right to:

  • Confirm whether or not a controller is processing personal data and access such personal data (right to know, right to access)
  • Correct inaccuracies in personal data (right to correct)
  • Delete personal data they’ve provided to the controller (right to delete)
  • Obtain a copy of the data they’ve provided in a way that’s easy to transfer and use (right to data portability)
  • Opt out of having their data processed for targeted advertising, sold, or used in automated profiling decisions (right to opt out)

One unique feature of the Connecticut statute is that several of these rights (right to access, right to data portability) do not apply where exercising them would require a controller to reveal a trade secret.

How will the CTDPA be enforced?

Another practice that is rapidly becoming standard operating procedure for U.S. privacy laws is to place responsibility for enforcing the law within the office of the state attorney general. Connecticut plays follow the leader in this regard. 

The Connecticut Office of the Attorney General must notify a controller of a violation before an action can be taken, and controllers are then given 60 days to cure any issues. 

But note—this cure time has its own cure time. 

As written, the law stipulates that this grace period will only be available during the first eighteen months the CTDPA is enforceable. After January 1, 2025, the attorney general will no longer be required to allow violators to regain compliance before initiating actions.

Violations of the CTDPA are considered unfair trade practices and are subject to penalties of up to $5,000 for each uncured and/or willful violation. While there’s no private right of action or criminal liability delineated in Connecticut’s law, other possible remedies include restitution, disgorgement, and injunctive relief.

What do businesses have to do to comply with the CTDPA?

Any business that has already had to establish compliance with other data privacy laws will likely find that the CTDPA’s obligations look and sound fairly similar. That’s because the principles these laws are based on—transparency, accountability, security, and consumer control—are the gold standard for privacy best practices.

When it comes to users, the CTDPA requires businesses to:

  • Limit collection to adequate, relevant, and reasonably necessary information
  • Clearly explain what types of information are being collected and why
  • Disclose who has access (both internally and externally) to collected information
  • Only use collected information for the reasons disclosed at collection
  • Specify how consumers can enforce their rights and contact the business if needed

When it comes to internal practices, CTDPA obligations include:

  • Providing reasonable “administrative, technical, and physical” measures to secure data
  • Establishing contracts with all processors to ensure privacy standards are met
  • Completing data protection assessments for any activity that puts data at risk of exposure

Looking to the future

State legislators in Connecticut have been trying to get a law on the books since 2017. It took a great deal of coalition building to get enough consensus across the aisle and across industries to get a bill over the finish line, but in the proud tradition of the Provision State, lawmakers found a way for their small state to make a big impact.

If you have questions about Connecticut’s new privacy law or if you need help with any part of your company’s privacy journey, the experts at Red Clover Advisors are here to help. Contact us today to get started.


Jodi Daniels

Jodi Daniels is Founder and CEO of Red Clover Advisors, a privacy consultancy helping companies from startup to Fortune 100 create privacy programs, build customer trust, and achieve GDPR, CCPA, and privacy law compliance. Jodi is a Certified Information Privacy Professional who assists with daily privacy operations such as data mapping, individual rights, training, and policies, and also serves as a fractional chief privacy officer. Jodi Daniels is a national keynote speaker, host of the She Said Privacy / He Said Security Podcast, and has been featured in The Economist, Forbes, Inc., Authority Magazine, ISACA, and more. Jodi holds a Master of Business Administration and a Bachelor of Business Administration from Emory University’s Goizueta Business School.