Connecticut Data Privacy Act sets the guidelines for managing consumer data and helps you protect your customers’ privacy rights. By complying with the CTDPA, you’ll show your commitment, amongst many other things, to safeguarding the privacy of your customers which is essential in today’s digital landscape.
In this article, I’ll share some key information with you about the Connecticut Data Privacy Act. I’ll break down what it means for your business and provide practical advice on how to follow the rules.
- The Connecticut Data Privacy Act sets rules for managing consumer data, and compliance is key for businesses. It demonstrates a commitment to safeguarding customer privacy in the digital age.
- The CTDPA imposes responsibilities on businesses, including timely responses to consumer requests, clear data usage explanations, and obtaining permission for sensitive data.
- The CTDPA applies to businesses dealing with Connecticut residents’ data and grants consumers various rights, including access, correction, deletion, and opt-out options.
Table of Contents
What Is the Connecticut Data Privacy Law (CTDPA)?
The Connecticut Data Privacy Act (CTDPA), also known as Senate Bill 6, was signed into law by Governor Ned Lamont on May 10, 2022. It sets the standards for the responsible handling of customer data and for protecting the privacy of Connecticut residents.
The CTDPA lays down some important rules for online businesses. For example, you need to respond to consumer requests within 45 days. You should also be very clear about how you use and keep data safe, especially sensitive info. Plus, you need to ask for permission before collecting that sensitive stuff.
The CTDPA takes effect on July 1, 2023. What’s interesting about this consumer data privacy law is that it doesn’t expect you to follow every rule right away. Instead, it’s taking a step-by-step approach. As time passes, you will need to follow different parts of the law.
This gradual process makes it easier for you to adjust and make the needed changes, which makes the process to full CTDPA compliance smoother.
What Are the General Definitions of the CTDPA?
In the CTDPA, you’ll come across some general definitions that lay the groundwork for understanding the law. Here are a few key ones:
- Controller: A controller is an entity that determines the purposes and means of the processing of personal data. In other words, they are the ones who decide why and how personal data is collected and used. For example, if you run an online store and decide how customer data is used for orders, you’re the controller.
- Processor: A processor is an entity that processes personal data on behalf of the controller. They act under the instructions of the controller and handle the technical aspects of processing personal data. Imagine a cloud service that stores your customer data for you – that’s a processor.
- Personal Data: Personal data refers to any information that relates to an identified or identifiable natural person. This can include names, addresses, email addresses, phone numbers, social security numbers, and more. Essentially, any data that can be used to identify an individual falls under the category of personal data.
- Sensitive Data: Sensitive data includes information or data revealing racial or ethnic origin, religious beliefs, genetic or biometric data, health information, and more. This type of personal data collected requires extra protection due to its potential impact on an individual’s privacy and well-being.
- Processing: Processing refers to any operation or set of operations performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, and more. It includes a wide range of activities involved in handling personal data. From the moment you collect data to its eventual deletion, every step falls under the umbrella of processing.
- Consumer: A consumer is an individual who is a resident of Connecticut. In the context of the CTDPA, consumers are the individuals you serve whose personal data is being collected and processed.
Getting to know these terms is important for understanding what the CTDPA expects from your business. It helps you understand this privacy protection act and make sure you’re following the rules.
PRO TIP: If you use third-party data processors to handle personal data, ensure that they also comply with the CTDPA. Review your contracts with these processors to include data protection clauses.
Who Does the CTDPA Apply To?
The CTDPA applies to people and businesses doing business in Connecticut or providing products or services targeted to Connecticut residents.
Specifically, it applies to you if you have, in the past year, either (i) controlled or processed personal data from at least 100,000 Connecticut consumers (excluding data just for payment transactions), or (ii) made more than 25% of their money from selling personal data and controlled or processed personal data from at least 25,000 Connecticut residents.
Keep in mind that this online privacy protection act applies to businesses both within and outside of Connecticut if they meet these criteria. So, if you’re gathering and using personal data from folks in Connecticut, you’ve got to follow the CTDPA rules.
Are There Any Special Cases Where the CTDPA Doesn’t Apply?
The CTDPA doesn’t apply to you if you are:
- Nonprofit organizations
- State and local governments
- Higher education institutions
- Financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA)
- National securities associations registered under the Securities Exchange Act of 1934
- Entities following the Health Insurance Portability and Accountability Act (HIPAA) regulations.
Additionally, the CTDPA doesn’t cover certain types of personal data that are handled in line with other laws, such as GLBA, HIPAA, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act.
Key Principles and Provisions of CTDPA
The CTDPA is a comprehensive consumer privacy law that imposes obligations on you if you collect and process personal data. Here are some of the key principles and provisions of the CTDPA that you should be aware of:
- Consumer Rights: The CTDPA gives consumers the right to access, correct, delete, and obtain a copy of their personal data. They can also opt out of targeted advertising, the sale of personal data, and automated decision-making profiling. These rights allow your consumers to have more control over their personal information.
- Data Protection Assessments: You are required to conduct data protection assessments for certain processing activities. This helps ensure that you are aware of the potential risks associated with processing personal data and take appropriate measures to protect it.
- Universal Opt-Out Mechanisms: The CTDPA requires you to honor universal opt-out mechanisms. This allows consumers to easily opt out of the sale of their personal data to third parties.
- Consent for Sensitive Data: You must collect valid consent from consumers before processing sensitive data. This ensures that sensitive information, such as health data or biometric data, is handled with extra care and only processed with explicit consent.
What Are the Data Subject Rights Under the CTDPA?
The CTDPA grants consumers several important data subject rights, so they can have control over their personal information. Here are the data subject rights under the CTDPA:
Right to Access
Your customers have the right to see the data that your business is using. They can ask what data you’ve collected, how you’re using it, and who you’re sharing it with. When they make such requests, you’re required to respond within 45 days.
Right to Correction
If customers find inaccuracies in the data that you’re processing, they can ask you to fix it. This ensures that the information or consumer’s personal data you use is up-to-date and accurate.
Imagine a customer who spots an error in their data, perhaps their shipping address is outdated. They’ll exercise their right to correction, ensuring their information is up to date for future interactions.
Right to Deletion
Customers can request that you delete their data, including personal data you acquire through third-party sources, if it’s no longer needed for the reasons you collected it, or if it was collected without proper consent.
For example, a customer decides to end their engagement with your business or service. In this case, they’ll request the deletion of their data from your records. It could be because they no longer find your newsletter relevant and wish to be removed from your mailing list.
Right to Data Portability
Customers can ask for a copy of their data in a format that’s easy to use. This way, they can move their data to another controller or business if they want to.
Think about a customer looking to switch to a different online platform but wanting to take their purchase history and preferences with them. This consumer may exercise the right to data portability, which allows them to request a copy of their data in a format that’s easy to transfer.
Right to Opt-Out
Customers have the power to say no to things like targeted ads, selling their data, and decisions made by computers about them. It lets them decide how their data is used and shared.
For instance, many customers prefer not to have their browsing habits used for personalized advertising. They might opt out of tracking to maintain their privacy.
How Can Businesses Comply With the CTDPA?
If you collect and handle personal data from residents in Connecticut, you need to keep up with the CTDPA and make sure you’re protecting the privacy of Connecticut residents. Here’s how you can make sure you’re on the right track:
- Understand the Law: First things first, understand what the CTDPA says and how it relates to your business. This means grasping the terms used, the rights customers have, and what the law expects from you.
- Take a Data Inventory: Think of this as taking stock. Find out what personal data you’re gathering, why you’re collecting it, and who you’re sharing it with. This helps you see where you need to tighten up data protection.
- Boost Data Protection: Make sure your data is safe from unauthorized eyes. This includes encrypting data when it’s moving around or sitting quietly in your storage. Set up controls for who can access it and regularly check that everything’s secure.
- Share a Privacy Notice: Give your customers a clear and easy-to-understand privacy notice. This notice should spell out how you gather, use, and share their data. It should also explain how they can use their rights under the CTDPA.
- Set Up Data Request Procedures: Be ready to handle data requests from customers. This includes requests to see, fix, delete, or move their data. You should respond within 45 days and make sure the person making the request is who they say they are.
- Train Your Team: Make sure everyone on your team knows what the CTDPA requires. Teach them how to handle personal data in line with the law. This way, everyone in your business can play their part in keeping data safe.
- Conduct Regular Compliance Checks: Periodic compliance checks are important to ensure that your business continues to meet the CTDPA’s requirements over time. Laws and regulations can evolve, so staying up to date is essential. Regular audits and assessments of your data handling practices can help identify any areas that may need adjustment to remain in compliance.
- Create an Incident Response Plan: Develop a detailed incident response plan in case of a data breach or privacy incident. This plan should outline the steps to take if a breach occurs, including notifying affected individuals and authorities as required by law.
- Implement Documentation and Record-Keeping Practices: Good documentation can be necessary for demonstrating your commitment to compliance if ever questioned. So, consider maintaining comprehensive records of your data processing activities, consent records, and compliance efforts. Also, document data protection assessments to provide a clear trail of your diligence in safeguarding data.
PRO TIP: An actionable compliance timeline for your business ensures a smooth transition to full CTDPA compliance. So, be sure to identify key milestones and deadlines for different aspects of the law. This way, you can stay organized, minimize disruptions, and demonstrate your commitment to data privacy.
Who Enforces the CTDPA?
The CTDPA is watched over by the Connecticut Attorney General. This office has the power to look into complaints and issues related to the law. If you don’t follow the CTDPA, the Attorney General’s Office can take you to court. They’re in charge of making sure people in Connecticut are safe when it comes to their personal info. They also give advice and guidance on privacy and data security laws and other related matters.
Starting from July 1, 2023, when the Connecticut data privacy law kicks in, and until December 31, 2024, the Attorney General will send you a warning if you don’t follow the rules. You will then have 60 days to fix the issue.
This time period is intended to give you a chance to get used to the new regulations. However, after January 1, 2025, the Attorney General’s office won’t automatically provide this 60-day fix-it period. Instead, they’ll decide whether to offer it based on factors like the number of rule breaks, how big and complex your business is, and other things.
In 2025, the law will also require you to let customers say “no” to targeted ads or the selling of their data using simple “opt-out” tools.
What Are the Penalties for Violating the CTDPA?
If you don’t follow the rules of the CTDPA, you can face some serious consequences. For each rule you break, you could face civil penalties of up to $5,000 per violation.
But it doesn’t stop there. If someone gets hurt because you didn’t follow the CTDPA, that person has the right to take you to court and ask for money to make up for the harm they suffered.
So, it’s really important that you stick to the CTDPA. Not doing so could lead to legal trouble and harm your reputation.
In addition to these penalties, violating the CTDPA may also lead to reputational damage, loss of customer trust, and potential business disruption, all of which, of course, will translate into financial losses.
How Does the CTDPA Compare to Other Data Privacy Laws?
While the CTDPA may not be as wide-reaching as some other global and state privacy laws, it introduces unique elements and solid consumer rights. Understanding these differences is important, so you can follow the rules and gain your customers’ trust.
One significant difference lies in the revenue threshold required for compliance. Unlike Virginia and Utah, which demand at least 50 percent of gross revenue to come from the sale of personal data, Connecticut’s CTDPA sets a smaller gross revenue amount. However, it exceeds Colorado, which doesn’t impose a threshold at all.
Additionally, unlike the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), the CTDPA doesn’t establish an independent overriding revenue threshold. This means that even large revenue-generating companies must meet the minimum consumer requirements to be subject to its regulations.
Another notable aspect is the CTDPA’s unique exclusion of data collected solely for payment transaction purposes. This sets it apart from other laws.
The CTDPA’s definition of “sale of personal data” also deserves attention. It defines this as “the exchange of personal data for monetary or other valuable consideration” to a third party. This aligns with the Colorado Privacy Act (CPA), California’s CCPA, and CPRA, but it goes beyond the definitions in the Utah Consumer Privacy Act (UCPA) and the Virginia Consumer Data Protection Act (VCDPA) by including “valuable consideration.”
Furthermore, it’s worth noting that certain entities and data are exempt from the CTDPA’s scope, including government bodies, nonprofit organizations, and higher education institutions. The law also provides exceptions for specific types of data and organizations, such as those under the GLBA, and certain information like protected health information under HIPAA.
In terms of consumer rights, the CTDPA mirrors many other state privacy statutes, using the “controller” and “processor” terminology, similar to the General Data Protection Regulation in Europe. However, it does have some distinctions. For example, it gives consumers the right to access and confirm whether a controller processes their personal data, but it provides an exception if revealing such information would expose a trade secret.
In addition, the CTDPA’s provisions regarding the right to opt-out are broad. It allows consumers to opt out of various data processing purposes, such as targeted advertising, the sale of personal data, or automated decision-making that produces significant effects. This aligns with other states’ laws and underscores the growing importance of giving consumers control over their data.
Frequently Asked Questions
What is the Connecticut Data Privacy Act (CTDPA)?
The CTDPA sets data protection standards and privacy rules for businesses handling Connecticut residents’ data.
When does the CTDPA take effect?
The CTDPA becomes effective on July 1, 2023, with a phased compliance approach.
Who does the CTDPA apply to?
It applies to businesses in and outside Connecticut if they control/process data from Connecticut residents and meet certain criteria.
How can businesses comply with the CTDPA?
Businesses should understand the law, conduct data inventories, enhance data protection, share privacy notices, and train their team.
What are the penalties for CTDPA violations?
Violations can result in civil penalties of up to $5,000 per breach, legal actions, and harm to reputation.
Who enforces the CTDPA?
The Connecticut Attorney General enforces the CTDPA, overseeing complaints, issuing warnings, and ensuring compliance.