Preparing Your Business for The Connecticut Data Privacy Act (CTDPA)
The Connecticut Data Privacy Act was enacted on May 10, 2022, to regulate the handling of personal data by businesses. The Act aims to protect data subjects' privacy and gives them rights and control over their user data. It also requires companies to provide data users with a privacy notice explaining what information is collected, how it is used, and how long it's stored. Let's take a closer look into this new regulation and what it means for businesses.
What is the Connecticut Data Privacy Act?
Connecticut has now joined the states of California, Virginia, Colorado, and Utah as the fifth state in the US to pass privacy legislation in recent years. The new bill passed in Connecticut is identical to the laws in the other four states since it lets users opt out of targeted advertising, sales, and profiling.
The law will require organizations to acknowledge opting out of targeted advertising and sales with a single click by 2025.
Who is subject to the CTDPA?
The Connecticut Data Privacy Act (CTDPA) applies to both data processors and controllers. It imposes obligations on controllers that;
- Conduct business in Connecticut or provide goods or services targeted at Connecticut’s data subjects.
- Process the user data of over 100,000 Connecticut data users.
- Have customer data belonging to at least 25,000 residents of Connecticut if they derive more than 25% of their revenue from selling personal data.
CTDPA exemptions
Some entities are exempt from complying with the CTDPA. Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), entities specified by the Health Insurance Portability and Accountability Act (HIPAA), and non-profit entities are exempted from this act's scope.
State and local government, National securities associations, and institutions of higher education also fall under a legal exemption.
Consumer rights provided by the Connecticut Data Privacy Act
Right to access
This act grants consumers the right to access data from data controllers.
Right to correct
The Connecticut Data Privacy Act provides consumers with the right to correct any inaccuracies in their data.
Right to data portability
Connecticut consumers can ask for a copy of the user data their company has saved and move it to another company.
Right to delete
The CTDPA gives consumers the right to delete personal data that they have provided to companies.
Right to opt-out
The law provides consumers with the right to opt-out of having their data processed for profiling, sale of data, and targeted advertising. The law requires companies to provide a universal opt-out mechanism for consumers.
How the Connecticut Data Privacy Act differs from other state privacy laws
The CTDPA is similar to other privacy acts like the CCPA/CPRA (The California Consumer Privacy Act), CPA, UCPA, and VCDPA, but it most resembles the Virginia Consumer Data Protection Act (VCDPA) and Colorado’s CPA - these two are especially consumer-friendly. However, even though the CTDPA may seem similar at first glance, there are some features that make it different from other acts.
More rigid biometric data definition
The CPA did not include a definition of what constitutes biometric data, but the CTDPA did. The act defines biometric data as any video, photographic, or audio data with which a consumer can be identified.
Consumers’ rights
Consumers in Connecticut enjoy five rights. Unlike other laws that offer no exceptions to the right to access, the CTDPA specifies that confirmation or giving access to personal data would only be refused if it causes harm to the data controller's trade secrets.
Cure period
Privacy laws like the VCDPA give entities 30 days to address any infringements after being notified of such by the Attorney General. This is called a 'cure period.' The CTDPA, however, allows businesses to fix any alleged privacy breach incidents within 60 days.
Opt-out and data deletion
The CTDPA will start requiring universal opt-outs by January 1, 2025. While the CPA and CTDPA require a universal opt-out option, CCPA and VCDPA permit multiple mechanisms for users to completely opt-out.
CTDPA enforcement
The state’s Attorney General has the sole enforcement authority to prosecute CTDPA violators, but there is no way for individuals to sue them.
Until December 31, 2024, the Attorney General has to give entities notice and a cure period of 60 days before taking any legal action. The CTPA will not require notice and a chance to cure as of January 1, 2025. Instead, the Attorney General will have the prosecutorial discretion to give entities an opportunity to fix issues.
How to prepare for the CTDPA
Businesses have a lot to be concerned about as the enforcement date for CTDPA approaches. While it will not go into effect until July 1, 2023, it is important to start preparing now. Taking certain steps now can ensure compliance before the deadline arrives.
To comply with the act, businesses should take the following steps to get started:
1. Understand the requirements of the CTDPA and how it applies
This act has a broad scope, and it applies to any business that collects personal information from at least 100,000 Connecticut residents. It also enforces new obligations on any company with 25,000 or more customers and derives more than 25% of profits from selling user data to third parties.
If this applies to your business, you are required by law to comply with all aspects of CTDPA.
2. Update your privacy policy
It’s important for businesses to take the time to update their privacy policy to abide by new privacy regulations. Companies must proactively update their privacy policy to ensure compliance with the new data protection legislation. This is because they are subject to fines if they don’t comply with the new laws.
3. Implement a data retention policy
Companies need to have a data retention policy that complies with the CTDPA guidelines before the regulation takes effect. The policy should include how long they store customer data, what type of information they retain, and how they dispose of it when it is no longer needed.
4. Provide opt-out for targeted advertising and sales
In the wake of CTDPA, businesses operating in Connecticut must take a proactive approach to privacy by providing an opt-out for targeted advertising and sales. This will help them avoid any legal trouble in the future. Companies can implement new technologies that make their workflows easier, leading to better returns like saving time and money.
With the increasing amount of data regulations alongside consumer awareness, data privacy is becoming a big deal, no matter where you conduct your business. Ensure your company has the best practices in place to ensure the safety of your users’ data. Establishing internal guidelines and implementing technologies like automated data mapping and privacy request management can help avoid complex regulatory issues, ensure compliance, and avoid reputation damage.