The Full Guide to Connecticut's Data Privacy Law
Connecticut became the 5th American state to pass comprehensive data privacy regulation in May 2022. The Connecticut Data Privacy Act (CTDPA) takes effect July 1, 2023, the same day as Colorado’s CPA and California’s CPRA regulations, making it a milestone in data protection history.
Connecticut’s data privacy law is more similar to Colorado’s than California’s, but it most closely resembles Virginia’s VCDPA, which was the 2nd comprehensive law passed in the country. Here’s a detailed look at the CTDPA, including who needs to comply and how.
Connecticut Data Privacy Law at a Glance
The Connecticut data privacy law borrows Virginia’s framework, forgoing any revenue threshold in favor of thresholds based on the amount of personal data processed.
Organizations doing business in Connecticut need to comply with the CTDPA if:
- They handle the personal data of over 100,000 Connecticut residents per calendar year, OR
- They handle the personal data of at least 25,000 Connecticut residents AND earn more than 25% of their revenue from the sale of personal data
The CTDPA explicitly covers the personal data of residents, and does not apply to employee data within the state. It also does not cover de-identified data or publicly available information, as is standard for American data privacy regulations.
More importantly, the Connecticut data privacy law largely runs on an opt-out model, in contrast to the GDPR’s opt-in model. Opt-outs are seen as more business-friendly, since organizations can carry out data processing until an individual requests that they stop, whereas the stronger opt-in model requires a person to permit the processing before it can begin.
One notable exception for Connecticut’s law is sensitive data. Sensitive data covers:
- Racial or ethnic origins;
- Religious beliefs;
- Sexual orientation, citizenship, or immigration status;
- Mental or physical health conditions or diagnoses;
- Genetic personal data or biometric data (if the processing is used to identify a specific individual);
- Personal data collected from a known child under the age of 18 (SB3)*;
- Precise geolocation data;
- *Consumer health data (added in Senate Bill 3, see more below)*
Just like Virginia’s law, businesses need to receive opt-ins from people when processing sensitive data, adding an extra layer of security and rights.
Connecticut Data Privacy Law Exemptions
Most American data privacy laws have numerous exemptions, largely because of decades of patchwork laws regulating the financial and healthcare sectors.
The exemptions in the Connecticut data privacy law are no different, with carve outs for these institutions:
- State government and administrative organizations
- Nonprofit organizations
- Higher education institutions
- National securities institutions
- Entities and associates covered by HIPAA
- Institutions subject to the Gramm-Leach-Bliley Act (GLBA)
As well as these types of data:
- Protected health data (the way health data was originally defined within CTDPA)
- Employee data, including job applicant data
- De-identified data or publicly available information
- Aggregate information
- Personal information collected for human subjects research or as part of a clinical trial
Connecticut Consumer Data Rights
The CTDPA gives Connecticut residents the standard set of data rights:
- Right to opt out – consumers have the right to opt out of the processing of their personal data for targeted advertising, sale to a third party, or profiling;
- Right of access – consumers have the right to know if a controller is processing their personal data and may access it at any time;
- Right to correction – consumers have the right to correct inaccuracies in their personal data;
- Right to deletion – consumers have the right to have controllers delete their personal data;
- Right to data portability – consumers have the right to obtain their data in a portable and accessible format so they can transmit it to other businesses
The bill does not grant people a private right of action, meaning individuals cannot bring lawsuits against companies for noncompliant behavior.
More interestingly, however, Connecticut does give people the right to revoke consent, meaning they can ask a data controller or processor to stop processing their personal data even after having given consent to do so.
Connecticut was the first state to put this right in the initial passing version of the bill, as Colorado later added it via amendment and Montana became the 3rd state to feature this right in May 2023.
The CTDPA also features a common clause stating that organizations cannot discriminate against those exercising their data rights, establishing the notion of a right to non-discrimination as well.
Connecticut Data Privacy Law Requirements
In order to help enforce the best data privacy practices, the Connecticut data privacy law establishes several requirements organizations must fulfill.
For consumer rights requests (aka DSRs), organizations have 45 days to reply and can claim one additional 45-day extension.
Businesses must provide notice about the full scope of data processing activities, including what’s collected, why it’s collected, and who it is shared with or sold to (if applicable).
Privacy notices must also clearly display how people can exercise their data rights.
Other business requirements:
- Data minimization: limiting data collection to only what is necessary to fulfill specific purposes
- Clear and freely given consent
- Conduct data protection assessments, especially when processing personal data for targeted advertising, profiling, the sale of data, or processing sensitive data
- Establish reliable and reasonable data safeguards
- Contracts between data controllers and processors laying out the full and explicit scope of data processing activities
- Comply with COPPA when processing children’s data (with children defined as those under the age of 16 in the original CTDPA and now under 18 with SB3)*
CTDPA and Dark Patterns
Dark patterns have recently emerged as a serious issue that data privacy regulation and regulators are trying to tackle, with California leading the way in combating the practice.
Connecticut’s data privacy law likewise addresses dark patterns head on, which other state regulations do not. First, the CTDPA defines dark patterns as “a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making or choice.”
In practice this means companies tricking users into giving consent, or using other underhanded tactics to get around data compliance requirements. Connecticut has explicitly written into the CTDPA that consent obtained through dark patterns is not valid, which can expose organizations to penalties for noncompliance.
Connecticut’s CTDPA & Senate Bill 3 Amendments
The Connecticut legislature is hard at work even with the law imminently becoming effective. The state just passed Senate Bill 3 as an amendment to CTDPA, beefing up two particular areas:
- Children’s data
Regarding children’s data, SB3 raises the age of an individual identified as a child from 16 to 18, bringing more people under its umbrella and significantly widening the scope of the law.
While data protection impact assessments are required universally in the CTDPA, organizations that handle data from people they know are children will be placed under increased scrutiny for DPIAs.
Controllers are now also barred from collecting any precise geolocation data from known minors (unless that information is shown to be necessary to operate the service) and from implementing any feature that would significantly increase or extend use of the service or product.
The latter takes aim at dopamine-juicing systems many mobile games, social media platforms, etc. have come to rely on for engagement metrics. It’s a broad clause and may be hard to regulate, but to put it in writing is a step forward.
- Consumer health data
The rewording of sensitive data categories to include “Consumer health data” brings a higher bar for compliance. The term now also includes gender-affirming health data and reproductive or sexual health data, both of which have become hot topics of debate in political discourse in America.
The original bill already required opt-ins to process sensitive data; that requirement now extends to these new categories. SB3 also imposes a duty of confidentiality on employees who handle consumer health data and prohibits the use of geofencing technology to track consumers, collect their data, or send them health-related notifications when they visit mental, reproductive, or sexual health facilities.
Connecticut Data Privacy Enforcement
This leads us to enforcement of the CTDPA, which, as in most states, falls entirely on the shoulders of the Attorney General, as there is no data protection commission to lead the charge.
The financial penalty per violation is lower than in most states, sitting at $5,000 instead of the $7,500 figure used in most state data privacy regulations.
The law enters into force on July 1, 2023, but contains a 60-day cure period that runs through December 31, 2024, giving organizations a year and a half to avoid any major fines.
Starting on January 1, 2025, a cure period is not guaranteed for alleged violations, and businesses will also be required to allow consumers to opt out of targeted advertising or the sale of personal data through universal opt-out mechanisms, such as the Global Privacy Control, which have gained popularity in recent years.
The goal of this is to help people exercise their data rights more easily without implementing any clauses that are not business-friendly into the CTDPA.
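The universal opt-out requirement above is one of the few parts of the law that maps directly onto code. The following is an added example, not from the original article, of a server-side check that honors the Global Privacy Control signal. It assumes the signal arrives as the `Sec-GPC: 1` request header defined by the GPC specification, where `1` is the only meaningful value; the purpose names, the account-level opt-out flag and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Mapping

# Header defined by the Global Privacy Control specification. Its only
# meaningful value is "1"; an absent, "0" or malformed header is "no signal".
GPC_HEADER = "sec-gpc"

# Purposes the article says a universal opt-out mechanism must be able to
# stop: targeted advertising and the sale of personal data. Purpose names
# are constructed for this example.
GPC_PURPOSES = frozenset({"targeted_advertising", "sale"})


@dataclass(frozen=True)
class Decision:
    purpose: str
    allowed: bool
    reason: str  # kept so every decision can be logged for later audit


def gpc_signal_present(headers: Mapping[str, str]) -> bool:
    """True only when the request carries Sec-GPC with the exact value "1".

    Header names are case-insensitive, so the lookup normalizes them.
    """
    for name, value in headers.items():
        if name.lower() == GPC_HEADER:
            return value.strip() == "1"
    return False


def decide(purpose: str, headers: Mapping[str, str],
           account_opt_out: bool = False) -> Decision:
    """Decide whether one processing purpose may proceed for this request.

    account_opt_out models an opt-out the consumer already recorded through
    the site's own settings (constructed for the example); it is honored
    regardless of what the browser sends.
    """
    if purpose not in GPC_PURPOSES:
        return Decision(purpose, True, "purpose not subject to opt-out")
    if account_opt_out:
        return Decision(purpose, False, "consumer opted out via account settings")
    if gpc_signal_present(headers):
        return Decision(purpose, False, "universal opt-out signal (Sec-GPC: 1) honored")
    return Decision(purpose, True, "no opt-out on record or in request")


def processing_flags(headers: Mapping[str, str],
                     account_opt_out: bool = False) -> dict:
    """Map each opt-out-eligible purpose to whether it may run, e.g. to
    gate an ad tag or a data-broker export for this request."""
    return {p: decide(p, headers, account_opt_out).allowed
            for p in sorted(GPC_PURPOSES)}


if __name__ == "__main__":
    # Constructed sample requests: one with the signal, one without.
    with_signal = {"Host": "example.test", "Sec-GPC": "1"}
    without_signal = {"Host": "example.test"}
    for headers in (with_signal, without_signal):
        for purpose in ("targeted_advertising", "sale", "order_fulfillment"):
            d = decide(purpose, headers)
            print(f"{purpose:22} allowed={d.allowed!s:5} ({d.reason})")
```

The check deliberately treats only the literal value `1` as an opt-out, so a browser sending `Sec-GPC: 0` or an unrelated header is not misread as consent either way; it simply falls through to whatever the consumer has on record.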