
Connecticut Becomes Fifth State to Pass Comprehensive Data Privacy Legislation


On May 10, 2022, Connecticut Governor Ned Lamont signed into law the Connecticut Data Privacy Act (the “CTDPA”) after the Connecticut legislature demonstrated its near-unanimous support for this legislation. Connecticut has now become the fifth state in the nation to enact a comprehensive data privacy law, following California, Colorado, Virginia, and Utah. The CTDPA will become effective on July 1, 2023.

Applicability

The CTDPA applies to for-profit businesses that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that, during the prior calendar year, either:

  • controlled or processed the personal data of at least 100,000 consumers (excluding personal data controlled or processed solely for the purpose of completing a payment transaction); or
  • controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.

The CTDPA does not apply to Connecticut governmental entities, nonprofit organizations, higher education institutions, national securities associations, financial institutions subject to Title V of the Gramm-Leach-Bliley Act, or covered entities or business associates subject to the Health Insurance Portability and Accountability Act (“HIPAA”). Certain categories of information and data are also excluded from the CTDPA’s scope.

Consumer Rights

The CTDPA provides consumers with rights to protect their personal data that are very similar to those granted under the Virginia and Colorado laws: the rights of access, correction, deletion, portability (i.e., the right to obtain a copy of the data in a portable and readily usable format), and to opt out of (i) the use of personal data for targeted advertising and certain types of profiling and (ii) most sales of personal data. By January 1, 2025, businesses that control personal data must be able to receive opt-out preference signals that consumers send via a “platform, technology or mechanism” (such as a user-enabled browser control).

Required Privacy Notice

Businesses subject to the CTDPA must provide consumers with “a reasonably accessible, clear and meaningful privacy notice” that includes: (i) the types of personal data the business collects; (ii) the purpose for which they use the data; (iii) how consumers can exercise their consumer rights; (iv) the types of personal data the business shares with third parties; (v) the types of third parties with which they share personal data; and (vi) an e-mail address or other online mechanism the consumer can use to contact the business.

Other Obligations On Businesses

Under the CTDPA, businesses must also: (i) limit their collection of personal data to what is adequate, relevant, and reasonably necessary for their disclosed purposes; (ii) if applicable, clearly and conspicuously disclose to consumers that they sell personal data or use it for targeted advertising and how the consumer can opt out; (iii) establish, implement, and maintain reasonable data security practices; and (iv) heed specific requirements relating to biometric data, data relating to minors, and other sensitive data.

Vendor Relationships

The CTDPA also governs the relationship between businesses and third parties that process personal data on their behalf (“processors”). Among other things, the CTDPA requires that a business enter into a binding contract with each of its processors that addresses the processor’s data processing procedures and contains certain enumerated provisions.

Enforcement

The CTDPA does not provide for a private right of action (i.e., a right for an individual consumer to sue for a violation of the law); the Connecticut Attorney General has exclusive authority to enforce any violations. Until December 31, 2024, the Attorney General must provide a 60-day cure period for alleged violations (provided the Attorney General determines a cure is possible). Beginning in 2025, the Attorney General is not required to provide a cure period, but may continue to do so. A violation of the CTDPA also constitutes an unfair trade practice under Connecticut law, although the private right of action under the unfair trade practice law does not apply.

Special Task Force

The CTDPA requires that a task force be convened by September 1, 2022 to study topics relating to data privacy, such as algorithmic decision-making, issues concerning data colocation, and social media use by children. This task force must submit a report on its findings and recommendations for any statutory amendments by January 1, 2023. The Connecticut Attorney General is not granted any rulemaking authority under the CTDPA.

Conclusion

Businesses that have already begun preparing for the California, Virginia, and/or Colorado privacy laws will have a head start on preparing for the CTDPA. However, the CTDPA introduces more stringent provisions with respect to certain opt-out rights and other consumer protections. As such, businesses should carefully review the CTDPA to ensure their privacy policies and practices are in compliance by January 1, 2023.

This article is only a summary of the CTDPA and the text of the statute should be consulted for further information. Please call your Hinckley Allen lawyer if you would like our assistance with your privacy policy, data security, vendor contracts, or other privacy or data security needs.

