What is the Connecticut Data Privacy Act (CTDPA)?

The Connecticut State Government signed the Connecticut Data Privacy Act (CTDPA) into law on May 10, 2022, and the law became effective on July 1, 2023. The CTDPA joins the ranks of other US state privacy laws, like the California Consumer Privacy Act (CCPA) and the Colorado Privacy Act, providing Connecticut consumers with robust data privacy rights and protections. Both data controllers and processors (and their relevant business associates) must comply with the CTDPA, with the former receiving the strictest obligations.

This article thoroughly explores the Connecticut Data Privacy Act, providing an overview of the law’s scope, consumer rights, regulations, and penalties for non-compliance. Keep reading to learn if your organization needs to add the CTDPA to the growing list of US state privacy laws it needs to comply with, primarily if you process consumer data or sell products or services throughout Connecticut.

Scope of the Connecticut Data Privacy Act

Following the roadmap originally outlined in the European Union’s General Data Protection Regulation (GDPR) and followed by other state privacy laws in the US, the CTDPA applies to data controllers and processors who target Connecticut residents for data collection or the sale of products and services. Any organization that meets either of the following thresholds must comprehensively comply with the CTDPA:

• Processing threshold: Entities that controlled or processed the personal data of at least 100,000 resident consumers in the preceding calendar year (excluding data collected solely for processing payment transactions)
• Revenue threshold: Entities that controlled or processed the personal data of at least 25,000 resident consumers in the previous year and derived more than 25% of their gross revenue from the sale of personal data

Like the Oregon Consumer Privacy Act (OCPA), the CTDPA does not outline a strict revenue threshold for organizations that process consumer data. This distinction makes the OCPA and CTDPA more consumer-friendly than the California Privacy Rights Act (CPRA) and other state privacy laws since entities that process significant amounts of consumer data must comply with the law even if they don’t make a certain amount of revenue. 

CTDPA exemptions

While the CTDPA applies to entities of varying sizes and revenues, it also outlines exemptions for several groups of organizations and categories of data. The Connecticut Data Privacy Act explicitly outlines exemptions for the following entities:

• State government agencies
• Nonprofit organizations
• Institutions of higher education
• National securities agencies registered under the Exchange Act
• Financial institutions regulated by the Gramm-Leach-Bliley Act (GLBA)
• Entities regulated by the Health Insurance Portability and Accountability Act (HIPAA)

The CTDPA also outlines specific exemptions for personal data regulated by the following laws and regulations:

• Fair Credit Reporting Act
• Driver’s Privacy Protection Act
• Family Educational Rights and Privacy Act
• Federal Farm Credit Act
• Airline Deregulation Act

As noted in the previous section of this article, the Connecticut Data Privacy Act also disregards data collected solely to carry out payment transactions, excluding restaurants and other consumer shops from its scope.

What rights does the CTDPA grant to consumers?

The consumer provisions included throughout the CTDPA resemble the rights granted by many other state privacy regulations. Under the Connecticut Data Privacy Act, resident consumers have the following rights: 

• Access: The CTDPA grants resident consumers the right to access the catalog of data a controller has collected from them. 
• Correction: The CTDPA grants resident consumers the right to request a data controller to correct inaccuracies found throughout the catalog of data it possesses. 
• Deletion: The CTDPA grants resident consumers the right to request a data controller to delete data found throughout the catalog of data it possesses.
• Data portability: The CTDPA grants resident consumers the right to obtain a portable copy of the data catalog a controller has collected from them.
• Opt-out: The CTDPA grants resident consumers the right to opt out of collecting their data for targeted advertising, sale (for monetary gain or other valuable considerations), or profiling.

To activate their rights under the CTDPA, consumers must submit an authenticated request to the data controller responsible for collecting their data. After a consumer submits a request, the data controller has 45 days to respond, detailing the process it will take to honor the request or why it has decided to deny the request. If a controller denies a consumer’s request, the controller must also provide the consumer with instructions on how to appeal the decision. Under certain circumstances, such as an increased number of requests or with complex requests, the controller can extend the response period by an additional 45 days.

Important note: The CTDPA only grants rights to data subjects operating as an independent consumer or on behalf of their household. The law excludes individuals operating in an employment context from its definition of a consumer.

What obligations does the CTDPA impose on controllers?

In addition to requiring data controllers to timely and effectively respond to all consumer requests, the Connecticut Data Privacy Act also requires entities to comply with the following obligations:

• Limited collection: The CTDPA requires data controllers to limit their data collection activities to what is reasonable, necessary, and adequate to complete the purpose for which it is collecting the data.
• Data security controls: The CTDPA requires data controllers to safeguard the confidentiality and integrity of consumer data by installing data security controls. 
• Consumer consent: The CTDPA requires data controllers to obtain consent before processing a consumer’s sensitive data. Regarding personal data, the CTDPA consent requirements operate on an opt-out preference signal, requiring consumers to notify controllers if they don’t want their data collected.
• Privacy notice: The CTDPA requires data controllers to create, maintain, and distribute a clear and comprehensive privacy notice that lists the categories of personal data it will collect, how consumers can exercise their rights, and the data it will share with third-party vendors and service providers. 
• Universal opt-out mechanism: The CTDPA requires data controllers to provide a simple opt-out mechanism consumers can use to withdraw their consent. 
• Data protection assessments: The CTDPA requires data controllers to conduct ongoing data protection assessments for any processing activity that poses a heightened risk of harm to the consumer, such as targeted advertising, profiling, or the processing of sensitive data.   
• COPPA: The CTDPA requires data controllers to follow all regulations outlined in the Children’s Online Privacy Protection Act (COPPA) when involved in the processing of personal data of a minor.

The Connective Data Privacy Act distinguishes between personal and sensitive data, requiring controllers who collect sensitive data to comply with additional requirements. Here’s how the CTDPA defines personal and sensitive data:

• Personal data: The CTDPA defines a consumer’s data as any information linked to an identifiable individual, excluding publicly available information.
• Sensitive data: The CTDPA defines sensitive data as any type of personal information that reveals an individual’s racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, the processing of genetic or biometric data to identify an individual uniquely, children’s data and precise geolocation data.

The CDPA primarily imposes obligations on data controllers. However, the act also applies a few specific obligations to data processors. 

Connecticut Data Privacy Act regulations for processors

Data processors, providers that complete data processing activities for or on behalf of data controllers, are also subject to specific provisions of the CTDPA. Under Connecticut’s data privacy law, data processors are legally responsible for assisting data controllers with achieving compliance. This responsibility includes collaborating and cooperating with controllers to complete and respond to consumer requests (including opt-out requests).

CTDPA penalties, fines, and enforcement

The CTDPA grants the Connecticut Attorney General the sole authority and responsibility to enforce the act, and the law does not afford consumers the private right of action. If the Attorney General discovers a CTDPA violation, it must first notify the controller if there is an opportunity to rectify the issue. If the controller doesn’t fix the violation within 60 days, the Attorney General is responsible for proceeding with enforcement, including imposing fines of up to USD 5,000 per violation (Connecticut Unfair Trade Practices Act). This grace period provision will expire after December 31, 2024. 

After January 1, 2025, the Connecticut Attorney General has the right to consider several factors related to a controller's good standing and compliance history before granting the controller a grace period. The factors the Attorney General can consider during its decision-making include:

• Previous violations
• Complexity of the controller
• Nature of collection 
• Likelihood of consumer harm
• Whether  the offence was an act concerning human or technical error

As of February 1, 2024, the Attorney General must submit an annual enforcement report to the state General Assembly. This report must include the number of violations, a breakdown of violations by nature, and the number of violations resolved within the 60-day cure period.

List of US state privacy regulations

• California Privacy Rights Act
• Colorado Privacy Act
• Connecticut Personal Data Privacy and Online Monitoring Act
• Delaware Personal Data Privacy Act
• Indiana Consumer Data Protection Act
• Iowa Consumer Data Protection Act
• Kentucky Consumer Data Protection Act
• Montana Consumer Data Privacy Act
• New Hampshire Senate Bill 255
• New Jersey Senate Bill 332
• Oregon Consumer Privacy Act
• Tennessee Information Protection Act
• Texas Data Privacy and Security Act
• Utah Consumer Privacy Act
• Virginia Consumer Data Protection Act

Streamline your organization’s CTDPA compliance with UpGuard

More and more US states are creating data privacy laws, each with unique scopes, obligations, and compliance requirements. This comprehensive coverage is excellent for residential consumers but troubling for organizations that process personal data. If your organization needs help with its compliance management program, you should consider using UpGuard.   

UpGuard helps organizations eliminate the hassle of compliance management, streamlining workflows and alleviating headaches related to vendor compliance management. Here’s what a few UpGuard customers have said about how UpGuard helps them with compliance management and robust TPRM: 

• Mattress Firm: “When I add a new vendor in UpGuard, I see their ratings and download the report as a baseline. I can also identify any outstanding remediation issues on existing vendors and ensure they’re resolved.”
• Rimi Baltic: “Before UpGuard, conducting proper research for each vendor would consume a lot of time – Does it comply with our requirements? Where is their data located? Do they have privacy policies? UpGuard has saved us a significant amount of time with its automation process. I would say it saves us a few days per month. For example, in initial research that would have taken me 1-2 hours, I can get that answer in 5-10 minutes.” 
• Wesley Mission Queensland: “One of the best features of the platform is bringing all our vendors into one place and managing it from there. We can also set reassessment dates, so we don’t have to manage individual calendar reminders for each vendor.”

These and other UpGuard customers have elevated their TPRM programs with the Vendor Risk Management tool, which offers powerful features and tools:

• Vendor risk assessments: Fast, accurate, and comprehensive view of your vendors’ security posture‍
• Security ratings: Objective, data-driven measurements of an organization’s cyber hygiene‍
• Security questionnaires: Flexible questionnaires that accelerate the assessment process and provide deep insights into a vendor’s security‍
• Reports library: Tailor-made templates that support security performance communication to executive-level stakeholders  ‍
• Risk mitigation workflows: Comprehensive workflows to streamline risk management measures and improve overall security posture‍
• Integrations: Application integrations for Jira, Slack, ServiceNow, and over 4,000 additional apps with Zapier, plus customizable API calls‍
• Data leak protection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches‍
• 24/7 continuous monitoring: Real-time notifications and new risk updates using accurate supplier data‍
• Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting‍
• Trust Page: Eliminate having to answer security questionnaires by creating a trust Page‍
• Intuitive design: Easy-to-use first-party dashboards‍‍
• World-class customer service: Plan-based access to professional cybersecurity personnel that can help you get the most out of UpGuard

Streamline compliance with third-party risk assessment software today. The CTDPA went into effect on July 1, 2023.