The Connecticut Data Privacy Act (CTDPA): what businesses need to know

From January 2025, the Connecticut Data Privacy Act (CTDPA) will become fully enforceable. With this deadline looming, businesses must familiarize themselves with the requirements of this law to ensure compliance and avoid penalties.

Signed into law in May 2022, the CTDPA enforces new obligations on businesses, especially those that manage a lot of data. 

The Act applies to entities that: 

  • Conduct business in Connecticut or produce products or services targeting Connecticut residents, 

  • Control or process the personal data of more than 100,000 Connecticut consumers annually (excluding data processed solely for payment transactions), or

  • Control or process data of at least 25,000 consumers and derive over 25% of their gross revenue from selling personal data. 


Consumer rights and business obligations under the CTDPA

The CTDPA grants consumers several data rights, including:

  • Right to access: consumers can request access to their personal data.

  • Right to correct: consumers can correct inaccuracies in their personal data.

  • Right to delete: consumers can request the deletion of their personal data.

  • Right to data portability: consumers can obtain and reuse their personal data across different services.

  • Right to opt-out: consumers can opt out of data sales and targeted advertising.

Businesses must adhere to specific obligations to comply with the CTDPA, including:

  • Data minimization: limit data collection to what is necessary for the specified purpose.

  • Data security: implement measures to protect data integrity, confidentiality, and accessibility.

  • Consent requirements: obtain explicit consent for processing sensitive data, including for targeted advertising.

  • Privacy notices: provide clear and accessible information about data processing activities and consumer rights.

  • Data protection assessments: for activities posing a heightened risk of harm, including targeted advertising and profiling.

Processing sensitive data, such as health information, racial or ethnic origin, and biometric data, requires explicit opt-in consent. 

Notably, the CTDPA also prohibits the use of "dark patterns" to manipulate consumer consent - meaning consent must be informed, and actively given.  


Enforcement and compliance

The Connecticut Attorney General (AG) holds the reins when it comes to enforcing the CTDPA and has opted for a phased approach to ensure a smooth transition. 

During the initial phase, from July 1, 2023, to December 31, 2024, businesses will receive a 60-day notice to correct any violations. 

However, come January 1, 2025, the rules get stricter. 

The AG will have the power to issue fines of up to $5,000 per violation. Additionally, the AG can order businesses to stop violating the law, require them to make restitution for any harm caused, or disgorge any profit made from illegal activities.

In February 2024, the Attorney General released a report reflecting on the first six months of the Act. This followed over 30 complaints from consumers, primarily about the right to delete personal data, and provided insights into enforcement priorities going forward - such as curating robust privacy policies, handling sensitive data with care, protecting teen data, and regulating data brokers

He also suggests several amendments to strengthen the CTDPA, including a reduction in exemptions for non-profits and entities under GLBA and HIPAA, and the implementation of a "one-stop-shop" deletion mechanism similar to California's Delete Act. He also mentioned improving "right to know" disclosures, expanding the definition of biometric data, and clarifying protections for teen data - particularly regarding targeted advertising. These changes aim to align the CTDPA more closely with other state data privacy laws and enhance overall consumer protection.


How to comply with the CTDPA

There are also clear and manageable steps businesses can take going forward:

  • Conduct data audits: perform thorough audits to document data processing activities.

  • Develop Policies: implement data minimization and robust security policies.

  • Consumer requests: establish processes to handle requests for data access, correction, and deletion.

  • Opt-out mechanisms: implement clear opt-out mechanisms for data sales and targeted advertising.

By following these steps, businesses can ensure they are compliant with the CTDPA and ready for 2025. 


How does it compare with other state laws?

The Connecticut Act aligns closely with consumer rights in states like California, Virginia, and Colorado. However, the CTDPA stands out in a few notable ways. 

Firstly, there is no revenue threshold; unlike California’s CPRA, which applies to businesses with over $25 million in revenue, the CTDPA does not set a financial bar for compliance. This makes the CTDPA particularly consumer-focused for broader protection across various business sizes.

The CTDPA also introduces a unique phased compliance period, which allows businesses to adapt gradually and fine-tune their compliance strategies. Businesses should seize this opportunity to get their compliance measures in place. By acting proactively during this grace period, they can ensure they meet all requirements, avoid future penalties, as well as demonstrate a commitment to data privacy.


Need to start compliance with CTDPA?

Previous
Previous

The NHDPA: New Hampshire's stand for consumer data privacy

Next
Next

The European Health Data Space (EHDS): A new era for EU health data management