Connecticut Will Soon Have Its Own Privacy Law | Connecticut Data Privacy Act – CTDPA
Data privacy is a very 21st-century issue, and is likewise one that’s only becoming more pertinent as time goes on. Every day, new technologies and digital tools make way for novel risks to consumers’ privacy and data security.
Yet, at the same time, there is a heightened public awareness of these risks – and a corresponding demand for better protection. In response, lawmakers and regulators around the world are starting to take action, imposing new rules and regulations on how companies can collect, use, and protect consumers’ data.
The State Of Privacy Laws
The effort to support online privacy and regulate consumer data use has been a long and confusing one to date. So far, it’s been mainly administered through patchwork-like systems, which cover different geographical and political areas and each have their own specific set of guidelines. You’ve probably already seen this in some of the more popular regulations to be released – such as the GDPR, which protects EU citizens, and the PDPA, which covers those of Thailand and Singapore.
The United States is in a unique situation when it comes to honing this type of policy, however, with several different regulatory systems making up its position. Unlike regions such as the EU and countries like Singapore, it does not have broader comprehensive guidelines on consumer data protection. Despite a few national laws that touch on the issue, the US largely leaves this responsibility to individual states.
As a result, we’ve seen a less cohesive approach, with four states being the most prominent in terms of implemented guidelines.
Connecticut has most recently become the fifth state in the country to pass its own data privacy law. The Connecticut Data Privacy Act (CTDPA), which is set to come into effect July 2023, follows California (CCPA), Virginia (CDPA), Colorado (CPA) and Utah in instituting statewide policy on the matter.
Background Information On The CTDPA
The Connecticut Data Privacy Act was created with the aim of establishing a framework for the state’s broader privacy protections. It’s the result of years of efforts and discussions on the matter, and has been working its way through the legislature since the beginning of the year.
Proponents of the bill cite it as one of the strongest privacy protections of its kind in the country. Connecticut Governor Ned Lamont signed the Act on May 10, 2022, formally instituting it into law. It’s set to take effect July 1, 2023, leaving those under its provisions only 14 months to prepare.
What the CTDPA Covers And How It’s Unique
The scope of the CTDPA follows a framework very similar to its counterparts in Virginia and Colorado, with some slight variations.
It applies to any entities conducting business in the State of Connecticut or producing products or services targeted to its residents that fall under the following conditions.
- Controlling or processing the personal information of at least 100,000 citizens (this notably excludes personal data managed or processed solely for the purpose of payment transactions)
- Controlling or processing the personal information of at least 25,000 citizens and deriving over 25% of organizational gross revenue from the sale of personal data.
Those who meet the aforementioned thresholds are subject to these provisions.
Limits On Collection And Use
Similarly to the CCPA and other state regulations, under the CTDPA data controllers are required to limit their collection of personal information to only what is reasonably necessary in relation to the reasons for which it is processed. This means that organizations are expected to minimize the amount of data they acquire from consumers, use only what is necessary, and not seek personal information that is not relevant to their operations.
The CTDPA expects data controllers to establish and maintain a reasonable extent of administrative, physical and technical data security practices in protecting the integrity of the data they collect.
CTDPA & Consent Requirements
Connecticut’s new law, like those of Colorado and Virginia, prohibits data controllers from processing sensitive data without user consent. In this context, a consumer’s consent is defined as being concise and fully informed, and cannot be acquired through the use of things like dark patterns. Data controllers are also required to institute a proper mechanism that allows consumers to revoke this consent as easily as they gave it.
The CTDPA states that if a user chooses to exercise any rights provided by the law, data controllers are prohibited from using it as a basis for discrimination. This means that if a consumer were to not provide consent to the use of their personal data, the entity requesting it would not be allowed to provide them a different quality of goods or services as a result.
Like many other bills of its kind, Connecticut’s new privacy law requires data controllers to provide users with a reasonably accessible and meaningful privacy notice upon interacting with them.
This must include:
- The types of personal information they process
- The purposes for which personal information is processed
- How consumers may exercise their privacy rights
- The types of third parties they share collected personal information with, if any
- An active electronic means of contact through which consumers can inquire for further details.
Consumer Request Response
Data controllers are required to respond to a consumer’s request without unnecessary delay and within 45 days of receiving it. This may be extended another 45 days in cases where it is deemed reasonably necessary.
CTDPA & Data Processing Contracts
Like many of its predecessors, the CTDPA requires a contractual agreement between data controllers and processors to govern their shared use of consumer data. These contracts must clearly state the parameters under which information is to be processed, the type of processing to be performed, the purpose and length of processing, as well as each party’s rights and obligations.
Data Protection Assessments
Controllers are required to conduct and record a data protection assessment in conditions where a processing activity can be considered to pose a heightened risk of harm to users.
Processing activities that fall under this requirement include:
- Processing user information for the purpose of targeted advertising
- Selling personal information
- Processing personal information for the purpose of profiling that presents a reasonable risk of substantial injury to users
- Processing sensitive information
What The CTDPA Means For The Future
As can be seen, the CTDPA is a far-reaching piece of law that has a lot of implications for organizations across the board. Compliance with these new standards is expected very soon, as the law goes into effect July 1, 2023.
This means that now is the time for data controllers in Connecticut to get their houses in order and ensure that they are taking the necessary steps to protect user information and adhere to the principles laid out in the CTDPA.
Failure to do so could result in some very hefty penalties, including fines of up to $5,000 per willful violation and a slew of other remedies.
This new law is to be exclusively enforced by the Connecticut attorney general’s office, which boasts a nationally-revered data privacy unit. It will also introduce a standing work group that will actively assess emerging data security threats that the law may need to be amended to cover.