On May 10, 2022, Connecticut Governor Ned Lamont signed into law Senate Bill No. 6, An Act Concerning Personal Data Privacy and Online Monitoring, also known as the Connecticut Data Privacy Act (CTDPA), joining California (CCPA), Colorado (CPA), Virginia (VCDPA), and Utah (UCPA) among the states with comprehensive data privacy laws.
The CTDPA will go into effect on July 1, 2023 and will affect persons that do business in Connecticut or provide products/services to residents of Connecticut. In other words, your organization does not need to be located in Connecticut to be affected by the CTDPA.
The CTDPA is a new comprehensive privacy law in Connecticut that was signed into law on May 10, 2022, and becomes effective on July 1, 2023.
This law requires you to provide consumers with clear and meaningful privacy notices that include information on personal data processing, purposes, consumer rights, and third-party sharing, among other requirements. The law also requires you to obtain prior consent for the processing of sensitive data, the processing of personal data for targeted advertising or sale (whenever the consumer is at least 13 but younger than 16), and to provide consumers with opt-out links for targeted advertising or sale.
Consumers in Connecticut will have enhanced rights under this law, including the rights to access, correct, and delete their personal data. You must also conduct data protection assessments and provide an easy way for consumers to withdraw their consent.
The law also sets a deadline of January 1, 2025 for businesses to respect consumer opt-out preference signals.
The CTDPA is similar to other comprehensive privacy laws in other states, such as the Virginia Consumer Data Privacy Act (VCDPA), and focuses on protecting consumer data privacy and giving consumers control over their personal information.
Under the Connecticut Data Privacy Act (CTDPA), “personal data” is defined as any information that is linked or reasonably linkable to an identified or identifiable individual. This includes any data that can be used to identify an individual, such as a name, address, phone number, email address or social security number. However, the definition of personal data does not include de-identified data or publicly available information.
Whether your organization will be affected by the Connecticut Data Privacy Act (CTDPA) depends on whether it meets certain criteria. Specifically, the provisions of the Act apply to persons that conduct business in Connecticut or produce products or services that are targeted to Connecticut’s residents and that during the preceding calendar year:
If your organization meets either of these criteria, then it will be subject to the provisions of the CTDPA.
Under Connecticut’s new privacy law, consumers have several rights when it comes to their personal data. The following is a list of the consumer rights included in the law:
⚠️ If the personal data being processed belongs to a known child, the parent or legal guardian may exercise these consumer rights on behalf of the child.
You must provide your consumers with clear and accessible ways to exercise these rights.
This means that you must have a mechanism in place for consumers to request access to, correction of, or deletion of their personal data. Additionally, you must provide consumers with a clear and accessible way to opt out of the processing of their personal data for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Sensitive data refers to personal data that requires extra protection due to its potential impact on an individual’s privacy and fundamental rights. The Connecticut law recognizes the following types of sensitive data:
⚠️ You are required to obtain a consumer’s prior consent for the processing of the consumer’s:
Opt-out links and a universal mechanism for submitting opt-out requests are important features of the CTDPA. Specifically, the Act requires you to provide a “clear and conspicuous link” on your website for consumers to opt out of the sale or targeted advertising of their personal data. This requirement takes the CTDPA a step closer to the CPRA model with reference to the processing for sale and targeted advertising.
Effective January 1, 2025, you must also allow consumers to opt out of the processing of their personal data for targeted advertising or sale through an opt-out preference signal sent via a platform, technology, or mechanism, with the consumer’s consent.
This mechanism must:
It is essential that you comply with these opt-out requirements to ensure consumers have the ability to control their personal data and protect their privacy. If your business hasn’t started doing so already, you must respect opt-out preference signals by January 1, 2025.
The Connecticut Data Privacy Act (CTDPA) is a comprehensive privacy law that will significantly impact the way businesses collect, process, and share personal data of Connecticut residents. As the CTDPA comes into effect on July 1, 2023, businesses operating in Connecticut must start preparing now to comply with the new law.