Overview of the Connecticut Data Privacy Act (CTDPA)

1. Introduction

In the absence of a comprehensive federal data privacy law, states within the United States are enacting their own data privacy laws. Connecticut is the latest addition to the growing list of US states that have recently successfully enacted legislation around consumer data privacy and protection.

The Connecticut Senate Bill 6: An Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) is broadly modeled on the recently enacted Colorado Privacy Act (CPA); however, there are certain differences that set CTDPA apart, such as greater privacy rights for children. Similar to most other privacy legislations, the CTDPA will enable consumers to have greater control over the transparency and processing of their personal data, including better visibility into who processes and shares their personal data.

The act was signed into law by Gov. Ned Lamont, D-Conn. On 10th May 2022 and will go into effect on 1 July 2023. Let’s take a quick look at the important provisions of CTDPA along with the underlying rights and obligations.

2. Who Needs to Comply With the CTDPA

Like most other state privacy laws, the CTDPA also defines its scope, outlining certain types of data and entities which are exempt from the application of its provisions.

2.1 Material Scope

The law applies to all personal data that can be identified or linked to an identifiable individual, with the exception of de-identified data or publicly available information.

However, the following types of data are exempt from its application:

• Medical data: Protected health information regulated under HIPAA, including personal information that can be used to identify patients as well as identifiable personal information for purposes of the federal policy for the protection of human subjects. Personal data that is used or shared in research and information used for public health services is also exempted.
• Data covered under the Gramm-Leach-Bliley Act (GLBA): Personal Information maintained by a covered entity or business associate; or
• Fair Credit Reporting Act (FCRA) covered data: Personal information collected, maintained, disclosed, sold, or used by a consumer reporting agency only to the extent of such activity being regulated by and authorized under the Fair Credit Reporting Act.
• Driver data: Personal information that is subject to compliance with the Driver’s Privacy Protection Act.
• Family Educational Rights and Privacy Act (FERPA) data: Personal data regulated by the Family Educational Rights and Privacy Act.
• Employment data: Personal information pertaining to employment or emergency contact information.
• Airline data: Personal data collected, processed, sold, or disclosed as per the Airline Deregulation Act by air carriers.

2.2 Territorial Scope

The law applies to businesses that are operating in the state of Connecticut or offering goods and services targeted to Connecticut residents and that during the preceding year:

• controlled or processed the personal data of no less than 100,000 consumers, excluding the personal data controlled or processed solely for the purpose of completing a payment transaction or,
• controlled or processed the personal data of 25,000 consumers, deriving 25% or more of their gross revenue from selling that data.

2.3 Exceptions

The provisions of the law do not apply to:

1. Government or federal agencies;
2. Higher educational institutions;
3. Non-profit organizations, hospitals;
4. National security associations registered under the Securities Exchange Act;
5. Covered entities or business associates and financial institutions that are subject to the Gramm-Leach-Bliley Act (GLBA);
6. Covered entities and business associates as defined by the Health Insurance Portability and Accountability Act (HIPAA).

3. Definition of Key Terms

3.1 Consumer

Consumer means any resident of the state of Connecticut whose personal data or sensitive personal data is collected or processed.

3.2 Controller

It includes any individual or legal entity that determines the purpose and means of processing a consumer’s personal or sensitive personal data.

3.3 Processor

It is an individual or entity that processes personal or sensitive personal data on a controller’s behalf.

3.4 Third Party

It could include any individual or entity other than the consumer, controller, or processor.

3.5 Personal Data

It includes any data that is reasonably linked to any identified or identifiable natural person. It doesn’t include any de-identified data or publicly available information.

3.6 Sensitive Data

It includes personal data such that:

• data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, or citizenship or immigration status;
• the processing of genetic or biometric data for the purpose of uniquely identifying any individual; personal data collected from a known child; or
• precise geolocation data.

3.7 Dark Pattern

Dark pattern refers to:

1. user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice, and
2. includes, but is not limited to, any practice the Federal Trade Commission refers to as a "dark pattern".

4. Obligations for Organizations Under the CTDPA

The law provides for several obligations that controllers and processors must duly comply with. Here’s a quick overview of some of the key obligations:

4.1 General Principles of Processing

Under the law, the organizations or data controllers must make sure that the personal data or sensitive personal data of a consumer is processed while complying with the following guidelines:

• Organizations must practice data minimization and limit the collection of personal data to what is reasonably necessary and adequate for the purpose it was intended;
• Personal data shouldn’t be processed for purposes that are not reasonably necessary unless the consumer has provided their explicit consent;
• Organizations must ensure adequate technical and physical security measures are in place for the protection of consumers’ personal data;
• Organizations must not process the sensitive personal data of consumers without consent;
• Organizations are prohibited from treating a consumer unfairly if the consumer exercises any of his or her rights under the bill;
• Where an organization has actual knowledge and wilfully disregards, that the consumer is at least thirteen years of age but younger than sixteen years of age, it cannot process the personal data of the consumer for purposes of targeted advertising, or sell the consumer's personal data without his/her consent;
• Similarly, to process the personal data of minors, consent of their parents or guardians is to be obtained as outlined by the Children's Online Privacy Protection Rule;
• Organizations should not process personal data in violation of the state or federal laws that prohibit unlawful discrimination against consumers.

4.2 Non-Discrimination

The controllers should not discriminate against a consumer for exercising any of their rights contained in the act by denying them goods or services, charging them different prices, or providing a different level of quality of goods and services.

However, this requirement does not prohibit a controller from offering a distinct rate (including discounts or product/service at no fee), quality, or selection of a product or service to the consumer, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.

4.3 Consent Requirements

Under the law, the consent of a consumer must be affirmative, freely given, clear, informed, and unambiguous. Also, data controllers must provide an effective mechanism for a consumer to revoke the consent under the law that is as easy as the mechanism through which the consumer provided consent. Upon revocation of the consent, the controller should cease to process the data as soon as practicable, but no later than fifteen (15) days after the receipt of such request.

Moreover, the law prohibits organizations from using any dark patterns for consent. It defines dark patterns as user interfaces designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.

Consent will not be deemed valid if it is acceptance of general or broad terms of use. Lastly, hovering, muting, pausing, or closing a given piece of content will also not be considered consent.

4.4 Privacy Notice Requirements

The controllers are required to present a clear and accessible privacy notice on their website or application, including the following information:

1. the categories of personal data collected on them;
2. the purpose for processing their personal data;
3. the categories of personal data shared with any third party;
4. the process through which the consumers can exercise their rights, including the appeal process regarding the refusal of a consumer request;
5. An active electronic mail address through which the consumer can contact the controller.

4.5 Processor/Service Provider Agreements

The law mandates that there should be an agreement between a controller and a processor governing the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract should be binding and clearly set forth instructions for processing data, the nature, and purpose of processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties.

Also, the contract must also require that the processor:

1. ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
2. at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
3. upon the reasonable request of the controller, to make available to the controller all information in its possession necessary to demonstrate the processor's compliance with the obligations in the act;
4. after providing the controller an opportunity to object, to engage any subcontractor in line with a written contract to meet the obligations of the processor with respect to the personal data; and
5. to allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor using an appropriate and accepted control standard or framework and assessment procedure for such assessments and subsequently provide a report of such assessment to the controller upon request.

4.6 Data Protection Assessment

The law requires the controllers to conduct data protection impact assessment (DPA) for processing activities that present a heightened risk of harm to consumers, including the following:

• the processing of personal data for targeted advertising;
• the sale of personal data;
• the processing of personal data for the purposes of profiling presents a reasonably foreseeable risk, such as unfair or deceptive treatment, intrusion in the private affairs of the consumer which would be considered offensive to a reasonable person, or a financial, physical, or reputational injury to a consumer;
• the processing of sensitive data.

The DPA may take into account any reasonable expectation of the consumer, use of any de-identified data, or the context of processing and relationship between the controller and the consumer whose personal data is to be processed.

The law further requires data controllers to maintain a record of DPAs for auditing purposes by the Attorney General. However, such records must remain confidential and exempt from any disclosure under the Freedom of Information Act. In the case where any information contained in a data protection assessment that is disclosed to the Attorney General includes information subject to the attorney-client privilege or work product protection, such disclosure would not constitute a waiver of such privilege or protection.

The requirement to conduct DPA is only applicable for processing activities created or generated after July 1, 2023.

5. Data Subject Rights Under the CTDPA

Data subject rights are one of the most important components of every privacy law. The CTDPA provides the following rights to the consumers:

5.1 Right to Confirm Processing and Access

The consumers have a right to confirm whether or not a controller is processing their personal data and accessing such personal data unless such confirmation or access would require the controller to reveal a trade secret.

5.2 Right to Correct

The consumers have a right to request the controller to fix any inaccuracies in the personal data they have collected on the consumer. However, this right is subject to the nature of the personal data which is collected and the purpose of its processing.

5.3 Right to Delete

The consumers have a right to delete their personal data, which is provided to or obtained about them by the controller.

5.4 Right to Obtain a Copy of Personal Data

The consumers have a right to obtain a copy of their personal data from the controller in a portable and readily usable format, and in a manner that makes it feasible for the consumer to forward the data to any other controller or business without any hindrances.

5.5 Right to Opt-Out

The consumers have a right to opt-out from the processing of their personal data for any or all of the following purposes:

• Targeted advertising,
• Sale of personal data,
• Automated profiling.

A consumer can also designate an authorized agent to exercise their right to opt-out from the processing of the personal data on their behalf.

The controllers must be able to recognize and honor a global opt-out preference signal received from a platform, technology, or mechanism with the consumer's consent. It is to be noted, however, that these platforms should:

• Not unfairly disadvantage another controller and be consumer-friendly and easy to use by an average consumer; or
• Not use any default setting but rather require an affirmative, freely given, and unambiguous choice to opt-out of any processing of such consumer’s personal data;
• Be consistent with any other similar platform required by any federal or state law;
• Allow the consumer to easily determine the residency of the consumer and whether the consumer has made a legitimate request to opt-out of the sale of their personal data or targeted advertising.

Time Period to Fulfill DSR Request:
A controller must respond to all DSR requests within forty-five (45) days after receiving them. A further extension of forty-five (45) days is possible when reasonably necessary, considering the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial forty-five (45) days period.

Charges for DSR Request Fulfillment:
Information provided in response to a consumer request must be provided by a controller, free of charge, once per consumer during any 12-month period. If the consumer requests are manifestly unfounded, excessive, or repetitive, then the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.

Denial of DSR Request:
If a controller is unable to authenticate a request to exercise any of the rights listed in this act, by using commercially reasonable efforts, the controller is not obligated to comply with a request and should provide notice to the consumer of such a situation. Similarly, a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that such a request is fraudulent. In this case, the controller should send a notice to the consumer disclosing that the controller believes such request is fraudulent, why the controller believes such a request is fraudulent and that the controller shall not comply with such request.

Appeal Against Refusal:
The process established for the consumer to appeal the controller's refusal to take action must be available in a conspicuous manner, without causing additional cost to the consumer, while also being similar to the process of making other consumer requests. The controller must inform the consumer of any action taken or not taken concerning their appeal within sixty (60) days of receiving the appeal, alongside a written explanation of the reasons behind the decision. If the appeal is denied, the controller shall ensure they communicate an online mechanism to the consumer allowing them to contact the Attorney General's office to submit an official complaint.

6. Regulatory Authority

The Connecticut Attorney General (AG) is the exclusive regulatory authority responsible for the enforcement of the law.

Between July 1, 2023, and December 31, 2024: the Attorney General must send a notice of violation to the controller if the AG believes that a cure is possible, before taking any action pursuant to the provisions of the law. If the controller fails to cure the violation within a 60-day period, the AG may proceed with the enforcement actions.

Moreover, after February 1, 2024: The AG shall submit a report to the General Assembly detailing the number of notices of violation the AG has sent, the nature of the violation, and the number of cured violations during the 60-day cure period.

Further, from January 1, 2025, the AG may, in determining whether to grant a controller or processor the opportunity to cure an alleged violation, consider the following:

• the number of violations;
• the size and complexity of the controller or processor;
• the nature and extent of the controller's or processor's processing activities;
• the substantial likelihood of injury to the public;
• the safety of persons or property; and
• whether such alleged violation was likely caused by human or technical error.

7. Any Important Exemptions

The Act includes some substantive exemptions, where no provisions in the act can be used to restrict a controller's or processor's ability to:

• Comply with federal, state, or municipal ordinances or regulations;
• Cooperate with law enforcement agencies concerning conduct or activity;
• Investigate, establish, exercise, prepare for or defend legal claims;
• Provide a product or service specifically requested by a consumer;
• Perform contractual obligations with a consumer, including fulfilling the terms of a written warranty;
• Protect an interest that is essential for the life or physical safety of the consumer or another individual;
• Prevent, detect, protect against or respond to security incidents, identity theft, fraud, harassment, and malicious activities;
• Engage in public or peer-reviewed scientific or statistical research in the public interest that, provides substantial benefits that do not exclusively accrue to the controller, or has expected benefits that outweigh privacy risks, and whether the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with re-identification;
• Assist another controller, processor, or third party with the fulfillment of any of the obligations under this act;
• Process personal data for reasons of public interest in the area of public health, community health, or population health;
• Collect, use or retain data for internal use to improve or repair products, services, or technology, effectuate a product recall, or identify and repair technical errors that impair existing or intended functionality.

Moreover, the obligations imposed on controllers or processors under the law shall not apply where compliance by the controller or processor would violate an evidentiary privilege under the laws of the State of Connecticut.

8. Penalties For Non-Compliance

Any violation of the law is an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA) and the violator may face civil penalties of up to $5,000 per willful violation as well as other equitable remedies pursuant to the CUTPA, including restitution, disgorgement, and injunctive relief.

9. How an Organization Can Operationalize the Law

Following are some of the important steps that businesses should take to bolster the foundation for compliance with the law:

• Streamline and automate your DSR fulfillment framework to speed up consumer verification, personal data linking to its owner, and timely fulfillment processes;
• Conduct a regular data protection impact assessment to avoid any significant harm to the consumers via the processing of their personal data;
• Have pre-built privacy notice templates ready, built on the relevant jurisdictional laws that are applicable to the business; and
• Provide clear opt-out signals on the official website for consumers who wish to exercise their right to opt-out of sharing or disclosing their personal information.

10. How Securiti Can Help

Securiti is a global leader in privacy management, enabling organizations to streamline their compliance practices, optimize data security, and strengthen governance. With its AI-driven robotic automation, Securiti helps you automate your data protection impact assessments, real-time data mapping, DSR fulfillment, privacy notice management, breach notification management, and universal consent management.

Request a demo to see Securiti in action and learn more about how the solution can assist you in meeting compliance.