In the absence of a comprehensive federal data privacy law, states within the United States are enacting their own data privacy laws. Connecticut is the latest addition to the growing list of US states that have recently successfully enacted legislation around consumer data privacy and protection.
The Connecticut Senate Bill 6: An Act Concerning Personal Data Privacy and Online Monitoring (CTDPA) is broadly modeled on the recently enacted Colorado Privacy Act (CPA); however, certain differences set the CTDPA apart, such as greater privacy rights for children. Similar to most other privacy legislation, the CTDPA will give consumers greater control over the transparency and processing of their personal data, including better visibility into who processes and shares their personal data.
The act was signed into law by Gov. Ned Lamont, D-Conn., on 10th May 2022 and will go into effect on 1 July 2023. Let’s take a quick look at the important provisions of the CTDPA along with the underlying rights and obligations.
Like most other state privacy laws, the CTDPA also defines its scope, outlining certain types of data and entities which are exempt from the application of its provisions.
The law applies to all personal data that can be identified or linked to an identifiable individual, with the exception of de-identified data or publicly available information.
However, the following types of data are exempt from its application:
The law applies to businesses that are operating in the state of Connecticut or offering goods and services targeted to Connecticut residents and that during the preceding year:
The provisions of the law do not apply to:
Consumer means any resident of the state of Connecticut whose personal data or sensitive personal data is collected or processed.
Controller means any individual or legal entity that determines the purpose and means of processing a consumer’s personal or sensitive personal data.
Processor means an individual or entity that processes personal or sensitive personal data on a controller’s behalf.
Third party means any individual or entity other than the consumer, controller, or processor.
Personal data means any data that is reasonably linked to an identified or identifiable natural person. It does not include de-identified data or publicly available information.
Sensitive data means personal data such that:
Dark pattern refers to:
The law provides for several obligations that controllers and processors must duly comply with. Here’s a quick overview of some of the key obligations:
Under the law, the organizations or data controllers must make sure that the personal data or sensitive personal data of a consumer is processed while complying with the following guidelines:
The controllers should not discriminate against a consumer for exercising any of their rights contained in the act by denying them goods or services, charging them different prices, or providing a different level of quality of goods and services.
However, this requirement does not prohibit a controller from offering a distinct rate (including discounts or product/service at no fee), quality, or selection of a product or service to the consumer, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.
Under the law, the consent of a consumer must be affirmative, freely given, clear, informed, and unambiguous. Also, data controllers must provide an effective mechanism for a consumer to revoke the consent under the law that is as easy as the mechanism through which the consumer provided consent. Upon revocation of the consent, the controller should cease to process the data as soon as practicable, but no later than fifteen (15) days after the receipt of such request.
Moreover, the law prohibits organizations from using any dark patterns for consent. It defines dark patterns as user interfaces designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision-making, or choice.
Consent will not be deemed valid if it is acceptance of general or broad terms of use. Lastly, hovering, muting, pausing, or closing a given piece of content will also not be considered consent.
The controllers are required to present a clear and accessible privacy notice on their website or application, including the following information:
The law mandates that there be an agreement between a controller and a processor governing the processor's data processing procedures with respect to processing performed on behalf of the controller. The contract must be binding and clearly set forth the instructions for processing data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the rights and obligations of both parties.
The contract must also require that the processor:
The law requires controllers to conduct a data protection impact assessment (DPA) for processing activities that present a heightened risk of harm to consumers, including the following:
The DPA may take into account any reasonable expectation of the consumer, use of any de-identified data, or the context of processing and relationship between the controller and the consumer whose personal data is to be processed.
The law further requires data controllers to maintain a record of DPAs for auditing purposes by the Attorney General. However, such records must remain confidential and exempt from any disclosure under the Freedom of Information Act. In the case where any information contained in a data protection assessment that is disclosed to the Attorney General includes information subject to the attorney-client privilege or work product protection, such disclosure would not constitute a waiver of such privilege or protection.
The requirement to conduct a DPA applies only to processing activities created or generated after July 1, 2023.
Data subject rights are one of the most important components of every privacy law. The CTDPA provides the following rights to the consumers:
Consumers have a right to confirm whether or not a controller is processing their personal data and to access such personal data, unless such confirmation or access would require the controller to reveal a trade secret.
Consumers have a right to request that the controller correct any inaccuracies in the personal data it has collected about them. However, this right is subject to the nature of the personal data collected and the purpose of its processing.
Consumers have a right to delete the personal data that they provided to the controller or that the controller obtained about them.
The consumers have a right to obtain a copy of their personal data from the controller in a portable and readily usable format, and in a manner that makes it feasible for the consumer to forward the data to any other controller or business without any hindrances.
The consumers have a right to opt-out from the processing of their personal data for any or all of the following purposes:
A consumer can also designate an authorized agent to exercise their right to opt-out from the processing of the personal data on their behalf.
The controllers must be able to recognize and honor a global opt-out preference signal received from a platform, technology, or mechanism with the consumer's consent. It is to be noted, however, that these platforms should:
Time Period to Fulfill DSR Request:
A controller must respond to all DSR requests within forty-five (45) days of receiving them. A further extension of forty-five (45) days is possible when reasonably necessary, considering the complexity and number of the consumer's requests, so long as the controller informs the consumer of the extension within the initial forty-five (45) day period.
Charges for DSR Request Fulfillment:
Information provided in response to a consumer request must be provided by a controller, free of charge, once per consumer during any 12-month period. If the consumer requests are manifestly unfounded, excessive, or repetitive, then the controller may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.
Denial of DSR Request:
If a controller, using commercially reasonable efforts, is unable to authenticate a request to exercise any of the rights listed in this act, the controller is not obligated to comply with the request and should notify the consumer of that fact. Similarly, a controller may deny an opt-out request if the controller has a good-faith, reasonable, and documented belief that the request is fraudulent. In this case, the controller should send the consumer a notice disclosing that the controller believes the request is fraudulent, why the controller believes so, and that the controller will not comply with the request.
Appeal Against Refusal:
The process established for the consumer to appeal the controller's refusal to take action must be available in a conspicuous manner, without causing additional cost to the consumer, while also being similar to the process of making other consumer requests. The controller must inform the consumer of any action taken or not taken concerning their appeal within sixty (60) days of receiving the appeal, alongside a written explanation of the reasons behind the decision. If the appeal is denied, the controller shall ensure they communicate an online mechanism to the consumer allowing them to contact the Attorney General's office to submit an official complaint.
The Connecticut Attorney General (AG) is the exclusive regulatory authority responsible for the enforcement of the law.
Between July 1, 2023, and December 31, 2024, the Attorney General must send a notice of violation to the controller, before taking any action pursuant to the provisions of the law, if the AG believes that a cure is possible. If the controller fails to cure the violation within a 60-day period, the AG may proceed with enforcement actions.
Moreover, after February 1, 2024, the AG shall submit a report to the General Assembly detailing the number of notices of violation the AG has sent, the nature of the violations, and the number of violations cured during the 60-day cure period.
Further, from January 1, 2025, the AG may, in determining whether to grant a controller or processor the opportunity to cure an alleged violation, consider the following:
The Act includes some substantive exemptions, where no provisions in the act can be used to restrict a controller's or processor's ability to:
Moreover, the obligations imposed on controllers or processors under the law shall not apply where compliance by the controller or processor would violate an evidentiary privilege under the laws of the State of Connecticut.
Any violation of the law is an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA) and the violator may face civil penalties of up to $5,000 per willful violation as well as other equitable remedies pursuant to the CUTPA, including restitution, disgorgement, and injunctive relief.
Following are some of the important steps that businesses should take to bolster the foundation for compliance with the law:
Securiti is a global leader in privacy management, enabling organizations to streamline their compliance practices, optimize data security, and strengthen governance. With its AI-driven robotic automation, Securiti helps you automate your data protection impact assessments, real-time data mapping, DSR fulfillment, privacy notice management, breach notification management, and universal consent management.
Request a demo to see Securiti in action and learn more about how the solution can assist you in meeting compliance.