Securiti leads GigaOm's DSPM Vendor Evaluation with top ratings across technical capabilities & business value.

View
Contact Us See a demo

Connecticut Data Privacy Act

Operationalize CTDPA Compliance with PrivacyOps Platform

Last Updated on November 8, 2023

Schedule Your
Personal Demo

Learn how you can leverage Securiti’s Data Command Center to address data security, privacy, governance, and compliance.

See a demo
Schedule your demo today

In the absence of a comprehensive federal data privacy law within the United States, states have taken it upon themselves to provide appropriate protection for their residents' data. In May 2022, Connecticut became the fifth state after California, Colorado, Virginia, and Utah to pass its own comprehensive data privacy regulation.

Senate Bill 6, known as Public Act No. 22-15 and "An Act Concerning Personal Data Privacy and Online Monitoring," was signed into law by Connecticut Governor Ned Lamont. The Connecticut Data Privacy Act (CTDPA), as it has come to be known since then, will come into effect on July 1, 2023, with additional obligations such as the requirement to recognize universal opt-out becoming effective on January 1, 2025.

The CTDPA shares several similarities with its sister regulations passed in Colorado, Virginia, Utah, and California. It applies to data controllers and processors who offer products and services to Connecticut residents and control or process the personal data of at least 100,000 consumers annually or derive over 25 percent of their gross revenue from the sale of personal data while controlling or processing the personal data of 25,000 or more consumers.

The Connecticut Attorney General has exclusive enforcement authority of CTDPA, with violations constituting unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA).

The Solution

Securiti promises thorough compliance with the Connecticut Privacy Act thanks to its PI data discovery, DSR automation, documented accountability, and AI-process automation features, among others.

These data solutions and a plethora of similar solutions, backed up by state-of-the-art artificial intelligence and machine-learning-based algorithms, make Securiti an ideal option for organizations that want to achieve effective and efficient compliance with the CTDPA.

Connecticut Data Privacy Act Compliance

Request a demo today to learn how Securiti can aid you and your organization's compliance efforts.

 

Assess Readiness

Sections: 2, 6(a), 6(b), 10(f)

Automate and schedule regular internal assessments of various internal data-related activities and mechanisms to maintain a real-time update related to their effectiveness and identify potential gaps and blindspots, allowing for timely adjustments if necessary.

CTDPA assessment
CTDPA Data Subject Request Workbench

Automate Consumer Data Request Handling

Sections: 4, 5

Organizations can easily automate the process related to data access requests while being compliant with the law.

Secure Fulfillment of Data Access & Porting Requests

Sections: 4(a)(1), 4(a)(4)

Automate the fulfillment of any and all users' data access requests while maintaining real-time updates on the status of each request via the central dashboard.

CTDPA Data Access Request Management
CTDPA data rectify request

Automate Processing of Rectification Requests

Sections:4(a)(2)

Automate the fulfillment of any and all users' data rectification requests while maintaining real-time updates on the status of each request via the central dashboard.

Automate Erasure/Destroy/Anonymize Requests

Section: 4(a)(3)

Automate the fulfillment of any and all users' data deletion requests while maintaining real-time updates on the status of each request via the central dashboard.

CTDPA data erasure request
CTDPA Cookie Consent Configuration

Automate Opt-out/GPC Requests

Sections: 4(c)(4), 6(e)(1)(A)(i), 6(e)(1)(A)(ii), 6(e)(1)(B), 6(e)(2)

Automate the fulfillment of any and all users' opt-out requests while maintaining real-time updates on the status of each request via the central dashboard and honoring the browser preference settings enabled by the user.

Automate Data Protection Impact Assessment (DPIA)

Sections: 7(a)(3), 8

Automate the execution of a data protection impact assessment (DPIA) to ensure it is conducted at regular intervals, giving you ample time, data, and insights to take appropriate actions.

CTDPA Data Protection Impact Assessment
CTDPA Universal Consent Management

Monitor & Track Consent

Sections: 1(6), 6(a)(2), 6(a)(4), 6(a)(6), 6(a)(7)

Organizations can monitor users' consent for various data processing activities via the central dashboard. This ensures that all data collection complies with the data protection requirements while guaranteeing no illegal transfers, sharing, or selling of data not consented to by the user occurs.

Automate Records of Processing Activities

Section: 4(c)(5)(A)

Automate the recording of all internal processing activities to aid in future DPIA and regulatory documentation needs.

CTDPA Records of Processing
CTDPA breach response notification

Automate Data Breach Response Notifications

Sections: 7(a)(2), 9(e)

Connecticut General Statutes Section 36a-701b
Organizations can implement and automate every step of their data breach incident response plan to ensure a proactive approach is adopted, resulting in minimal damage.

Manage Vendor Risk

Sections: 6(d), 7, 10(d)

Organizations can easily track all their vendors' data processing activities to ensure their practices comply with the law.

CTDPA manage vendor risk
CTDPA Privacy Notice Management

Privacy Policy & Notice Management

Sections: 4(b), 6(c), 6(e)

Generate privacy policies that comply with the appropriate data protection laws in informing the users about the data collection practices of the organization while also automating any notice requirements.

Assess Data Protection Measures & Enable Appropriate Security Controls

Sections: 6(a)(3), 7(a)(2), 10(a)(9)

Assess all implemented internal data protection measures' effectiveness and make any relevant changes, additions, and adjustments necessary for the appropriate degree of protection.

CTDPA data protection assessment
ctdpa data mapping overview

Map Data to Discover & CatalogSensitive Personal Information

Sections: 1(27), 8(a)(4)

Automate all incoming and outgoing data transfers in real-time to ensure all transfers are compliant with the appropriate data protection requirements.

Automate Data Classification & Labeling

Sections: 1(13), 8(b), 9(a), 9(b), 9(e)

Automate the data classification and labeling process to get better insights related to all personal and sensitive data assets.

ctdpa data classification

Key Rights Under CTDPA

Here are the rights guaranteed to all Connecticut residents by the CTDPA:

Right to Access

All consumers have the right to know and confirm whether or not a controller is processing the consumer's personal data and accessing this personal data unless such confirmation or access would require the controller to reveal a trade secret.

Right to Correction

All consumers have the right to correct inaccuracies in their personal data that may have become outdated/incomplete/obsolete since its collection, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.

Right to Deletion

All consumers have the right to request the deletion of all their data collected for the purposes of the processing.

Right to Copy

All consumers have the right to obtain a copy of the consumer's personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that can be used to transmit the data to another controller without any unnecessary hindrance.

Right to Opt-Out of the Processing

All consumers have the right to opt out of any processing of their data related to targeted advertising, sale of their personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Facts To Know About the CTDPA

Here are something important facts to know about the CTDPA:

1

Non-profit organizations, higher education institutes, national securities associations, financial institutions subject to the Gramm–Leach–Bliley Act (GLBA), and state bodies, authorities, boards, bureaus, commissions, districts, and agencies are exempt from the CTDPA;

2

CTDPA does not apply to certain information such as protected health information, patient identification, information used for public health activities, personal data regulated by Family Educational Rights and Privacy Act, and data processed and controlled under Farm Credit Act, etc.;

3

A controller must respond to all consumer rights requests without undue delay but not later than forty-five (45) days after receiving the request;

4

The controller may request forty-five (45) additional days extension if reasonably necessary to respond to consumer rights requests;

5

A controller may charge the consumer a reasonable fee to cover the administrative costs of complying with consumer requests if they are manifestly unfounded, excessive, or repetitive;

6

All controllers are required to have a privacy policy on their website that includes the categories of personal data processed by the controller, the purpose for processing personal data, how consumers may exercise their consumer rights, the categories of personal data that the controller shares with third parties, the categories of third parties, if any, with which the controller shares personal data, and an active electronic mail address or other online mechanisms that the consumer may use to contact the controller;

7

All controllers must conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer;

8

During the period beginning on July 1, 2023, and ending on December 31, 2024, the Attorney General shall, before initiating any action for a violation of the CTDPA, issue a notice of violation to the controller if the Attorney General determines that a cure is possible;

9

The controller will have sixty (60) days from the receipt of the notice to cure any violation.

IDC MarketScape

Securiti named a Leader in the IDC MarketScape for Data Privacy Compliance Software

Read the Report
Please enter a minimum of 3 characters to begin your search.

Videos

View More

January 20, 2025

Mitigating OWASP Top 10 for LLM Applications 2025

Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...

View More

January 15, 2025

DSPM vs. CSPM – What’s the Difference?

While the cloud has offered the world immense growth opportunities, it has also introduced unprecedented challenges and risks. Solutions like Cloud Security Posture Management...

View More

January 15, 2025

Top 6 DSPM Use Cases

With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...

View More

January 2, 2025

Colorado Privacy Act (CPA)

What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...

View More

December 24, 2024

Securiti for Copilot in SaaS

Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...

View More

November 1, 2024

Top 10 Considerations for Safely Using Unstructured Data with GenAI

A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....

View More

October 29, 2024

Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes

As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...

View More

August 12, 2024

Navigating CPRA: Key Insights for Businesses

What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...

View More

June 3, 2024

Navigating the Shift: Transitioning to PCI DSS v4.0

What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...

View More

January 29, 2024

Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)

AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...

Spotlight Talks

Spotlight 13:38

Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines

Sanofi Thumbnail
Watch Now View
Spotlight 10:35

There’s Been a Material Shift in the Data Center of Gravity

Watch Now View
Spotlight 14:21

AI Governance Is Much More than Technology Risk Mitigation

AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3

You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge

Watch Now View
Spotlight 47:42

Cybersecurity – Where Leaders are Buying, Building, and Partnering

Rehan Jalil
Watch Now View
Spotlight 27:29

Building Safe AI with Databricks and Gencore

Rehan Jalil
Watch Now View
Spotlight 46:02

Building Safe Enterprise AI: A Practical Roadmap

Watch Now View
Spotlight 13:32

Ensuring Solid Governance Is Like Squeezing Jello

Watch Now View
Spotlight 40:46

Securing Embedded AI: Accelerate SaaS AI Copilot Adoption Safely

Watch Now View
Spotlight 10:05

Unstructured Data: Analytics Goldmine or a Governance Minefield?

Viral Kamdar
Watch Now View

Latest

Pete Angstadt joins Securiti View More

June 1, 2025

Why I joined Securiti

I’m thrilled to be joining Securiti as they embark on their next phase of growth. Why did I decide to join? In short -...

AI System Observability: Go Beyond Model Governance View More

May 20, 2025

AI System Observability: Go Beyond Model Governance

Across industries, AI systems are no longer just tools acting on human prompts. The AI landscape is evolving rapidly, and AI systems are gaining...

Top Data Security Challenges & How to Solve Them View More

June 1, 2025

Top Data Security Challenges & How to Solve Them

Learn the top data security challenges organizations face today. Learn about the challenge and its solution. Enhance your data security posture today.

View More

May 29, 2025

How to Implement a Robust Data Security Framework

Data privacy regulations mandate strict data security measures. Learn how to implement a robust data security framework to ensure swift compliance.

Mastering Cookie Consent: Global Compliance & Customer Trust View More

May 28, 2025

Mastering Cookie Consent: Global Compliance & Customer Trust

Discover how to master cookie consent with strategies for global compliance and building customer trust while aligning with key data privacy regulations.

Why Data Access Is Your Weakest Link—And How DSPM Fixes It View More

May 28, 2025

Why Data Access Is Your Weakest Link—And How DSPM Fixes It

Learn how DSPM provides unified Data+AI Access governance, offering contextual data intelligence, automated controls, safe AI+data access, and consistent least-privilege enforcement.

From AI Risk to AI Readiness: Why Enterprises Need DSPM Now View More

June 3, 2025

From AI Risk to AI Readiness: Why Enterprises Need DSPM Now

Discover why shifting focus from AI risk to AI readiness is critical for enterprises. Learn how Data Security Posture Management (DSPM) empowers organizations to...

The European Health Data Space Regulation View More

May 25, 2025

The European Health Data Space Regulation: A Legislative Timeline and Implementation Roadmap

Download the infographic on the European Health Data Space Regulation, which features a clear timeline and roadmap highlighting key legislative milestones, implementation phases, and...

Gencore AI and Amazon Bedrock View More

January 7, 2025

Building Enterprise-Grade AI with Gencore AI and Amazon Bedrock

Learn how to build secure enterprise AI copilots with Amazon Bedrock models, protect AI interactions with LLM Firewalls, and apply OWASP Top 10 LLM...

DSPM Vendor Due Diligence View More

November 18, 2024

DSPM Vendor Due Diligence

DSPM’s Buyer Guide ebook is designed to help CISOs and their teams ask the right questions and consider the right capabilities when looking for...

What's
New