Securiti launches Gencore AI, a holistic solution to build Safe Enterprise AI with proprietary data - easily

View

Connecticut Data Privacy Act

Operationalize CTDPA Compliance with PrivacyOps Platform

Last Updated on November 8, 2023

Schedule Your
Personal Demo

Learn how you can leverage Securiti’s Data Command Center to address data security, privacy, governance, and compliance.

See a demo
Schedule your demo today

In the absence of a comprehensive federal data privacy law within the United States, states have taken it upon themselves to provide appropriate protection for their residents' data. In May 2022, Connecticut became the fifth state after California, Colorado, Virginia, and Utah to pass its own comprehensive data privacy regulation.

Senate Bill 6, known as Public Act No. 22-15 and "An Act Concerning Personal Data Privacy and Online Monitoring," was signed into law by Connecticut Governor Ned Lamont. The Connecticut Data Privacy Act (CTDPA), as it has come to be known since then, will come into effect on July 1, 2023, with additional obligations such as the requirement to recognize universal opt-out becoming effective on January 1, 2025.

The CTDPA shares several similarities with its sister regulations passed in Colorado, Virginia, Utah, and California. It applies to data controllers and processors who offer products and services to Connecticut residents and control or process the personal data of at least 100,000 consumers annually or derive over 25 percent of their gross revenue from the sale of personal data while controlling or processing the personal data of 25,000 or more consumers.

The Connecticut Attorney General has exclusive enforcement authority of CTDPA, with violations constituting unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA).

The Solution

Securiti promises thorough compliance with the Connecticut Privacy Act thanks to its PI data discovery, DSR automation, documented accountability, and AI-process automation features, among others.

These data solutions and a plethora of similar solutions, backed up by state-of-the-art artificial intelligence and machine-learning-based algorithms, make Securiti an ideal option for organizations that want to achieve effective and efficient compliance with the CTDPA.

Connecticut Data Privacy Act Compliance

Request a demo today to learn how Securiti can aid you and your organization's compliance efforts.


 

Assess Readiness

Sections: 2, 6(a), 6(b), 10(f)

Automate and schedule regular internal assessments of various internal data-related activities and mechanisms to maintain a real-time update related to their effectiveness and identify potential gaps and blindspots, allowing for timely adjustments if necessary.

CTDPA assessment
CTDPA Data Subject Request Workbench

Automate Consumer Data Request Handling

Sections: 4, 5

Organizations can easily automate the process related to data access requests while being compliant with the law.

Secure Fulfillment of Data Access & Porting Requests

Sections: 4(a)(1), 4(a)(4)

Automate the fulfillment of any and all users' data access requests while maintaining real-time updates on the status of each request via the central dashboard.

CTDPA Data Access Request Management
CTDPA data rectify request

Automate Processing of Rectification Requests

Sections:4(a)(2)

Automate the fulfillment of any and all users' data rectification requests while maintaining real-time updates on the status of each request via the central dashboard.

Automate Erasure/Destroy/Anonymize Requests

Section: 4(a)(3)

Automate the fulfillment of any and all users' data deletion requests while maintaining real-time updates on the status of each request via the central dashboard.

CTDPA data erasure request
CTDPA Cookie Consent Configuration

Automate Opt-out/GPC Requests

Sections: 4(c)(4), 6(e)(1)(A)(i), 6(e)(1)(A)(ii), 6(e)(1)(B), 6(e)(2)

Automate the fulfillment of any and all users' opt-out requests while maintaining real-time updates on the status of each request via the central dashboard and honoring the browser preference settings enabled by the user.

Automate Data Protection Impact Assessment (DPIA)

Sections: 7(a)(3), 8

Automate the execution of a data protection impact assessment (DPIA) to ensure it is conducted at regular intervals, giving you ample time, data, and insights to take appropriate actions.

CTDPA Data Protection Impact Assessment
CTDPA Universal Consent Management

Monitor & Track Consent

Sections: 1(6), 6(a)(2), 6(a)(4), 6(a)(6), 6(a)(7)

Organizations can monitor users' consent for various data processing activities via the central dashboard. This ensures that all data collection complies with the data protection requirements while guaranteeing no illegal transfers, sharing, or selling of data not consented to by the user occurs.

Automate Records of Processing Activities

Section: 4(c)(5)(A)

Automate the recording of all internal processing activities to aid in future DPIA and regulatory documentation needs.

CTDPA Records of Processing
CTDPA breach response notification

Automate Data Breach Response Notifications

Sections: 7(a)(2), 9(e)

Connecticut General Statutes Section 36a-701b
Organizations can implement and automate every step of their data breach incident response plan to ensure a proactive approach is adopted, resulting in minimal damage.

Manage Vendor Risk

Sections: 6(d), 7, 10(d)

Organizations can easily track all their vendors' data processing activities to ensure their practices comply with the law.

CTDPA manage vendor risk
CTDPA Privacy Notice Management

Privacy Policy & Notice Management

Sections: 4(b), 6(c), 6(e)

Generate privacy policies that comply with the appropriate data protection laws in informing the users about the data collection practices of the organization while also automating any notice requirements.

Assess Data Protection Measures & Enable Appropriate Security Controls

Sections: 6(a)(3), 7(a)(2), 10(a)(9)

Assess all implemented internal data protection measures' effectiveness and make any relevant changes, additions, and adjustments necessary for the appropriate degree of protection.

CTDPA data protection assessment
ctdpa data mapping overview

Map Data to Discover & CatalogSensitive Personal Information

Sections: 1(27), 8(a)(4)

Automate all incoming and outgoing data transfers in real-time to ensure all transfers are compliant with the appropriate data protection requirements.

Automate Data Classification & Labeling

Sections: 1(13), 8(b), 9(a), 9(b), 9(e)

Automate the data classification and labeling process to get better insights related to all personal and sensitive data assets.

ctdpa data classification

Key Rights Under CTDPA

Here are the rights guaranteed to all Connecticut residents by the CTDPA:

Right to Access

All consumers have the right to know and confirm whether or not a controller is processing the consumer's personal data and accessing this personal data unless such confirmation or access would require the controller to reveal a trade secret.


Right to Correction

All consumers have the right to correct inaccuracies in their personal data that may have become outdated/incomplete/obsolete since its collection, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.


Right to Deletion

All consumers have the right to request the deletion of all their data collected for the purposes of the processing.


Right to Copy

All consumers have the right to obtain a copy of the consumer's personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that can be used to transmit the data to another controller without any unnecessary hindrance.


Right to Opt-Out of the Processing

All consumers have the right to opt out of any processing of their data related to targeted advertising, sale of their personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Facts To Know About the CTDPA

Here are something important facts to know about the CTDPA:

1

Non-profit organizations, higher education institutes, national securities associations, financial institutions subject to the Gramm–Leach–Bliley Act (GLBA), and state bodies, authorities, boards, bureaus, commissions, districts, and agencies are exempt from the CTDPA;

2

CTDPA does not apply to certain information such as protected health information, patient identification, information used for public health activities, personal data regulated by Family Educational Rights and Privacy Act, and data processed and controlled under Farm Credit Act, etc.;

3

A controller must respond to all consumer rights requests without undue delay but not later than forty-five (45) days after receiving the request;

4

The controller may request forty-five (45) additional days extension if reasonably necessary to respond to consumer rights requests;

5

A controller may charge the consumer a reasonable fee to cover the administrative costs of complying with consumer requests if they are manifestly unfounded, excessive, or repetitive;

6

All controllers are required to have a privacy policy on their website that includes the categories of personal data processed by the controller, the purpose for processing personal data, how consumers may exercise their consumer rights, the categories of personal data that the controller shares with third parties, the categories of third parties, if any, with which the controller shares personal data, and an active electronic mail address or other online mechanisms that the consumer may use to contact the controller;

7

All controllers must conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer;

8

During the period beginning on July 1, 2023, and ending on December 31, 2024, the Attorney General shall, before initiating any action for a violation of the CTDPA, issue a notice of violation to the controller if the Attorney General determines that a cure is possible;

9

The controller will have sixty (60) days from the receipt of the notice to cure any violation.

IDC MarketScape

Securiti named a Leader in the IDC MarketScape for Data Privacy Compliance Software

Read the Report

What's
New