Connecticut Data Privacy Act
Operationalize CTDPA Compliance with PrivacyOps Platform
Last Updated on November 7, 2023
Privacy Center
Fully Functional In Minutes
Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere.
Email already in use
Looks like this email is already registered with an existing account.
Unexpected error occurred
Looks like there was an error completing your request, Please contact us here for further support.
Please do not close this window while we process your request
In the absence of a comprehensive federal data privacy law within the United States, states have taken it upon themselves to provide appropriate protection for their residents' data. In May 2022, Connecticut became the fifth state after California, Colorado, Virginia, and Utah to pass its own comprehensive data privacy regulation.
Senate Bill 6, known as Public Act No. 22-15 and "An Act Concerning Personal Data Privacy and Online Monitoring," was signed into law by Connecticut Governor Ned Lamont. The Connecticut Data Privacy Act (CTDPA), as it has come to be known since then, will come into effect on July 1, 2023, with additional obligations such as the requirement to recognize universal opt-out becoming effective on January 1, 2025.
The CTDPA shares several similarities with its sister regulations passed in Colorado, Virginia, Utah, and California. It applies to data controllers and processors who offer products and services to Connecticut residents and control or process the personal data of at least 100,000 consumers annually or derive over 25 percent of their gross revenue from the sale of personal data while controlling or processing the personal data of 25,000 or more consumers.
The Connecticut Attorney General has exclusive enforcement authority of CTDPA, with violations constituting unfair trade practices under the Connecticut Unfair Trade Practices Act (CUTPA).
The Solution
Securiti promises thorough compliance with the Connecticut Privacy Act thanks to its PI data discovery, DSR automation, documented accountability, and AI-process automation features, among others.
These data solutions and a plethora of similar solutions, backed up by state-of-the-art artificial intelligence and machine-learning-based algorithms, make Securiti an ideal option for organizations that want to achieve effective and efficient compliance with the CTDPA.
Request a demo today to learn how Securiti can aid you and your organization's compliance efforts.
Assess Readiness
Sections: 2, 6(a), 6(b), 10(f)
Automate and schedule regular internal assessments of various internal data-related activities and mechanisms to maintain a real-time update related to their effectiveness and identify potential gaps and blindspots, allowing for timely adjustments if necessary.
Automate Consumer Data Request Handling
Sections: 4, 5
Organizations can easily automate the process related to data access requests while being compliant with the law.
Secure Fulfillment of Data Access & Porting Requests
Sections: 4(a)(1), 4(a)(4)
Automate the fulfillment of any and all users' data access requests while maintaining real-time updates on the status of each request via the central dashboard.
Automate Processing of Rectification Requests
Section: 4(a)(2)
Automate the fulfillment of any and all users' data rectification requests while maintaining real-time updates on the status of each request via the central dashboard.
Automate Erasure/Destroy/Anonymize Requests
Section: 4(a)(3)
Automate the fulfillment of any and all users' data deletion requests while maintaining real-time updates on the status of each request via the central dashboard.
Automate Opt-out/GPC Requests
Sections: 4(c)(4), 6(e)(1)(A)(i), 6(e)(1)(A)(ii), 6(e)(1)(B), 6(e)(2)
Automate the fulfillment of any and all users' opt-out requests while maintaining real-time updates on the status of each request via the central dashboard and honoring the browser preference settings enabled by the user.
Automate Data Protection Impact Assessment (DPIA)
Sections: 7(a)(3), 8
Automate the execution of a data protection impact assessment (DPIA) to ensure it is conducted at regular intervals, giving you ample time, data, and insights to take appropriate actions.
Monitor & Track Consent
Sections: 1(6), 6(a)(2), 6(a)(4), 6(a)(6), 6(a)(7)
Organizations can monitor users' consent for various data processing activities via the central dashboard. This ensures that all data collection complies with the data protection requirements while guaranteeing no illegal transfers, sharing, or selling of data not consented to by the user occurs.
Automate Records of Processing Activities
Section: 4(c)(5)(A)
Automate the recording of all internal processing activities to aid in future DPIA and regulatory documentation needs.
Automate Data Breach Response Notifications
Sections: 7(a)(2), 9(e)
Connecticut General Statutes Section 36a-701b
Organizations can implement and automate every step of their data breach incident response plan to ensure a proactive approach is adopted, resulting in minimal damage.
Manage Vendor Risk
Sections: 6(d), 7, 10(d)
Organizations can easily track all their vendors' data processing activities to ensure their practices comply with the law.
Privacy Policy & Notice Management
Sections: 4(b), 6(c), 6(e)
Generate privacy policies that comply with the appropriate data protection laws in informing the users about the data collection practices of the organization while also automating any notice requirements.
Assess Data Protection Measures & Enable Appropriate Security Controls
Sections: 6(a)(3), 7(a)(2), 10(a)(9)
Assess all implemented internal data protection measures' effectiveness and make any relevant changes, additions, and adjustments necessary for the appropriate degree of protection.
Map Data to Discover & CatalogSensitive Personal Information
Sections: 1(27), 8(a)(4)
Automate all incoming and outgoing data transfers in real-time to ensure all transfers are compliant with the appropriate data protection requirements.
Automate Data Classification & Labeling
Sections: 1(13), 8(b), 9(a), 9(b), 9(e)
Automate the data classification and labeling process to get better insights related to all personal and sensitive data assets.
Key Rights Under CTDPA
Here are the rights guaranteed to all Connecticut residents by the CTDPA:
Right to Access
All consumers have the right to know and confirm whether or not a controller is processing the consumer's personal data and accessing this personal data unless such confirmation or access would require the controller to reveal a trade secret.
Right to Correction
All consumers have the right to correct inaccuracies in their personal data that may have become outdated/incomplete/obsolete since its collection, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data.
Right to Deletion
All consumers have the right to request the deletion of all their data collected for the purposes of the processing.
Right to Copy
All consumers have the right to obtain a copy of the consumer's personal data processed by the controller in a portable and, to the extent technically feasible, readily usable format that can be used to transmit the data to another controller without any unnecessary hindrance.
Right to Opt-Out of the Processing
All consumers have the right to opt out of any processing of their data related to targeted advertising, sale of their personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
Facts To Know About the CTDPA
Here are something important facts to know about the CTDPA:
Non-profit organizations, higher education institutes, national securities associations, financial institutions subject to the Gramm–Leach–Bliley Act (GLBA), and state bodies, authorities, boards, bureaus, commissions, districts, and agencies are exempt from the CTDPA;
CTDPA does not apply to certain information such as protected health information, patient identification, information used for public health activities, personal data regulated by Family Educational Rights and Privacy Act, and data processed and controlled under Farm Credit Act, etc.;
A controller must respond to all consumer rights requests without undue delay but not later than forty-five (45) days after receiving the request;
The controller may request forty-five (45) additional days extension if reasonably necessary to respond to consumer rights requests;
A controller may charge the consumer a reasonable fee to cover the administrative costs of complying with consumer requests if they are manifestly unfounded, excessive, or repetitive;
All controllers are required to have a privacy policy on their website that includes the categories of personal data processed by the controller, the purpose for processing personal data, how consumers may exercise their consumer rights, the categories of personal data that the controller shares with third parties, the categories of third parties, if any, with which the controller shares personal data, and an active electronic mail address or other online mechanisms that the consumer may use to contact the controller;
All controllers must conduct and document a data protection assessment for each of the controller's processing activities that presents a heightened risk of harm to a consumer;
During the period beginning on July 1, 2023, and ending on December 31, 2024, the Attorney General shall, before initiating any action for a violation of the CTDPA, issue a notice of violation to the controller if the Attorney General determines that a cure is possible;
The controller will have sixty (60) days from the receipt of the notice to cure any violation.
At Securiti, our mission is to enable enterprises to safely harness the incredible power of data and the cloud by controlling the complex security, privacy and compliance risks.
Copyright © 2023 Securiti · Sitemap · XML Sitemap
Newsletter
Resources
Get in touch
info@securiti.ai
Securiti, Inc.
300 Santana Row
Suite 450
San Jose, CA 95128
