Connecticut’s New Consumer Privacy Law: What Businesses Should Know

June 3, 2022

On May 10, 2022, Connecticut’s Governor signed An Act Concerning Personal Data Privacy and Online Monitoring into law (the “CTDPA”), officially making Connecticut the fifth and most recent U.S. state to enact a comprehensive consumer privacy bill. The CTDPA becomes effective July 1, 2023, and it incorporates the now-familiar framework for “controllers” and “processors” of personal data found in the European Union’s privacy law, the GDPR.

The CTDPA defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable individual.” It excludes “de-identified data or publicly available information.” It creates an expansive category of “sensitive data” which applies to data that reveals “racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status,” as well as genetic or biometric data, personal data collected from a known child, and precise geolocation data.

The law applies to individuals and entities that conduct business in the state of Connecticut or target products or services to Connecticut and either:

  1. Controls or processes the personal data of at least 100,000 Connecticut consumers (except if the data is processed solely for completing a payment transaction); or

  2. Controls or processes the personal data of at least 25,000 Connecticut consumers and derives more than twenty-five percent of their gross revenue from the sale of personal data.

The CTDPA grants consumers the rights of data access, correction, portability, and deletion. It further grants consumers the right to opt-out of the processing of their personal data for purposes of targeted advertising, the sale of personal data (with limited exceptions), or profiling in furtherance of solely automated decision-making that produces legal or similarly significant effects concerning the consumer.

“Sale of personal data” means “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” There are several enumerated exceptions to the definition of sale, including, for example, disclosures by controllers to processors, disclosures related to providing products or services requested by consumer, as well as disclosures or transfers as an asset that is part of an actual or proposed merger, acquisition, bankruptcy, or other transaction.

Consistent with Colorado, Virginia, and Utah, the CTDPA does not include a private right of action. It instead vests sole enforcement authority with the Connecticut Attorney General. The Act includes a grace period, beginning on July 1, 2023, and ending on December 31, 2024, during which time organizations will be afforded notice and a 60-day opportunity to cure any alleged violations. Beginning January 1, 2025, the Attorney General has discretion to grant notice and an opportunity to cure. Violations of the law are considered a deceptive trade practice under the state Unfair and Deceptive Acts and Practices (UDAP) statute, and punishable by civil penalties of up to $5,000 plus actual and punitive damages and attorneys’ fees and costs.

Duties of Controllers

To comply with the Act, a controller shall:

  • limit the collection of personal data to what is “adequate, relevant and reasonably necessary” relative to the purposes of processing;

  • establish, implement, and maintain reasonable administrative, technical and physical data security practices;

  • obtain a consumer’s consent prior to processing that consumer’s sensitive data;

  • provide an effective mechanism to revoke the consumer’s consent;

  • cease processing the data within fifteen days of the receipt of a revocation of consent;

  • refrain from processing data of a without consent when the controller has actual knowledge that the consumer is between 13 and 16 years of age; and

  • clearly and conspicuously disclose processing, as well as how consumers may exercise their opt-out rights.

Controllers must further conduct and document data protection assessments for each of the controller’s processing activities that presents a heightened risk of harm to a consumer. Examples of such processing includes processing for targeted advertising purposes, the sale of personal data, the processing of sensitive data, and the processing of personal data for profiling purposes.

Duties of Processors

A processor must “adhere to the instructions of a controller” for processing, and shall assist the controller in meeting its obligations under the CTDPA. The processor and controller must execute a contract that:

  • clearly sets forth instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the parties’ rights and obligations;

  • requires the processor to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data;

  • requires deletion or return of all personal data by the processor at the direction of controller, unless retention of the data is otherwise required by law;

  • requires the processor to make available, upon the reasonable request of the controller, all information in its possession necessary to demonstrate the processor’s compliance with the obligations under the CTDPA;

  • permits the controller an opportunity to object prior to the processor engaging any subcontractor, and requires the processor and subcontractor to execute a written agreement to meet the obligations of the processor; and

  • requires the processor to allow, and cooperate with, reasonable assessments by either the controller or the controller’s designated assessor or an independent and qualified assessor.

Click here to view a downloadable PDF of the legal update.

This Data Security & Privacy Alert is intended to keep readers current on developments in the law.  It is not intended to be legal advice. If you have any questions, please contact Matthew Meade at 412.566.6983 or, or any other attorney at Eckert Seamans with whom you have been working.

Share This Post