Iubenda logo
Generér

Dokumentation

Indhold

Connecticut Data Privacy Act (CTDPA)

On May 10, 2022, Connecticut Governor Ned Lamont signed into law Senate Bill No. 6, An Act Concerning Personal Data Privacy and Online Monitoring, also known as the Connecticut Data Privacy Act (CTDPA), joingin California(CCPA), (CPA), Virginia (VCDPA), Utah (UCPA), and, Connecticut (CTDPA), with comprehensive data privacy laws

The CTDPA took effect on July 1, 2023 and will affect persons that do business in Connecticut or provide products/services to residents of Connecticut. In other words, your organization does not need to be located in Connecticut to be affected by the CTDPA. 

⏰ Short on time? Jump to what you need to do to prepare for the CTDPA →

Overview of the Connecticut Data Privacy Act

The CTDPA is a new comprehensive privacy law in Connecticut that was signed into law on May 10, 2022, and becomes effective on July 1, 2023. 

This law requires you to provide consumers with clear and meaningful privacy notices that include information on personal data processing, purposes, consumer rights, and third-party sharing, among other requirements. The law also requires you to obtain prior consent for the processing of sensitive data, the processing of personal data for targeted advertising or sale (whenever the consumer is at least 13 but younger than 16), and to provide consumers with opt-out links for targeted advertising or sale.

Consumers in Connecticut will have enhanced rights to, among others, access, correct and delete, their personal data under this law, and you must conduct data protection assessments and provide an easy way for consumers to withdraw their consent. 

The law also sets a deadline of January 1, 2025 for businesses to respect consumer opt-out preference signals.

The CTDPA is similar to other comprehensive privacy laws in other states, such as the Virginia Consumer Data Privacy Act (VCDPA), and focuses on protecting consumer data privacy and giving consumers control over their personal information.

🔎 Keep reading to learn more about the upcoming changes in Connecticut, or jump to what you need to do to prepare for the CTDPA → 

What is considered personal data under the CTDPA?

Under the Connecticut Data Privacy Act (CTDPA), “personal data” is defined as any information that is linked or reasonably linkable to an identified or identifiable individual. This includes any data that can be used to identify an individual, such as a name, address, phone number, email address or social security number. However, the definition of personal data does not include de-identified data or publicly available information.

Will you be affected by the CTDPA?

Whether your organization will be affected by the Connecticut Data Privacy Act (CTDPA) depends on whether it meets certain criteria. Specifically, the provisions of the Act apply to persons that conduct business in Connecticut or produce products or services that are targeted to Connecticut’s residents and that during the preceding calendar year:

  1. Controlled or processed personal data of at least 100,000 consumers (excluding personal data controlled or processed to exclusively complete a payment transaction); or
  2. Controlled or processed personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

If your organization meets either of these criteria, then it will be subject to the provisions of the CTDPA. 

Privacy Policy under the CTDPA

Connecticut’s new privacy law requires that you provide consumers with a clear and meaningful privacy notice that is reasonably accessible. Here’s a checklist of what needs to be included in your privacy policy to comply with the new law:

  • Categories of Personal Data: Your privacy policy must include a list of the categories of personal data that you process.
  • Purposes for Processing: Your privacy policy must clearly state the purposes for processing personal data. This includes any reason why you collect and use personal data, such as to fulfill a contract or provide a service.
  • Consumer Rights: Your privacy policy must explain how consumers can exercise their rights under the law. This includes how a consumer can access, correct, delete, or restrict the processing of their personal data. You must also include information on how a consumer can appeal a decision related to their request.
  • Third-Party Sharing: If you share personal data with third parties, your privacy policy must specify the categories of personal data that you share. 
  • Third-Party Categories: Your privacy policy must also specify the categories of third parties with which you share personal data.
  • Contact Information: Your privacy policy must provide an active electronic mail address or other online mechanism that consumers can use to contact you with questions or concerns about their personal data.
  • Sale or Targeted Advertising: If you process personal data for the purposes of sale or targeted advertising, your privacy policy must clearly and conspicuously disclose this fact. You must also provide information on how consumers can exercise their right to opt out of such processing.

By following this checklist and including all the required information in your privacy policy, you can ensure that you comply with Connecticut’s new privacy law and provide consumers with the transparency and control they need to protect their personal data.

🚀 Did you know?

iubenda’s Privacy and Cookie Policy Generator allows you to add all currently required US state-level privacy disclosures in one simple click!

Simply click “Enable disclosures for Users residing in the United States” to activate the new US-specific clauses.

👉 Easily create your privacy policy for the upcoming CTDPA →

Consumer rights under the Connecticut Data Privacy Act

Under Connecticut’s new privacy law, consumers have several rights when it comes to their personal data. The following is a list of the consumer rights included in the law:

  1. Right to confirmation and access: Consumers have the right to confirm whether their personal data is being processed and to access that data, with some limited exceptions such as when such disclosure would reveal a trade secret.
  2. Right to correct inaccurate data: Consumers have the right to correct any inaccurate personal data.
  3. Right to delete personal data: Consumers have the right to request that their personal data be deleted.
  4. Right to data portability: Consumers have the right to request that their personal data be provided to them in a portable and easily accessible format, subject to technical feasibility and trade secret limitations.
  5. Right to opt out: Consumers have the right to opt out of the processing of their personal data for certain purposes, including:
    1. Targeted advertising
    2. Sale of personal data (with some limited exceptions)
    3. Profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
    4. /ol>

⚠️ If the personal data being processed belongs to a known child, the parent or legal guardian may exercise these consumer rights on behalf of the child.

You must provide your consumers with clear and accessible ways to exercise these rights. 
This means that you must have a mechanism in place for consumers to request access to, correction of, or deletion of their personal data. Additionally, you must provide consumers with a clear and accessible way to opt-out of the processing of their personal data for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

Sensitive Data under the Connecticut Data Privacy Act

Sensitive data refers to personal data that requires extra protection due to its potential impact on an individual’s privacy and fundamental rights. The Connecticut law recognizes the following types of sensitive data:

    <
  • Data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship, or immigration status. 
  • Genetic or biometric data processed for the purpose of uniquely identifying an individual. 
  • Personal data collected from a known child.
  • Precise geolocation data.

Opt-in under the CTDPA

⚠️ You are required to obtain consumer’s prior consent for the processing of consumers:

  • sensitive data; and 
  • personal data for purposes of targeted advertising or sale, if the consumer is at least 13 but younger than 16.

Opt-out links and a universal mechanism for submitting opt-out requests are important features of the CTDPA. Specifically, the Act requires you to provide a “clear and conspicuous link” on your website for consumers to opt out of the sale or targeted advertising of their personal data. This requirement takes the CTDPA a step closer to the CPRA model with reference to the processing for sale and targeted advertising.

Effective January 1, 2025, you must also allow consumers to opt out of the processing of their personal data for targeted advertising or sale through an opt-out preference signal sent via a platform, technology, or mechanism, with the consumer’s consent. 

This mechanism must:

  • not unfairly disadvantage other controllers,
  • require an affirmative and unambiguous choice from the consumer, 
  • be easy to use, 
  • be as consistent as possible with other similar mechanisms required by federal or state laws or regulations, and 
  • enable the controller to determine whether the consumer is a resident of Connecticut and has made a legitimate opt-out request.

It is essential that you comply with these opt-out requirements to ensure consumers have the ability to control their personal data and protect their privacy. If your business hasn’t started doing so already, you must respect opt-out preference signals, by January 1, 2025.

How to prepare for the Connecticut Data Privacy Act

The Connecticut Data Privacy Act (CTDPA) is a comprehensive privacy law that will significantly impact the way businesses collect, process, and share personal data of Connecticut residents. As the CTDPA took effect on July 1, 2023, businesses operating in Connecticut must start preparing now to comply with the new law.

✅ To prepare for the CTDPA, take the following steps:
  1. Review and update your privacy policy and website notice to ensure they are in compliance with the CTDPA’s requirements.
  2. Ensure that you have implemented reasonable security measures to protect personal data from unauthorized access, use, disclosure, or destruction.
  3. Establish and document processes for handling consumer requests.
  4. Obtain prior consent from consumers for processing sensitive personal data, and for processing personal datafor targeted advertising or sale.
  5. Provide a clear and conspicuous opt-out link on your website for consumers to opt out of targeted advertisingor sale of their personal data.
  6. By January 1, 2025, ensure that you have established an opt-out preference signal mechanism to allow consumers to opt out of the processing of their personal data for targeted advertising or sale.

Mitigate risks and demonstrate commitment to protecting your consumers’ privacy

Take action now