On April 28, 2022, the Connecticut House of Representatives joined the Connecticut Senate in passing the Connecticut Data Privacy Act (CTDPA), which now heads to Governor Ned Lamont for signature. Governor Lamont is expected to sign the bill (Senate Bill 6), making Connecticut the fifth state to pass a consumer privacy law.
CTDPA would apply to businesses that:
Conduct business in Connecticut or produce products or services targeted to Connecticut residents and
Either (1) control or process the personal data of at least 100,000 residents annually or (2) derive over 25% of its gross revenue from the “sale” of personal data and control or process the personal data of at least 25,000 residents annually.
As with other state laws, CTDPA contains broad exceptions for certain entities and data categories, including government entities, nonprofits, higher education institutions, national securities associations and information and entities regulated by both the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act. It also exempts personal data collected about employees and business contacts.
CTDPA, which would take effect on July 1, 2023, includes many of the same rights, obligations and exceptions that have become common in other consumer privacy laws and proposals:
The “personal data” protected by CTDPA includes information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified data or publicly available information.
CTDPA requires opt-in consent for the collection and processing of “sensitive” information, which includes information revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data and precise geolocation data.
CTDPA would provide consumers with the familiar rights of notice, access, portability, correction and deletion. Certain rights, however, are qualified by reasonable business-use exemptions such as detecting fraud and complying with a company’s legal obligations, while others (like the right to delete) are broader than we have seen in other states.
Like other laws, CTDPA would allow consumers to opt out of the use of their information for certain purposes, including targeted advertising, the sale of personal data and automated profiling decisions that “produce legal or similarly significant effects concerning the consumer.” Beginning in 2025, consumers may exercise their right to opt out by using a global opt-out device setting.
CTDPA requires businesses to obtain opt-in consent from children under the age of 16 before selling their personal data or using it for targeted advertising. Businesses that comply with the verifiable consent requirements of the Children’s Online Privacy Protection Act would be deemed compliant with the parental consent obligations contained in CTDPA.
Consumers will have the right to appeal a denial of a consumer request, which mimics the rights to appeal provided under Colorado and Virginia laws.
CTDPA would be exclusively enforced through actions by the Connecticut Attorney General. Until December 31, 2024, there is a 60-day cure period for alleged violations. Beginning January 1, 2025, a cure period is granted at the discretion of the Connecticut Attorney General.