Connecticut’s new consumer privacy law imposes enhanced privacy disclosures and assessment requirements on businesses, and provides consumer rights similar to those in Europe’s GDPR, the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (ColoPA), and the Utah Consumer Privacy Act (UCPA).

Scheduled to take effect on July 1, 2023, the “Act Concerning Personal Data Privacy and Online Monitoring” (the Connecticut Data Privacy Act or CTDPA) largely aligns with Virginia, Colorado, and Utah (but deviates from California) by excluding a private right of action and providing an entity-level exemption for businesses regulated by the Gramm Leach Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA).

Businesses already complying with these state privacy laws (and/or the GDPR) should be well-positioned for compliance with the CTDPA requirements, including Connecticut’s requirement to: (1) obtain “freely given, specific, informed and unambiguous” consent to process certain sensitive personal information; and (2) prepare data privacy assessments for certain processing, as discussed below.

Jurisdiction

Like the other enhanced privacy laws, the CTDPA has extraterritorial reach, applying to in-state businesses as well as out-of-state businesses that produce products or services that are targeted to residents of Connecticut and which during the preceding calendar year:

  • controlled or processed the personal data of not less than 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • controlled or processed the personal data of not less than 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.

Notably, like the ColoPA, there is no annual revenue threshold, unlike the CPRA and UCPA, which means even smaller businesses will fall within the scope of the CTDPA. In addition, the CTDPA will apply to businesses that derive just 25% (as opposed to 50% under the UCPA, CPRA, and VCDPA) of their revenue from the sale of personal data.

Exemptions

Similar to the UCPA, ColoPA, and VCDPA, the CTDPA exempts entities regulated by the GLBA. In addition, similar to UCPA and VCDPA, the CTDPA exempts covered entities and business associates regulated by HIPAA. Like all other enhanced state privacy laws, the CTDPA exempts specific data subject to GLBA, HIPAA, and the Fair Credit Reporting Act (FCRA).

Put another way, most financial institutions and healthcare institutions will not have to worry about Connecticut’s new privacy law, but they will still have to comply with California’s privacy law for data that does not fall under GLBA or HIPAA, including cookie and employee data.

Like the ColoPA, VCDPA, and UCPA, the CTDPA does not apply to individuals acting in a commercial or employment context. The CCPA currently excludes employment and B2B information, but that exclusion is set to expire on January 1, 2023 as the CPRA goes into effect.

Additionally, businesses that comply with parental consent requirements of the Children’s Online Privacy Protection Act (COPPA) will be deemed compliant with any obligations to obtain parental consent under the CTDPA.

Privacy disclosures

As with the other states, the CTDPA requires controllers (individuals or entities that determine the purpose and means of processing personal data) to provide consumers with a privacy notice. The notice must include the following elements:

  • categories of personal data processed by a controller;
  • purpose(s) for processing personal data;
  • how consumers can exercise their rights, including how they can appeal a controller’s decision;
  • categories of personal data, if any, that the controller shares with third parties;
  • the categories of third parties, if any, with which the controller shares personal data; and
  • an active email address or other online mechanisms the consumer can use to contact the controller.

Consumer rights

Consumers, defined as residents of Connecticut, have comparable rights to those with other enhanced state privacy laws, including the:

  • Right to access (the right to confirm whether a controller is processing their personal data and the right to access such personal data);
  • Right to correct inaccuracies in personal data (note that the CPRA includes this right effective January 1, 2023 but the UCPA does not include it);
  • Right to delete personal data provided by, or obtained about, the consumer;
  • Right to portability (the right to obtain a copy of personal data processed by a controller, in a portable and readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means); and the
  • Right to opt-out of the processing of personal data for the purposes of (1) targeted advertising; (2) the sale of personal data; and (3) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer (note that the UCPA does not contain this right).

Controllers are also prohibited from discriminating against consumers for exercising their rights.

Consent to process sensitive data

Connecticut, like Colorado and Virginia, prohibits the processing of sensitive data without obtaining the consumer’s “freely given, specific, informed and unambiguous” consent. Consent may include a written statement, including by electronic means, or any other unambiguous affirmative action; but it does not include: (1) acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information; (2) hovering over, muting, pausing or closing a given piece of content; or (3) agreements obtained through the use of dark patterns.

In addition, controllers must not process sensitive data of children unless it is processed in compliance with COPPA.

Sensitive data includes: (1) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; (2) genetic or biometric data; (3) children’s personal data; and (4) precise geolocation data.

The CPRA, ColoPA, VCDPA, and UCPA all have similar definitions of sensitive data. However, the CPRA has a broader definition of “sensitive personal information,” including additional data elements such as a consumer’s social security number; the contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication; and a consumer’s account log-in with any required password.

Note that under the CPRA, consumers can direct businesses to limit the use of their sensitive personal information and businesses must notify consumers of any additional uses (essentially an opt-out). Similarly, under the UCPA, businesses simply must notify consumers of the use of sensitive personal data, and provide an opt-out right.

Sale of data, targeted advertising, profiling & opt-out

If a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must:

  • clearly and conspicuously disclose such processing as well as the manner in which a consumer can opt-out of such processing;
  • provide a clear and conspicuous link on its website allowing consumers to opt-out; and
  • no later than January 1, 2025, allow consumers to opt-out through an opt-out preference signal sent, with the consumer’s consent, by a platform/technology/mechanism to the controller indicating the consumer’s intent to opt-out.

The CTDPA opts for the broader definition of sale as included within the CCPA and ColoPA, considering an exchange for “other valuable consideration” to also constitute a sale, unlike in Virginia and Utah which requires monetary consideration.

With respect to children between the ages of 13 and 16, controllers are prohibited from selling their personal data or processing their personal data for targeted advertising without parental consent.

The CPRA, ColoPA, and VCDPA also permit consumers to opt-out of the sale of their data and the processing of their data for targeted advertising or profiling. The UCPA permits consumers to opt-out of the sale of their data and targeted advertising but does not include the concept of profiling.

Notably, similar to the CPRA, the CTDPA requires a business to provide a link on its website allowing consumers to exercise these rights.

Data protection assessments

For each of their processing activities that present a heightened risk of harm to consumers, controllers must conduct and document a data protection assessment. Processing that presents a heightened risk of harm includes:

  • processing personal data for targeted advertising;
  • sale of personal data;
  • processing personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of (1) unfair or deceptive treatment of, or unlawful disparate impact on, consumers (2) financial, physical, or reputational injury to consumers (3) a physical or other intrusion upon the private affairs of consumers or (4) other substantial injury to consumers; and
  • processing of sensitive data.

Profiling is defined as any form of automated processing performed on personal data to evaluate, analyze or predict personal aspects related to an identified or identifiable individual’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

The data protection assessments need to identify and weigh the benefits that may flow, “directly and indirectly,” from the processing to the controller, the consumer, other stakeholders and the public against the “potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks.”

The ColoPA and VCDPA also require data protection assessments for certain processing. Under the CPRA, the CA Attorney General (AG) is charged with issuing regulations requiring businesses that engage in high-risk processing to submit “risk assessments” to the California Privacy Protection Agency on a regular basis. Notably, however, the UCPA does not require data protection assessments.

Data processing agreements

Similar to the requirements of the other four states and Article 28(3) of the GDPR, the CTDPA requires that controllers and processors enter into a contract governing the processing of personal data by the processor. The contract must include instructions for processing data, the nature and purpose of the processing, the type of data being processed, the duration of the processing, and the rights and obligations of both parties. The contract must also include specific requirements for the processor, including:

  1. keeping data confidential;
  2. at the controller’s direction, deleting or returning all data at the end of the services unless prohibited by law;
  3. providing the controller with information regarding the processor’s compliance with the law;
  4. after providing the controller an opportunity to object, engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the obligations of the processor; and
  5. allowing, and cooperating with, reasonable assessments by the controller, or the processor can arrange for a qualified and independent assessor to conduct an assessment of its compliance with the CTDPA.

Additionally, processors must follow the instructions of the controller and assist the controller in meeting its obligations under the law.

Generally, the ColoPA, VCDPA, and UCPA require the same provisions within data processing agreements as those enumerated in the CTDPA. However, the UCPA does not require processors to delete or return data; provide information regarding compliance; or allow, cooperate with, or conduct assessments.

While the CPRA shares some similarities with the other states, it has several unique requirements related to such agreements (although many of them are essentially duplicative of other requirements). For example, among other unique requirements, the contract must prohibit the contractor from: (1) selling or sharing personal information; (2) retaining, using, or disclosing personal information for any purpose other than for the business purpose specified in the contract; (3) retaining, using, or disclosing the information outside of the direct business relationship between the contractor and the business; and (4) combining the personal information that the contractor receives with other personal information it receives or collects, subject to some regulatory exceptions.

Data security requirements

All of the state data privacy laws include requirements around data security. Under the CTDPA, controllers must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue.

Right to appeal

Connecticut consumers have the right to appeal a controller’s decision regarding their rights. If a controller decides that it will not take action with regard to a consumer request, within 45 days of receiving the request, the controller must inform the consumer of its decision, and explain why and how the consumer can appeal.

Controllers must establish a process for consumers to appeal. The appeal process should be similar to the process for submitting requests and included in the privacy notice. Within 60 days of receiving an appeal, controllers shall inform the consumer, in writing, of any action taken or not taken and the associated reasoning. If an appeal is denied, the controller shall provide the consumer with an online mechanism, if available, or other methods through which the consumer can submit a complaint to the Connecticut Attorney General (AG).

The ColoPA and VCDPA grant a similar right to appeal.

Enforcement

As with the other enhanced state privacy laws, with the notable exception of the CCPA/CPRA which provides a limited private right of action in the data breach context, there is no private right of action under the CTDPA.

The Connecticut AG has exclusive authority to enforce violations of law. Between July 1, 2023, and December 31, 2024, before initiating an enforcement action against a controller, the AG will send the controller a notice of violation and provide a 60-day cure period. If the controller is unable to cure the violation, the AG may bring an action.

Beginning on January 1, 2025, the AG may consider a number of factors, enumerated in the law, when determining whether to allow the chance to cure a violation. Such factors include the number of violations, the size and complexity of the entity, the nature and extent of the processing activities, the substantial likelihood of injury to the public, the safety of persons or property, and whether such alleged violation was likely caused by human or technical error.

Conclusion

State convergence around enhanced privacy disclosures and rights continues to grow, and we should expect more states to follow suit. In light of these US and global trends, businesses should consider capturing the efficiencies and relative administrative ease of implementing unified, multi-jurisdictional privacy notices in light of current, impending and even emerging privacy laws.