Connecticut Data Privacy Act (CTDPA)

    Overview

    The Connecticut Data Privacy Act (CTDPA)  is a state law focused on protecting the privacy of personal data of Connecticut residents and regulating how businesses handle such information. Enacted in May 2022, and effective July 1, 2023, it aims to enhance consumer rights and ensure transparency and accountability in data practices and aligns with privacy laws in states like California and Utah.

     

     

    Regulation Summary

    Timeline
    • May 10, 2022: CTDPA signed into law by Governor Ned Lamont.
    • July 1, 2023: CTDPA became enforceable.
    • January 1, 2025: Requirements for opt-out preference signals become effective.
    What Businesses Are Affected
    • Businesses conducting operations in Connecticut or targeting Connecticut residents.
    • Thresholds for Applicability:
      • Control or process the personal data of 100,000 or more consumers annually.
      • Control or process the personal data of 25,000 or more consumers and derive 25% or more of gross revenue from data sales.
    Exemptions
    • Government entities, nonprofit organizations, and higher education institutions.
    • Entities regulated by HIPAA, GLBA, COPPA, and other federal laws.
    • Personal data used for employment-related or publicly available purposes.
    Responsibilities for Businesses
    • Data Minimization: Collect only data necessary for disclosed purposes.
    • Transparency: Provide privacy notices detailing data collection, use, and sharing practices.
    • Opt-Out Mechanisms: Allow consumers to refuse targeted advertising, data sales, or profiling.
    • Sensitive Data Consent: Obtain explicit consent before processing sensitive personal data.
    • Data Security: Implement safeguards proportional to the volume and sensitivity of personal data.
    Specific Responsibilities for Website Owners
    • Establish a designated request address for consumer rights inquiries.
    • Respond to verified consumer requests within 45 days, extendable by another 45 days if necessary.
    • Display clear and accessible privacy notices.
    Additional Requirements
    • Data Protection Assessments: Required for activities such as targeted advertising, data sales, and profiling.
    • Opt-Out Preference Signals: By January 1, 2025, businesses must honor opt-out signals sent via browser settings or similar technologies.
    Data Subject Rights
    • Access: Confirm data processing and obtain copies of personal data.
    • Correction: Rectify inaccuracies in personal data.
    • Deletion: Request deletion of personal data.
    • Portability: Receive data in a machine-readable format.
    • Opt-Out: Refuse targeted advertising, data sales, or profiling.
    Enforcement
    • Enforced by the Connecticut Attorney General.
    • Cure Period: 60 days to address violations until January 1, 2025.
    • Penalties: Violations constitute unfair trade practices under Connecticut law, with fines of up to $5,000 per violation.
    • No private right of action.
    illustration of contact means

    Questions?

    If you would like to learn more, our compliance experts are happy to support you..

    Leave us a Message
    support@clym.io
    +1 980 446 8535 +1 866 275 2596