On May 10, 2022, Connecticut’s Senate Bill 6 titled “An Act Concerning Personal Data Privacy and Online Monitoring” (CTDPA) was signed by Governor Ned Lamont, making Connecticut the fifth state to enact its own comprehensive consumer privacy law, after California, Colorado, Utah and Virginia.[1]
Does CTDPA Cover My Organization?
CTDPA, which takes effect on July 1, 2023, applies to individuals and entities that conduct business in the state of Connecticut or produce products or services targeted to Connecticut residents, if they control or process personal data of at least (i) 100,000 Connecticut consumers or (ii) 25,000 Connecticut consumers, if they derive more than 25% of their gross revenue from the sale of personal data. Unlike in California, CTDPA does not automatically cover businesses with revenues above a certain threshold.
Exempt entities include (i) state and local governments; (ii) nonprofits; (iii) higher education institutions; (iv) registered national securities associations; (v) financial institutions and data subject to the Gramm-Leach-Bliley Act; and (vi) Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates. Exemptions also exist for 16 data categories, including protected health information under HIPAA, information subject to the Fair Credit Reporting Act, de-identified data and employee and job applicant data. Further, CTDPA excludes payment transaction data, publicly available data and data from individuals “acting in a commercial or employment context.”
Does My Organization Already Comply?
If your organization complies with the California Consumer Privacy Act (CCPA) and the EU or UK General Data Protection Regulation (GDPR) and is prepared for compliance with the California Privacy Rights Act (CPRA) and the Virginia and Colorado privacy statutes, it already substantially complies with CTDPA, because your organization should already:
- Make multiple disclosures about how and why it processes and discloses personal data;
- Have a process set up to allow consumers to exercise their “opt out” rights in certain circumstances (including personal data “sales” and targeted advertising) and display contact information for submitting consumer requests in its privacy policy;
- Use reasonable data security practices;
- Not collect or process personal data unnecessarily, discriminate against consumers for exercising their legal data rights, or process “sensitive data”[2] without opt-in consent;
- Conduct data protection assessments when processing sensitive data, selling data, or conducting targeted advertising or profiling in certain circumstances;
- Include necessary data privacy terms in all relevant vendor contracts; and
- Have contracts with all of its processors that lay out the parties’ obligations with respect to personal data.[3]
What Else Is To Be Done?
CTDPA requires opt-in consent to sell, or to process for targeted advertising, the personal data of individuals who are 13-16 years old; this is similar to the CPRA, which requires similar consents for consumers under 16. (For persons under 13, CTDPA requires personal data to be processed in compliance with the Children’s Online Privacy Protection Act (COPPA).) For CTDPA-covered organizations, your website privacy policy must also alert Connecticut residents as to their CTDPA rights.
Remedies
Violating CTDPA is considered an unfair trade practice under the Connecticut Unfair Trade Practices Act (CUTPA), but there is no private right of action. The Connecticut Attorney General (AG) may seek equitable remedies under CUTPA and/or damages up to $5,000 per willful violation. Until December 31, 2024, there is a mandatory 60-day cure period before the AG can take action, and after such date, the cure period is at the AG’s discretion.
[1] This memorandum is a high-level summary of the new law. For detailed questions, please consult one of the authors.
[2] E.g., data relating to race, ethnic origin, religion, health, sexual orientation, citizenship or immigration status, genetic or biometric data, geolocation data or data relating to children.
[3] These required provisions are substantially similar to those cited in Virginia and Colorado’s forthcoming consumer privacy laws.