July 24, 2024
Connecticut Passes America’s Fifth Data Privacy Law
State privacy laws are gaining momentum with the passage of the Connecticut Data Privacy Act. Get a brief introduction to the new legislation.

The momentum of states passing their own privacy laws is showing no signs of slowing down. The Connecticut legislature recently passed the Connecticut Data Privacy Act (CTDPA), which was then signed into law by Governor Ned Lamont. The CTDPA closely resembles Virginia’s Consumer Data Protection Act (CDPA), offering a similar set of rights to consumers and applying to businesses in much the same manner. With an effective date of July 1, 2023, it's a good idea to start getting familiar with its requirements. Here’s a quick rundown on the new law.

Who Must Comply with the Connecticut Data Privacy Act?

Borrowing terminology from the GDPR, most of the CTDPA’s rules apply to “controllers.” A controller is a person or legal entity that determines the purpose and means of processing consumers’ personal data. Contrast this with a “processor,” which is an entity that processes personal data on a controller’s behalf. For example, consider an online retail business that uses a marketing email vendor to send promotions to its customers. The retail business is a controller because it collects consumers’ email addresses and determines when and how to send emails to them; the email vendor is a processor because it only uses those email addresses on the retailer’s instructions.

However, not all controllers are required to comply with the CTDPA. First they must meet these minimum criteria:

  1. Conduct business in Connecticut or produce products or services that are targeted to state residents
  2. At least one of the following applies:
    • Control the personal data of at least 100,000 state residents in a calendar year, OR
    • Control the personal data of at least 25,000 state residents in a calendar year AND derive more than 25% of gross annual revenue from the sale of personal data

The first requirement applies pretty widely. Having a physical location in Connecticut clearly meets this condition, but so does merely selling goods online to people in Connecticut. For most businesses it is the second requirement, specifically the 100,000-consumer threshold, that is the critical test.

Many businesses assume the 100,000-consumer threshold doesn’t apply to them, but don’t be so quick to dismiss it. If your business has a website, it almost certainly processes personal data (e.g., IP addresses, cookies, etc.) from each one of its visitors. If you are getting just 8,400 unique visitors from Connecticut per month, that adds up to more than 100,000 over a calendar year and puts you over the mark.

The CTDPA also contains a number of entity-level and data-level exemptions. For example, governmental agencies, nonprofit organizations, financial institutions, and institutions of higher education are completely exempted from having to comply. Similarly, data that is already regulated by the Health Insurance Portability and Accountability Act (HIPAA) and the Fair Credit Reporting Act (FCRA) is also exempted.

Who Is Protected and What Rights Do They Have?

The CTDPA is designed to protect “consumers,” which means individuals who are Connecticut residents. The statute specifically states that “consumer” does not include an individual acting in a commercial or employment context, so employees and B2B contacts are excluded from the CTDPA, with no sunset on that exclusion. For consumers acting in their personal capacity, the CTDPA grants them a series of data privacy rights. These rights are:

  • Right of Access - Consumers have a right to confirm whether a controller is processing personal data about them and to access that data.
  • Right to Correct Inaccuracies - If controllers possess inaccurate personal data about a consumer, the consumer has a right to correct the inaccuracies.
  • Right to Delete - Consumers can request the deletion of their personal data, subject to some exceptions.
  • Right to Portability - Consumers have the right to obtain a copy of their data in a portable and readily usable format so that it may be transmitted to another controller.
  • Right to Opt Out - At any time, consumers can opt out of the processing of their personal data for the purposes of (1) targeted advertising, (2) the sale of personal data, and (3) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects for the consumer.

Privacy Notice

As with other state privacy laws, a major part of complying with the CTDPA involves posting privacy disclosures on a business’s website (and anywhere else it collects personal data). These disclosures must include the following information:

  • The categories of personal data collected
  • The purposes for processing personal data
  • How consumers may exercise their privacy rights, and how to appeal a controller’s decision regarding privacy requests
  • The categories of personal data shared with third parties
  • The categories of third parties with which the controller shares data
  • An email address or other online mechanism for contacting the controller
  • If the controller sells personal data or uses it for targeted advertising, it must also disclose that fact

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.