July 24, 2024
Connecticut
Connecticut's Privacy Law: Does It Apply to Your Business?
Another state privacy law is taking effect in 2023. Does the Connecticut Data Privacy Act apply to your business?
table of contents

As 2023 approaches and a new round of data privacy laws are slated to take effect, business leaders are scrambling to determine which laws apply to their companies and how to juggle multi-state compliance. The Connecticut Data Privacy Act (CDPA) is one of those laws, going into effect on July 1, 2023.

To anyone familiar with Virginia’s Consumer Data Protection Act, the criteria for determining whether the CDPA applies should look familiar as they are more or less identical. Here’s a quick rundown on how to figure out if the Connecticut Data Privacy Act applies to your business.

The CDPA’s Criteria

As with the Virginia privacy law, most of the CDPA’s rules apply to “controllers”—i.e., for-profit businesses that “determine the purpose and means of processing personal data.”

Basically, if it’s your website (or store), you are the controller of any data that is processed in connection with that site.

Any controller that has a physical presence in Connecticut, or sells its products or services online to state residents, must comply with the CDPA if at least one of the following applies:

  1. Control the personal data of at least 100,000 state residents in a calendar year, OR
  2. Control the personal data of at least 25,000 state residents in a calendar year AND derive more than 25% of gross annual revenue from the sale of personal data

For most businesses, it will be the 100,000-consumer threshold that applies to them. If your business has a website, it is controlling the personal data (e.g., IP addresses, cookies, etc.) of each one of its visitors. If you are getting just 8,400 unique visitors from Connecticut per month, that puts you over the 100,000 mark.

Exemptions

The CTDPA also contains a number of exemptions at the entity level, and for specific types of personal data. These exemptions include:

  • Nonprofit organizations
  • Government agencies
  • Financial institutions
  • Institutions of higher education
  • Data regulated by the Health Insurance Portability and Accountability Act (HIPAA)
  • Data regulated by the Fair Credit Reporting Act (FCRA)

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.

previous chapter
next chapter

Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.

Privacy laws are here.
Are you ready?

Say goodbye to privacy headaches and hello to easy compliance with TrueVault.
Launch your Privacy Plan
Sign up Today. Get compliant tomorrow.

The Complete Privacy Platform

TrueVault is not a law firm and its services are not a substitute for obtaining legal advice from a qualified licensed attorney.
© 2024 TrueVault, Inc.
Resources
AboutPlansResource CenterContactCareers
Latest Articles
Cookies & Privacy Compliance
How to Create a Data Retention Policy
When Do the New State Privacy Laws Go into Effect?
Global Privacy Control: A New Requirement for Compliance
TrueVault is not a law firm and its services are not a substitute for obtaining legal advice from a qualified licensed attorney.
© 2024 TrueVault, Inc.