July 24, 2024
Connecticut Adds New Privacy Rules for Health Data
By adding a host of new protections for health data, Connecticut has continued to play an outsized role in privacy regulation. Learn more at TrueVault.
Connecticut’s Data Privacy Act (CTDPA) went into effect in July 2023, and since that time the state has shown considerable interest in both enforcing and updating the law. Not all of the CTDPA’s requirements went into effect right away, however.
On January 1, 2025, two important changes came to CTDPA compliance. First, the law’s mandatory rule for a 60-day cure period expired, meaning state officials can now proceed directly to enforcement without offering businesses a chance to fix any violations. Second, businesses are now required to respect opt-out preference signals (OOPS) sent by consumers’ web browsers.
To this effect, Attorney General William Tong published a press release reminding businesses of this new obligation.
From a consumer perspective, the ability to opt out of targeted advertising and/or the sale of their personal information is one of the most important privacy rights. It gives them direct, tangible control over how their data is used, and helps rein in marketing practices that many find objectionable.
Privacy laws already oblige businesses to provide consumers with an easy way to opt out via conspicuous links and web forms. The point of an OOPS is to make it even easier by automating the process.
Here’s how it works: A consumer’s browser sends a signal to every website they visit, indicating that they want to opt out; the website receives the signal and automatically performs a browser-based opt-out (usually accomplished by cookie).
The currently accepted OOPS standard is Global Privacy Control (GPC). GPC can be enabled in the settings of some browsers, such as Firefox or Brave, but the browsers used by the vast majority of consumers—i.e., Chrome, Safari, and Edge—require the installation of an extension in order to enable GPC.
A growing number of states require businesses to respect opt-out signals. In order to comply with that rule, businesses must:
TrueVault simplifies this entire process for businesses. Our comprehensive privacy platform helps you identify which data disclosures are considered targeted advertising or selling, provides easy mechanisms for accomplishing opt-outs, and includes support for Global Privacy Control. Onboard your business in as little as a few hours, drag and drop our code onto your site, and you’re ready to go!
Talk to one of our experts to see how TrueVault can help you launch your privacy program.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
