Competing privacy laws require companies to create state- and region-specific privacy policies. This can become confusing. If you do business in Connecticut and meet an applicability threshold, you need to adhere to the enhanced privacy protections granted under Connecticut privacy law. The Connecticut Data Privacy Act (CTDPA) helps consumers keep control over their private information.
What is the Connecticut Data Privacy Act?
The CTDPA is the newest state consumer privacy law, joining four other states in offering enhanced consumer protection. Those familiar with California’s, Virginia’s, Colorado’s, and Utah’s consumer privacy laws will notice some similarities. The CTDPA is most similar to Virginia’s consumer-oriented privacy law.
The Act applies to data controllers and processors. A controller is “an individual who, or legal entity that, alone or jointly with others determines the purposes and means of processing personal data,” while a processor is “an individual who, or legal entity that, processes personal data on behalf of a controller.”
If you conduct business or produce products and services targeted to Connecticut residents, you may be subject to the Act. The CTDPA applies to businesses that, in the preceding year:
- Controlled or processed the data of 100,000 or more Connecticut consumers annually, with an exception for personal data solely dedicated to completing a transaction; or
- Earned over 25 percent of gross revenue from the sale of personal data, or controlled and processed personal data from 25,000 or more Connecticut consumers.
The CTDPA does not have a revenue threshold, making it more similar to Virginia and Colorado privacy laws. The main difference is that the threshold for the share of gross revenue earned from the sale of personal data is half that of the VCDPA and UCPA, making it more likely that your business will be subject to Connecticut laws.
There are certain exemptions. For example, state and local government entities, higher education and certain entities defined under the Health Insurance Portability and Accountability Act do not need to comply with these requirements. There are also data-based exemptions, including personal data regulated under the Fair Credit Reporting Act and the Family Educational Rights and Privacy Act, among others. It’s important to determine whether your company or some of the data you process falls under one of these exemptions.
Remember that the CTDPA requires consumers to opt in and consent to the collection or processing of sensitive data. That includes data which discloses:
- Racial and ethnic origin
- Religious beliefs
- Mental or physical health conditions or diagnoses
- Sexual activities
- Sexual orientation
- Citizenship and immigration status
- Genetic or biometric data used to identify an individual
- Data from minors
- Precise geolocation data (which is defined as within ⅓ of a mile)
The consent must be “freely given, specific, informed, and unambiguous.”
What does the Connecticut Data Privacy Act protect?
The data regulated by the CTDPA is defined as “any information that is linked or reasonably linkable to an identified or identifiable individual.” This does not include publicly available information.
The CTDPA defines a “consumer” as a Connecticut resident who is not acting in a commercial or employment context. In other words, information collected through business and employment relationships is not covered under Connecticut privacy law per the CTDPA.
When will the CTDPA become effective?
The CTDPA will go into effect on July 1, 2023. This gives affected companies some time to create Connecticut-specific data compliance privacy policies.
It’s important to note that not all companies are subject to the CTDPA. However, if your company is scaling up or otherwise moving to Connecticut, you may want to establish compliant policies now.
How to comply with the Connecticut Data Privacy Act (CTDPA)
To comply with the CTDPA, a business must:
- Decide whether the CTDPA applies to your business: If eligible under the law, your company will need to comply with the CTDPA.
- Create consent management tools: Consumers must be able to give informed consent.
- Create a privacy request tool: You’ll also need to create a way for consumers to protect their privacy and/or opt out of data collection.
- Create an appeal tool: Consumers must be able to appeal your decision if you deny their privacy request.
- Conduct data protection assessments: Finally, much like under the VCDPA, companies must conduct a data protection assessment any time they collect sensitive data or engage in other high-risk processing behaviors, such as targeted advertising.
These measures will protect consumer data as well as ensure your company doesn’t run afoul of the law.