Connecticut’s new privacy law: Everything you need to know

What is Connecticut’s data privacy law?

On May 10, 2022, Connecticut passed An Act Concerning Personal Data Privacy and Online Monitoring. It gives Connecticut residents control over their sensitive consumer data, including the right to know what personal data businesses collect, the right to request they delete that data, the right to correct inaccuracies, and the right to restrict how businesses use the information. The law goes into effect July 1, 2023, though a universal opt-out — similar to Colorado’s — comes into effect on July 1, 2025.

Who enforces the Connecticut privacy law?

Like Virginia’s privacy law, the CTDPA will solely be enforced by the state’s attorney general. The law includes no private right to action. Thus far, only California grants consumers that right.

Who does the CTDPA cover?

Connecticut’s data privacy law adopts a moderately broad scope, similar to Virginia and Colorado. The law applies to businesses that do business in Connecticut or with Connecticuters if during the last year they:

• Controlled or processed the personal data of 100,000+ consumers, though this excludes personal data controlled or processed only to complete a payment transaction
• Or, controlled or processed the personal data of 25,000+ consumers and made over 25% of gross revenue from selling personal data

While data used solely for payment processing is excluded from the 100,000 consumer standard, it is not excluded from the 25,000 consumer standard. A company that processes the data of 25,000 consumers and makes more than 25% of revenue from selling personal data will have to comply, even if they only sold the data of a few thousand consumers.

Like California and Colorado, Connecticut’s law takes a broad interpretation of data sales. It defines sale as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” That is, if you exchange personal data for goods or services, it’s important to calculate the value of that data compared to the rest of your gross revenue to see if the law applies to you.

The CTDPA’s scope sits right in the middle of the five state data privacy laws to date. Virginia and Colorado have similar scope, differing only in the percentage of revenue sales required to trigger the second condition (i.e. 25,000 consumers and a percentage of gross revenue sales.) In Virginia, a business will have to comply if they derive 50% of gross revenue and control or process the data of 25,000 consumers. In Colorado, on the other hand, a business that has the data of 25,000 consumers must comply if they sell any personal data at all.

California has the broadest scope, with a revenue threshold that includes any business making more than $25 million that does business in the state or with state residents. Finally, Utah has the narrowest scope, automatically excluding any business making under $25 million, regardless of their data practices.

Connecticut privacy law exemptions

Like every other state privacy law except Colorado, Connecticut exempts nonprofits. It also exempts government institutions, higher education, organizations registered under the Securities Exchange Act, financial institutions subject to the GLBA, and HIPAA covered entities and business associates.

Additionally, Connecticut exempts a variety of data, including:

• Healthcare data, such as HIPAA PHI, community and population health information, and research data
• Credit reporting information under the Fair Credit Reporting Act
• Personal data regulated by the Driver’s Privacy Protection Act of 1994
• Personal data regulated by the Family Educational Rights and Privacy Act
• Personal data regulated by the Farm Credit Act
• Information about contractors and employees
• Emergency contact information
• Information used to administer benefits
• Data about airline price, route, or service under the Airline Deregulation Act

Data under the Connecticut privacy law

What does CTDPA consider personal data?

The Connecticut privacy protection policy holds a very standard definition of personal data. According to the CTDPA, personal data is information that:

• Is linked or can be linked to an identifiable person; and
• Is not de-identified data or publicly available information.

Of the five privacy law states, only California protects data used in business relationships, such as employment records. Connecticut, like Virginia, Utah and Colorado, only protects consumer data.

How does the Connecticut data privacy law define “sensitive data?”

Under Connecticut privacy law, sensitive data includes any personal information that reveals:

• Racial or ethnic origin
• Religious beliefs
• Mental or physical health condition or diagnoses
• Sex life or sexual orientation
• Citizenship or immigration status
• Genetic or biometric data processed for the purpose of identify an individual
• Personal data from a known child
• Precise geolocation

The Connecticut law requires businesses to always obtain consumer consent before processing sensitive data. In the case of children under 13, businesses must obtain verifiable parental consent before processing data, as required by COPPA.

Like Utah and Colorado, Connecticut does not consider government identity information sensitive data. So far, only California and Virginia include government ID under this category.

Overall, Connecticut, Virginia, Utah and Colorado have a very similar view of what sensitive data is. California has a somewhat broader view than the other privacy law states. In addition to government identity information, it categorizes login ID, password, union membership and philosophical beliefs as sensitive data.

Interestingly, although Utah doesn’t consider children’s data to be “sensitive data,” both Utah and Connecticut require essentially the same protections, using COPPA as the standard. In terms of children’s data protection, California is again the outlier, providing enhanced protection for children up to the age of 16, and banning businesses from asking children for consent for 12 months after being rejected.

What consumer rights does the Connecticut privacy bill provide?

Like Colorado and Virginia privacy law, the CTDPA grants consumers six basic rights:

• Access
• Correction
• Delete
• Data portability
• Opt out
• Appeal

This differs from California, which has no right to appeal, and Utah, which has no right to correct data inaccuracies.

Right to access

Consumers have the right to know whether you’re processing their personal information and what information you’re processing, unless providing confirmation or access “would require the controller to reveal a trade secret.” This exception is unique to Connecticut privacy law.

Right to correction

Consumers have the right to correct inaccuracies in their personal information.

Right to delete

Consumers have the right to have their personal data deleted. Unlike Utah, which only covers data provided to you by the consumer, Connecticut covers all personal data, regardless of the source. However, the CTDPA does not go as far as California, which requires you to delete data shared with third parties.

Right to data portability

Connecticuters have the right to receive a copy of their personal data. It should be provided in a format that’s easy and convenient for the consumer to read or share. However, businesses are not required to fulfill this requirement if it means revealing a trade secret.

Right to opt out

Consumers have the right to opt out of having their data sold or processed for targeted advertising. They can also opt out of profiling if:

• The profiling is “solely automated” — i.e. performed entirely by an algorithm
• The profiling decision produces “legal or similarly significant effects”

Connecticut, Virginia, and Colorado use similar opt out standards. California’s profiling rules are waiting on rulemaking by the California Consumer Protection Authority, which has faced repeated delays. Utah is unique in having no right to opt out of profiling.

Right to appeal

Under the CTDPA, you can deny a consumer’s data request under some circumstances. For example, if fulfilling a data access request would reveal a trade secret.

However, if your business does deny a request, the consumer has the right to appeal the decision. You should provide a conspicuous and straightforward way to appeal, similar to the initial data request process. If the appeal is denied, you’ll need to give the consumer an online method to file a complaint with the attorney general. So far, only California and Utah have no right to appeal. However, California gives residents the right to initiate an enforcement action.

What are my obligations under Connecticut privacy law?

Post and maintain clear privacy notices

Like other privacy law states, Connecticut requires you to post clear, accessible privacy notices explaining your data practices and consumer rights. It should cover:

• What types of data you collect and process
• What purposes the data serves
• What categories of third parties you share personal data with
• How consumers can exercise their data rights

Your privacy notice should include an easy, secure, and reliable online tool for consumers to make data requests, such as an online form or monitored email. You will also need a way to confirm the consumer’s identity, so that you don’t share private data with the wrong party.

Get user consent

If you sell personal data to third parties or process it for targeted advertising, you need to “clearly and conspicuously” disclose that fact, and give consumers a simple way to opt out.

Process data requests quickly

So far, all privacy law states require you to respond to consumer requests within 45 days. In Connecticut, like in California, Utah, Virginia and Colorado, you can request an additional 45 days when “reasonably necessary,” but you have to let the consumer know you’re taking an extension (and explain why you need it) within the first 45 days.

California has one exception to this rule. When a Californian opts out of a data sale, you must confirm it within 15 days of the request. Otherwise, all five states have the same timetable for the initial data request.

If a consumer appeals, you have 60 days to review their appeal and respond in writing. Let them know what actions you’ve taken (or not taken) on their appeal, and explain your reasons. If you deny the appeal, give them a simple way to contact the attorney general online in case they’d like to make a complaint.

The appeal timetable varies from state to state. Virginia also has a 60-day appeal time limit. Colorado has a 45-day appeal time limit, but controllers may extend the limit by another 60 days when necessary. Neither Utah nor California require an appeal process.

Keep in mind that Connecticut requires you to respond to one request per consumer per year, free of charge. If consumers make requests that are “manifestly unfounded, excessive, or repetitive,” you may charge a reasonable fee to offset the cost of complying, or simply reject the request.

Connecticut also explicitly requires you to authenticate the user’s identity. If you can’t authenticate a request, let the consumer know that you’re unable to, and request whatever additional information you need to authenticate them.

Opt-out requests work a little differently under the CTDPA. You’re not required to authenticate opt-out requests, but you may deny them if you have a “good faith, reasonable and documented belief” that they are fraudulent. If you deny an opt-out, send a notice to the requester letting them know you won’t comply and explaining your reasons for believing the request is fraudulent.

Provide a universal opt-out tool

Both Connecticut and Colorado have a universal opt-out requirement. Colorado’s requirement begins on January 1, 2024, while the CTDPA opt-out rule goes into effect a year later. This universal opt out will allow consumers to decline any data processing or sale. Connecticut privacy law states the universal opt-out must:

• Require consumers to make “an affirmative, freely given and unambiguous choice to opt out of any processing” of personal data
• Not “unfairly disadvantage” other data controllers
• Be easy to use
• Be as consistent as possible with opt-out platforms mandated by other states or federal laws
• Enable you to determine if a consumer actually lives in Connecticut and has made a legitimate request

Because of the timetables of both states, you should begin by focusing on Colorado’s opt-out requirement, using a tool that will satisfy both state rules.

Only use data for the purpose you’ve declared

Connecticut forbids controllers from processing personal data “for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes.” In other words, tell users what you intend to do with their data, and only use it for that purpose.

Limit data collection

Connecticut requires you to only collect personal data that is “adequate, relevant, and reasonably necessary” for your use case. This requirement, known as “data minimization,” is part of most privacy laws, including every privacy law state but Utah. It’s not just about compliance, though. Even when the law doesn’t require it, data minimization helps protect your business. The less sensitive data you collect, the less damage to your company, partners, and customers, should you suffer a security breach.

Use data protection impact assessments to mitigate risks

Any time a data processing activity creates a “heightened risk of harm” to consumers, you must conduct a data protection impact assessment. Under Connecticut privacy law, this includes:

• Processing personal data for targeted advertising
• Selling personal data
• Processing sensitive data

You also need to use DPIAs when you’re conducting profiling, if the profiling activity has a risk of:

• Treating consumers in an unfair or deceptive way
• Creating an “unlawful or disparate impact” on consumers
• Harming a Connecticuter’s finances or reputation
• Causing physical harm
• Intruding on an individual’s private affairs, solitude, or seclusion
• Causing any other “substantial injury.”

Keep your data protection impact assessments on file — while the CTDPA exempts DPIAs from public disclosure, it also gives the attorney general the right to review them for compliance.

Secure your data

Like other state privacy laws, the CTDPA requires controllers to protect their data, using “reasonable administrative, technical and physical data security practices.” Put strong security controls in place to make sure personal data stays private. 

Put clear and explicit data processing contracts in place

Whether you’re a data controller or processor, you need to have a contract before exchanging any private data. The contract should include:

• Instructions for processing data
• The nature and purpose of the data processing
• The type of data being processed
• The duration of the data processing agreement
• The rights and obligations of both the controller and the processor

The processor also has special obligations, including:

• Imposing a duty of confidentiality on everyone processing personal data
• Having a contract with any subcontractors
• Deleting or returning all personal data at the end of service if the controller requests
• Demonstrating compliance if the controller requests
• Cooperating with any “reasonable assessments” by the controller

What are the rules for Connecticut data breaches?

Data breaches are covered by Connecticut General Statutes § 36a-701b. This law defines personal data more broadly than the CTDPA. It covers the breach of any data that contains the first and last name of a citizen (or the first initial and last name) combined with:

• Government ID number (e.g. Social Security, taxpayer identification number, or driver’s license number)
• Credit or debit card number
• Financial account number combined with an access code or password
• Medical information, diagnosis, or history
• Health insurance number
• Biometric data, such as voice print or fingerprint
• User name combined with account credentials

If any of this data has been breached (or you believe it may have been breached) you must notify the Connecticut attorney general, along with the data breach victim as quickly as possible, and within 60 days.

You’ll also be required to provide free identity theft prevention and (if needed) mitigation services for 24 months. This should include instructions for how to enroll in the services, and information on how to put a credit freeze in place.

The statute provides three basic options for contacting people affected by the breach:

• Written notice
• Telephone
• Electronic notice (if the consumer has consented to using electronic communication)

You can also provide a “substitute notice” in certain cases. If it would cost more than $250,000 to provide notice, there are more than 500,000 people you need to contact, or you simply don’t have contact information, you can use the following contact methods:

• Email
• Conspicuous posting on a website maintained by the breach victim
• Notification of “major state-wide media,” including newspapers, TV, and radio stations

If the victim’s login credentials were breached and you can verify the victim still has control of the account, you may prompt them to recover their account and update their credentials and security questions.However, if the victim may have lost control of the account, you must use another method to contact them.

How is the Connecticut data privacy law enforced?

The Connecticut privacy law is exclusively enforced by the attorney general. From July 1, 2023 until the end of 2024, the attorney general’s office will issue a notice of violation if they believe you’ve broken the CTDPA and “a cure is possible” — i.e. that the violation can be fixed. You’ll then have 60 days to fix that violation. If you don’t, the attorney general can bring an action. Companies can face a fine of up to $5,000 per violation, in addition to restitution, disgorgement, or injunctive relief.

Beginning on January 1, 2025, enforcement may get tougher. On that data, the attorney general can determine whether to give you the opportunity to cure the violation or not, considering factors like:

• The number of violations
• The cause of the violation or violations
• The size and complexity of your company
• Your processing activities
• What “Injury to the public” the violation may have caused
• Safety issues caused by the violation

Creating a unified compliance strategy

With the passing of the CTDPA, businesses now have to comply with five separate state privacy laws — with more on the way. TerraTrue can help you create an automated compliance strategy, meeting state privacy laws, the GDPR, and other compliance regulations with a single, intuitive workflow.

Contact us today for a free demo, and learn how simple regulatory compliance can be.