Understanding Connecticut’s Data Privacy Act

05.08.2023
Small Business

The following article was provided by Whittlesey. It is posted here with permission.


On May 10, 2022, Connecticut enacted SB 6, titled An Act Regarding Personal Data Privacy and Internet Surveillance. 

This legislation is also commonly referred to as the Connecticut Data Privacy Act or CTDPA. 

Navigating this act and other state privacy laws can be overwhelming for businesses.

This guide will provide an overview of CTDPA’s applicability, requirements, enforcement, and how advisors can help your business achieve compliance.

Applicability

CTDPA applies to businesses that operate within Connecticut or provide products and services to residents as long as they meet certain criteria. 

These criteria include managing or processing personal data for a specific number of consumers or deriving a designated percentage of gross revenue from the sale of personal data. 

Notably, there is no annual revenue threshold for the act’s applicability.

Additionally, CTDPA applies to service providers, known as “processors,” who maintain or offer services involving personal data on behalf of the covered businesses. 

CTDPA also extends to individuals or legal entities, called “controllers,” who collect and process personal data. 

Controllers are responsible for addressing consumer inquiries regarding the collection and processing of their personal data.

Exemptions and Coverage

Excluded entities include state and local governments, nonprofits, higher education institutions, certain national securities associations, financial institutions, and covered entities under specific acts, such as the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act.

CTDPA covers the personal data of Connecticut residents acting individually but not in commercial or employment contexts. 

De-identified data, publicly available information, and specific categories of personal data are exempt, while aggregated data is not. 

The law also covers children under the legal age of 18, and controllers must follow all regulations concerning children’s online privacy established according to the Children’s Online Privacy Protection Act.

Consumer Rights 

The act provides consumers with the right to:

  • Access personal data
  • Correct inaccuracies
  • Delete personal data
  • Obtain a portable copy of their personal data, and
  • Opt out of processing for targeted advertising, sale of personal data, or profiling that results in solely automated decisions with significant consequences.

Businesses must adhere to data security measures, minimization, and purpose limitation principles. 

They must also obtain consent before processing sensitive data, provide an accessible privacy notice, and fulfill other obligations.

Compliance

To comply with CTDPA, businesses should take the following actions:

  • Determine if the law applies to their operations
  • Implement appropriate data security measures
  • Restrict data collection/processing to necessary information only
  • Obtain consent for managing sensitive data
  • Develop secure processes for addressing consumer requests
  • Establish data processing agreements
  • Conduct data protection assessments
  • Create mechanisms for revoking consent
  • Draft a comprehensive privacy notice
  • Avoid discrimination against consumers who exercise their rights under CTDPA

Enforcement

The Connecticut Attorney General is responsible for enforcing CTDPA. 

Violations can result in penalties of up to $5,000 per willful violation under the Connecticut Unfair Trade Practices Act, as well as restitution, disgorgement, and injunctive relief.

Consumers do not have a private right of action.

However, up until Dec. 31, 2024, should the attorney general determine that a controller could remedy a violation prior to initiating a lawsuit, then notice must be given to the controller, and they have up to 60 days to correct the violation (called “the right to cure”).


About the author: Chris Wisneski is an IT security and assurance services manager in Whittlesey’s Hartford office. He has more than 20 years of information technology experience with a specialty in cybersecurity. 
