On May 10, 2022, Governor Ned Lamont signed into law Connecticut’s Act Concerning Personal Data Privacy and Online Monitoring, making Connecticut the fifth state to enact a comprehensive state privacy law. The law, also called the Connecticut Data Privacy Act (“CTDPA”), will go into effect on July 1, 2023.
This law contains most of the same rights and obligations as the consumer privacy laws passed in California (the California Consumer Privacy Act of 2018 and the subsequent California Privacy Rights Act), Colorado (the Colorado Privacy Act), Utah (the Utah Consumer Privacy Act) and Virginia (the Virginia Consumer Data Protection Act). The Connecticut law is most closely modeled on the Colorado Privacy Act and the Virginia Consumer Data Protection Act but contains some notable differences.
Scope of the CTDPA
The new Connecticut law will apply to legal entities conducting business in Connecticut or providing products or services targeted to Connecticut residents that either (1) control or process the personal data of 100,000 or more consumers during a year, excluding personal data controlled or processed solely for the purpose of completing payment transactions; or (2) control or process the personal data of 25,000 or more consumers and derive more than 25 percent of their gross revenue from the sale of personal data. There is no annual revenue threshold for the Act to apply.
“Consumers” are defined as Connecticut residents and explicitly exclude individuals acting in a commercial or employment context. “Personal data” is defined to mean information that is linked or reasonably linkable to an identified or identifiable individual. Like Virginia and Colorado, the Connecticut law’s requirements will not extend to de-identified data or publicly available information. The definition of the “sale” of personal data is similar to the broad definition used in California’s and Colorado’s laws and includes the exchange of data for monetary or other valuable consideration.
Consumers’ Rights Under the CTDPA
The five primary consumer rights set out in the CTDPA are the right to access, right to delete, right to correct, right to data portability, and right to opt out. These rights are summarized as follows:
- Right to Access: The right to confirm whether a controller is processing the consumer’s personal data and to access that data. In contrast to the Virginia law, controllers are not required to provide confirmation or access if doing so would require the controller to disclose a trade secret;
- Right to Delete: Allows consumers to delete the data that was provided to or otherwise obtained by a controller;
- Right to Correct: Allows consumers to correct any inaccuracies in their personal data;
- Right to Data Portability: Allows consumers to obtain a copy of personal data processed by the controller in a portable format that allows the consumer to transmit their data to another controller, subject to the same trade secret exemption provided in the right to access; and
- Right to Opt Out: As in Virginia and Colorado, consumers have the ability to opt out of data processing used for the purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce “legal or similarly significant effects” concerning the individual.
Similar to California’s, Virginia’s, and Colorado’s laws, the CTDPA includes a provision limiting the collection of data to data that is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.” A controller may not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer.
Consent Requirements Under the CTDPA
Controllers must obtain opt-in consent from the consumer to collect or process sensitive personal data. This includes data relating to race, religion, mental or physical health diagnosis, sex life, sexual orientation, citizenship or immigration status; genetic or biometric data processed for the purpose of uniquely identifying an individual; personal data collected from a known child; and precise geolocation.
Opt-in consent is also required to process a consumer’s personal data for targeted advertising purposes or to sell the consumer’s data if the controller knows and willfully disregards that the consumer is between 13 and 16 years old.
Additional CTDPA Requirements
- Providing clear and conspicuous links that allow consumers to opt out of processing. In addition, beginning January 1, 2025, controllers must recognize universal opt-out preference signals that indicate the consumer’s intent to opt out of targeted advertising and sales. This requirement also appears in the Colorado law and requires a user-friendly mechanism that allows consumers to freely and unambiguously choose to opt out of personal data processing. A mere default setting will be insufficient. Unlike Colorado, controllers are not required to verify opt-out requests, theoretically making it easier for consumers to opt out;
- Responding to consumer requests within 45 days;
- Establishing a privacy policy. The privacy notice must disclose the categories of personal data processed, the purpose of the processing, how a consumer can exercise their rights and appeal, the categories of personal data shared with third parties, the categories of third parties with whom the controller shares personal data, a method for contacting the controller, whether personal data is sold to third parties and how to opt out, and whether personal data is used for targeted advertising and how to opt out;
- Conducting data protection assessments for activities such as using data for targeted advertising, selling personal data, processing personal data for the purpose of profiling where the profiling presents a reasonably foreseeable risk of substantial injury to consumers, and processing sensitive data;
- Implementing “reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data”; and
- Implementing a data processing agreement for any processing activities undertaken by a processor on an organization’s behalf. The agreement must include instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.
As for enforcement, like Virginia, Colorado, and Utah, Connecticut’s law will not provide a private right of action to consumers; the Connecticut Attorney General has exclusive enforcement authority. Before initiating an action, the attorney general must notify the controller of the violation and allow the controller 60 days to cure the violation, which is double the 30-day cure period provided under the Virginia, California, and Utah laws. However, this right to cure will terminate on January 1, 2023, after which the attorney general will have discretion as to whether to allow a controller an opportunity to cure. A violation of the law will be considered an unfair trade practice under the Connecticut Unfair Trade Practices Act, and entities could potentially face civil penalties of up to $5,000 per willful violation.
Exemptions Under the CTDPA
Similar to the Virginia law, the CTDPA includes both entity-level and data-level exemptions. The following types of entities are exempted: (1) state and local governments, (2) any financial institution or data subject to the Gramm-Leach-Bliley Act, (3) a covered entity or business subject to HIPAA, (4) national securities associations registered under the Securities Exchange Act of 1934, (5) a nonprofit organization, and (6) an institution of higher education. There are sixteen categories of data-level exemptions, including specific information regulated by HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act, as well as specific employee and job applicant data.