What is the Connecticut Data Privacy Act (CTDPA)?
The Connecticut Data Privacy Act (CTDPA) is a national data privacy law in the United States providing Connecticut residents with various rights over their personal data – such as the option to opt-out of targeted advertising, the sale of personal data, and automated profiling. The CTDPA also provides certain obligations for data controllers and processors, such as requiring privacy notices.
Who does the Connecticut Data Privacy Act apply to?
The CTDPA applies to businesses and organizations that conduct business in Connecticut and annually collect, use, or share personal information of:
- 100,000 or more Connecticut residents
- Derive over 25% of their gross revenue from the sale of personal information and process the personal information of at least 25,000 Connecticut residents
What is worth noting, the CTDPA provides exceptions to its scope of applicability. For example, it excludes personal data processed in the commercial or employment context or protected health information.
Duties of data controllers
The CTDPA mandates controllers to follow specific rules when handling consumers’ personal data. Controllers must:
- Limit the collection of personal data to only what is necessary and relevant to the purpose for which it is processed.
- Refrain from using consumers’ personal data for purposes that are not compatible or necessary without obtaining their consent.
- Maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
- Refrain from processing sensitive data without consent.
- Refrain from processing personal data that violates state and federal laws prohibiting discrimination against consumers.
- Provide consumers with an effective mechanism to revoke their consent and cease data processing.
- Not process data for targeted advertising or sell it to third parties without the consumer’s consent.
- Not discriminate against consumers for exercising their rights.
- Provide clear and meaningful privacy notices.
- Provide a clear and conspicuous link on their website to enable consumers to opt out of targeted advertising or the sale of their personal data.
What are the consumer rights under the Connecticut Data Privacy Act?
Under the CTDPA, consumers have the right to:
- Confirm whether their personal data is being processed by a controller and access that data, except if doing so would reveal a trade secret.
- Correct any inaccuracies in their personal data, considering the nature of the data and its processing purposes.
- Delete personal data provided by or obtained about the consumer.
- Obtain a copy of their personal data processed by the controller, in a portable and usable format, allowing them to transmit such personal data to another controller without difficulty, provided that revealing trade secrets is not required.
- Opt out of the processing of their personal data for targeted advertising, the sale of personal data (with some exceptions), and profiling that produces significant automated decisions affecting the consumer’s legal rights.
Comparison to other state data privacy laws
The Connecticut Data Privacy Act (CDPA) shares many similarities with other state privacy laws, including those in California, Virginia, Colorado, and Utah. However, the CTDPA shares the most significant similarities with the Virginia Consumer Data Protection Act and the Colorado Privacy Act, which focus more on the consumer. The CTDPA also shares many commonalities with the California Consumer Privacy Act and the California Privacy Rights Act.
How does the CTDPA define personal and sensitive data?
The CTDPA defines personal data as:
[…] any information that is linked or reasonably linkable to an identified or identifiable individual. “Personal data” does not include de-identified data or publicly available information.
The CTDPA defines sensitive data as:
[…] personal data that includes (A) data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status, (B) the processing of genetic or biometric data for the purpose of uniquely identifying an individual, (C) personal data collected from a known child, or (D) precise geolocation data.
What is a data protection assessment?
Data protection assessments should evaluate the benefits that may arise from the processing, for the controller, consumer, other stakeholders, and the public, and balance them against the potential risks to the consumer’s rights, considering safeguards that can be applied by the controller.
Who is a controller?
A controller is an individual or legal entity that processes personal data, either alone or jointly with others, and determines the purpose and means of such processing.