Privacy Protection Patchwork, Part IV: How the Connecticut Data Privacy Act Could Impact Your Business
The number of states enacting comprehensive privacy laws is growing, adding to the existing complex patchwork of privacy, security, and data breach notification laws that keep legal and compliance personnel on their toes. Businesses should start preparing to comply with these laws, many of which become effective in 2023.
This five-part series highlights key provisions in a few of the new comprehensive privacy laws. Each week we will examine laws in a new state – Virginia, Colorado, Utah, Connecticut, and California – and provide recommendations on what steps businesses should consider taking now to comply. This post – the fourth in our series – explores how the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, also known as the Connecticut Data Privacy Act (CTDPA) could impact your business.
Stay tuned every week as we highlight key takeaways from these new laws. We anticipate that this series will continue to grow as states enact or revise consumer privacy laws.
The Connecticut Data Privacy Act
The CTDPA became the fifth comprehensive state consumer privacy law when it was signed into law by Connecticut Governor Ned Lamont on May 10, 2022. The CTDPA will become effective on July 1, 2023.
1. Applicability Threshold
The CTDPA applies to businesses and individuals that conduct business in Connecticut or offer products or services that are targeted to Connecticut residents and meet one or more of the following criteria during the preceding calendar year:
- Controlled or processed the personal data of at least 100,000 consumers (excluding for the purpose of completing a payment transaction); or
- Controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.
The CTDPA exempts six types of entities from the law, including state and local governments, nonprofit organizations, higher education institutions, national securities associations registered under the Securities Exchange Act of 1934, financial institutions subject to the Gramm-Leach-Bliley Act, and covered entities and business associates as defined by the Health Insurance Portability and Accountability Act (HIPAA).
Certain data types are also exempt from the law, including employee and job applicant data, as well as certain information regulated by HIPAA, the Fair Credit Reporting Act, Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act. Not all data regulated by these laws are carved out, so businesses should analyze whether the data they process fall within one of these exemptions.
2. Summary of Consumer Rights
The CTDPA grants new rights to Connecticut residents, including the right to:
- access their personal data held by the entity;
- correct personal data held by the entity;
- delete personal data held by the entity;
- obtain a copy of personal data held by the entity in a portable format; and
- opt out of processing for the purposes of targeted advertising, sale of personal data, or profiling in furtherance of automated decision-making that produces legal or similarly significant effects concerning the consumer.
The CTDPA requires controllers (businesses that determine the purpose and means for processing data) to provide a secure and reliable means for consumers to exercise these new rights, which must be described in the controller’s privacy notice. Entities must respond to these requests within 45 days from receipt, barring the need for an extension due to complexity or the number of requests. CTDPA provides for an additional 45 days if an extension is needed and if the controller informs the consumer of the need for the extension within the original 45-day period.
3. Data Use and Retention
The CTDPA limits collection and use of personal data to such data that are adequate, relevant, and reasonably necessary for the purposes for which the data are being processed. Entities should carefully assess their data collection and use practices to comply with these limitations. Controllers must also establish and maintain reasonable administrative, technical, and physical safeguards to protect personal data.
Controllers must also execute contracts that include clear instructions for processing personal data and the type of data subject to processing. The data processing agreements should address confidentiality requirements and must allow the controller to audit the processor’s compliance with the CTDPA.
For each processing activity that presents a heightened risk of harm to a consumer, including targeted advertising and sale of personal data, controllers must conduct and document a data protection assessment. These assessments must weigh the benefits of such processing against the risks to the consumer and must be made available to the Connecticut Attorney General when requested as part of an investigation.
Controllers must provide clear and accessible privacy notices that include the categories of data they process, the purpose of processing the data, how consumers may contact the business to exercise a right or appeal the controller’s decision with regard to a request, the categories of personal data that controllers share with third parties, and the categories of third parties with whom the controller shares personal data. The privacy notice must also include an email address or other online means of contacting the controller.
Controllers that process sensitive personal data must obtain consent from the consumer prior to processing their sensitive data. Sensitive personal data include data that reveal racial or ethnic origins, religious beliefs, mental or physical health conditions or diagnosis, precise geolocation data, and other categories. Businesses should carefully assess the categories of data they process to determine whether they process sensitive personal data and implement procedures to obtain consent prior to any relevant processing activities.
5. State Enforcement
Until January 1, 2025, the Connecticut Attorney General will notify entities of a violation and provide 60 days in which to cure the violation and inform the Attorney General of the cure in writing. Entities that fail to cure violations may be fined up to $5,000 per willful violation. After January 1, 2025, the Attorney General will have discretion to grant an opportunity to cure, but it will not be required. The CTDPA does not create a private right of action.
Businesses that will be subject to the CTDPA should carefully review their privacy compliance programs now and update their policies and procedures if necessary to comply with the requirements of this new law. For example, businesses subject to the CTDPA should have policies and procedures in place to receive and respond to consumer requests to exercise their rights under the law. Businesses should consider conducting an inventory of personal and sensitive data so they can process consumer requests within the statutory time periods and obtain consent prior to processing, where required. Businesses should also review privacy notices and update contracts with vendors to address contracting requirements.
For more information about the CTDPA, or for assistance with your privacy compliance program, please contact the authors of this post or reach out to the entire Compliance Advisory team at PrivacyCompliance@lewisbrisbois.com. You can also subscribe to this blog to receive email alerts when new posts in this series are published. View all installments in this series here.