Colorado and Connecticut Privacy Laws: What You Need to Know

The year 2023 has seen a significant increase in the number of US states that passed data privacy laws, but it is also the year when two such privacy laws become effective, on the same day, July 1st.

The Connecticut Data Privacy Act (CTDPA), or Senate Bill 6: An Act Concerning Personal Data Privacy and Online Monitoring and the Colorado Privacy Act (CPA), known also as Senate Bill 21, will be enforced as of July, meaning all covered entities will have to quickly acquaint themselves with their requirements if they haven't done so already.

As part of our dedication to customers and users alike, we have covered these laws in the Privacy regulations section of our website, which can be found here for CTDPA, and here for CPA, and in the below we look at some of the main points, and how they relate to the CCPA, which is a benchmark legislation that most entities comply with by now:

Scope

Definitions

CTDPA

• defines personal information, which it calls ‘personal data,’ as “any information that is linked or reasonably linkable to an identified or identifiable individual” but excludes from this definition both de-identified data and information made publicly available.
• ‘sensitive data’ is “personal data that includes data on
  • racial or ethnic origin,
  • religious beliefs,
  • mental or physical health condition or diagnosis,
  • sex life, sexual orientation or citizenship or immigration status;
  • the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
  • personal data collected from a known child;
  • precise geolocation data.”
• sale means ‘sale of personal data’ as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”

CPA

• defines personal information as personal data, meaning “information that is linked or reasonably linkable to an identified or identifiable individual” but does not include “de-identified or publicly available information”.
• sensitive data is defined as “personal data revealing:
  • racial or ethnic origin,
  • religious beliefs,
  • a mental or physical health condition or diagnosis,
  • sex life or sexual orientation,
  • citizenship or citizenship status,
  • genetic or biometric data that may be processed for the purpose of uniquely identifying an individual,
  • personal data from a known child.”
• sale means “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.”

CCPA

• defines personal information as any information that identifies, relates to, describes, or could be linked to a consumer or household and includes data such as name, email, date of birth and even IP address.
  • Sensitive personal information is information that reveals sensitive details such as:
  • precise geolocation,
  • social security number, driver’s license number, state identification card number or passport number,
  • racial or ethnic origin;
  • log-in credentials for various accounts, credit/debit card numbers alongside any access code needed to access accounts;
  • genetic information;
  • the contents of mail, e-mail or text messages, unless otherwise intended as part of the communication between the business and the website visitor.
• sale means "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration."

Consumer rights

Enforcement

CTDPA

• The Attorney General is the sole enforcing authority.
• There is no private right of action under CTDPA.
• Cure period for violations: 60 days
• Penalties: up to $5,000 per wilful violation.

CPA

• The provisions are enforced by both the state Attorney General and the District Attorneys.
• There is no private right of action under CPA.
• Cure period for violations: 60 days
• Penalties: between $2,000 and $20,000 per violation.

CCPA

• The Attorney General is the sole enforcing authority.
• There is a private right of action under CCPA.
• Cure period for violations: 30 days
• Penalties: up to $2,500 for every unintentional violation and $7,500 for every intentional violation.