The year 2023 has seen a significant increase in the number of US states that passed data privacy laws, but it is also the year when two such privacy laws become effective, on the same day, July 1st.
The Connecticut Data Privacy Act (CTDPA), or Senate Bill 6: An Act Concerning Personal Data Privacy and Online Monitoring and the Colorado Privacy Act (CPA), known also as Senate Bill 21, will be enforced as of July, meaning all covered entities will have to quickly acquaint themselves with their requirements if they haven't done so already.
As part of our dedication to customers and users alike, we have covered these laws in the Privacy regulations section of our website, which can be found here for CTDPA, and here for CPA, and in the below we look at some of the main points, and how they relate to the CCPA, which is a benchmark legislation that most entities comply with by now:
Scope
CTDPA |
CPA |
CCPA |
Applies to entities that conduct business in the state of Connecticut or that offer products/services targeted to residents of the state of Connecticut and during the previous calendar year
- have controlled or processed the personal data of at least 100,000 consumers, excepting the personal data of consumers controller or processed solely for the purpose of completing a payment transaction;
- have controlled or processed the personal data of at least 25,000 consumers and have derived more than 25% of their gross revenue from personal data selling.
|
Applies to any controller that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado and either
- Controls or processes the personal data of 100,000 consumers or more during a calendar year, or
- Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.”
|
Applies to entities that conduct business in the State of California or target residents of the state, and that satisfy one or more of the following thresholds:
- Earn annual revenues of more than $25 million;
- Collect and process personal information of at least 100,000 consumers, households or devices; or
- Derive at least 50% of their annual revenues from selling or sharing consumers’ personal information.
|
Definitions
CTDPA |
CPA |
CCPA |
- defines personal information, which it calls ‘personal data,’ as “any information that is linked or reasonably linkable to an identified or identifiable individual” but excludes from this definition both de-identified data and information made publicly available.
- ‘sensitive data’ is “personal data that includes data on
- racial or ethnic origin,
- religious beliefs,
- mental or physical health condition or diagnosis,
- sex life, sexual orientation or citizenship or immigration status;
- the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
- personal data collected from a known child;
- precise geolocation data.”
- sale means ‘sale of personal data’ as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”
|
|
- defines personal information as any information that identifies, relates to, describes, or could be linked to a consumer or household and includes data such as name, email, date of birth and even IP address.
- Sensitive personal information is information that reveals sensitive details such as:
- precise geolocation,
- social security number, driver’s license number, state identification card number or passport number,
- racial or ethnic origin;
- log-in credentials for various accounts, credit/debit card numbers alongside any access code needed to access accounts;
- genetic information;
- the contents of mail, e-mail or text messages, unless otherwise intended as part of the communication between the business and the website visitor.
- sale means "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration."
|
Consumer rights
CTDPA |
CPA |
CCPA |
- Right to data portability
- Right opt out of the processing of the personal data for purposes of
- targeted advertising,
- the sale of personal data, or
- profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
|
- Right to access
- Right to correct
- Right to delete
- Right to data portability
- Right to Opt Out: opt out of the processing of personal data concerning the consumer for purposes of:
- targeted advertising;
- the sale of personal data, or
- profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.”
|
- Right to Know
- Right to Delete
- Right to Opt Out of Sale
- Right to Non-Discrimination
- Right to Correct
- Right to Limit Use and Disclosure of Sensitive Personal Information.
|
Enforcement
CTDPA |
CPA |
CCPA |
- The Attorney General is the sole enforcing authority.
- There is no private right of action under CTDPA.
- Cure period for violations: 60 days
- Penalties: up to $5,000 per wilful violation.
|
- The provisions are enforced by both the state Attorney General and the District Attorneys.
- There is no private right of action under CPA.
- Cure period for violations: 60 days
- Penalties: between $2,000 and $20,000 per violation.
|
- The Attorney General is the sole enforcing authority.
- There is a private right of action under CCPA.
- Cure period for violations: 30 days
- Penalties: up to $2,500 for every unintentional violation and $7,500 for every intentional violation.
|