Blog | Clym

Colorado and Connecticut Privacy Laws: What You Need to Know

Written by Alex Margau | 22 June 2023

The year 2023 has seen a significant increase in the number of US states that passed data privacy laws, but it is also the year when two such privacy laws become effective, on the same day, July 1st. 

The Connecticut Data Privacy Act (CTDPA), or Senate Bill 6: An Act Concerning Personal Data Privacy and Online Monitoring, and the Colorado Privacy Act (CPA), also known as Senate Bill 21, will be enforced as of July, meaning all covered entities will have to quickly acquaint themselves with their requirements if they haven't done so already.

As part of our dedication to customers and users alike, we have covered these laws in the Privacy regulations section of our website, which can be found here for CTDPA and here for CPA. Below, we look at some of the main points and how they relate to the CCPA, a benchmark law that most entities comply with by now:

Scope

CTDPA

Applies to entities that conduct business in the state of Connecticut or that offer products/services targeted to residents of the state of Connecticut and during the previous calendar year

  • have controlled or processed the personal data of at least 100,000 consumers, excepting the personal data of consumers controlled or processed solely for the purpose of completing a payment transaction;
  • have controlled or processed the personal data of at least 25,000 consumers and have derived more than 25% of their gross revenue from personal data selling.

CPA

Applies to any controller that “conducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado and either

  • Controls or processes the personal data of 100,000 consumers or more during a calendar year, or
  • Derives revenue or receives a discount on the price of goods or services from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.”

CCPA

Applies to entities that conduct business in the State of California or target residents of the state, and that satisfy one or more of the following thresholds:

  • Earn annual revenues of more than $25 million;
  • Collect and process personal information of at least 100,000 consumers, households or devices; or
  • Derive at least 50% of their annual revenues from selling or sharing consumers’ personal information.


Definitions

CTDPA

  • defines personal information, which it calls ‘personal data,’ as “any information that is linked or reasonably linkable to an identified or identifiable individual” but excludes from this definition both de-identified data and information made publicly available.
  • ‘sensitive data’ is “personal data that includes data on
    • racial or ethnic origin,
    • religious beliefs,
    • mental or physical health condition or diagnosis,
    • sex life, sexual orientation or citizenship or immigration status;
    • the processing of genetic or biometric data for the purpose of uniquely identifying an individual;
    • personal data collected from a known child;
    • precise geolocation data.”
  • ‘sale of personal data’ is defined as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.”

CPA

  • defines personal information as personal data, meaning “information that is linked or reasonably linkable to an identified or identifiable individual” but does not include “de-identified or publicly available information”.
  • sensitive data is defined as “personal data revealing:
    • racial or ethnic origin,
    • religious beliefs,
    • a mental or physical health condition or diagnosis,
    • sex life or sexual orientation,
    • citizenship or citizenship status,
    • genetic or biometric data that may be processed for the purpose of uniquely identifying an individual,
    • personal data from a known child.”
  • sale means “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.”

CCPA

  • defines personal information as any information that identifies, relates to, describes, or could be linked to a consumer or household and includes data such as name, email, date of birth and even IP address.
  • Sensitive personal information is information that reveals sensitive details such as:
    • precise geolocation,
    • social security number, driver’s license number, state identification card number or passport number,
    • racial or ethnic origin;
    • log-in credentials for various accounts, credit/debit card numbers alongside any access code needed to access accounts;
    • genetic information;
    • the contents of mail, e-mail or text messages, unless otherwise intended as part of the communication between the business and the website visitor.
  • sale means "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for monetary or other valuable consideration."


Consumer rights

CTDPA

  • Right to access
  • Right to correct
  • Right to delete
  • Right to data portability
  • Right to opt out of the processing of the personal data for purposes of
    • targeted advertising,
    • the sale of personal data, or
    • profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

CPA

  • Right to access
  • Right to correct
  • Right to delete
  • Right to data portability
  • Right to Opt Out: “opt out of the processing of personal data concerning the consumer for purposes of:
    • targeted advertising;
    • the sale of personal data, or
    • profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer.”

CCPA

  • Right to Know
  • Right to Delete
  • Right to Opt Out of Sale
  • Right to Non-Discrimination
  • Right to Correct
  • Right to Limit Use and Disclosure of Sensitive Personal Information.


Enforcement

CTDPA

  • The Attorney General is the sole enforcing authority.
  • There is no private right of action under CTDPA.
  • Cure period for violations: 60 days
  • Penalties: up to $5,000 per wilful violation.

CPA

  • The provisions are enforced by both the state Attorney General and the District Attorneys.
  • There is no private right of action under CPA.
  • Cure period for violations: 60 days
  • Penalties: between $2,000 and $20,000 per violation.

CCPA

  • The Attorney General is the sole enforcing authority.
  • There is a private right of action under CCPA.
  • Cure period for violations: 30 days
  • Penalties: up to $2,500 for every unintentional violation and $7,500 for every intentional violation.