What is CTDPA?
The Connecticut Data Privacy Act (CTDPA), or Senate Bill 6: An Act Concerning Personal Data Privacy and Online Monitoring, is Connecticut’s consumer privacy law. It was signed into law on May 10th, 2022, and is set to become effective as of July 1st, 2023, the same date as the Colorado Privacy Act (CPA). In passing this law, Connecticut joined the ranks of US states with a data privacy law, alongside states such as California and Utah. It bears many similarities to the data privacy laws of Colorado and Virginia, but also has some differences.
What is Personal Information and what are other key
The CTDPA defines personal information, which it calls ‘personal data,’ as “any information that is linked or reasonably linkable to an identified or identifiable individual” but excludes from this definition both de-identified data and information made publicly available. At the same time, it provides a definition for what it calls ‘sensitive data,’ namely “personal data that includes data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status; the processing of genetic or biometric data for the purpose of uniquely identifying an individual; personal data collected from a known child; or precise geolocation data.”
A child is any individual under the age of 13, which is the same definition used by COPPA. A data subject is here called a ‘consumer,’ as in the other US privacy laws, and is defined as “an individual who is a resident of this state [Connecticut].” At the same time, the definition of consumer includes exceptions such as “an individual acting in a commercial or employment context or as an employee, owner, director, officer or contractor of a company, partnership, sole proprietorship, nonprofit or government agency whose communications or transactions with the controller occur solely within the context of that individual's role with the company, partnership, sole proprietorship, nonprofit or government agency.”
The CTDPA defines several further categories of consumer data that are covered by the text of the law. One such example is ‘biometric data,’ which is “data generated by automatic measurements of an individual's biological characteristics, such as a fingerprint, a voiceprint, eye retinas, irises or other unique biological patterns or characteristics that are used to identify a specific individual” but does not include “a digital or physical photograph, an audio or video recording, or any data generated from a digital or physical photograph, or an audio or video recording, unless such data is generated to identify a specific individual.” When it comes to ‘precise geolocation data,’ the CTDPA takes this to mean “information derived from technology, including, but not limited to, global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the specific location of an individual with precision and accuracy within a radius of one thousand seven hundred fifty feet” but excludes “the content of communications or any data generated by or connected to advanced utility metering infrastructure systems or equipment for use by a utility.” Last but not least, the law distinguishes between ‘de-identified data,’ defined as “data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, or a device linked to such individual,” and ‘pseudonymous data,’ which is “personal data that cannot be attributed to a specific individual without the use of additional information, provided such additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable individual.”
Under the CTDPA, a ‘controller’ is “an individual who, or legal entity that, alone or jointly with others determines the purpose and means of processing personal data” and a ‘processor’ is “an individual who, or legal entity that, processes personal data on behalf of a controller,” so there are no differences between this and other data privacy laws.
One final definition that is noteworthy is that of ‘sale of personal data,’ meaning “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” This excludes several categories of disclosure, such as
- “the disclosure of personal data to a processor that processes the personal data on behalf of the controller;
- the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
- the disclosure or transfer of personal data to an affiliate of the controller;
- the disclosure of personal data where the consumer directs the controller to disclose the personal data or intentionally uses the controller to interact with a third party;
- the disclosure of personal data that the consumer
  - (i) intentionally made available to the general public via a channel of mass media, and
  - (ii) did not restrict to a specific audience; or
- the disclosure or transfer of personal data to a third party as an asset that is part of a merger, acquisition, bankruptcy or other transaction, or a proposed merger, acquisition, bankruptcy or other transaction, in which the third party assumes control of all or part of the controller's assets.”
This definition, unlike Virginia or Utah law, includes ‘other valuable consideration’ and not just monetary consideration. In this regard, it resembles California’s CCPA or Colorado’s CPA, both of which offer similar definitions of what they consider as the sale of personal data.
Who has to comply with CTDPA?
The CTDPA is similar in scope to the Virginia and Colorado laws in that it applies to entities that conduct business in the state of Connecticut, or that offer products or services targeted to residents of the state of Connecticut, and that during the previous calendar year
- have controlled or processed the personal data of at least 100,000 consumers, excepting the personal data of consumers controlled or processed solely for the purpose of completing a payment transaction; or
- have controlled or processed the personal data of at least 25,000 consumers and have derived more than 25% of their gross revenue from the sale of personal data.
However, unlike Virginia, where the threshold is 50% of gross revenues, and Colorado, where any revenue or discount qualifies an entity, Connecticut finds itself somewhere in the middle. Additionally, it is noteworthy that this law explicitly excludes the personal data that is processed for the purpose of payment transactions, meaning that if you process debit or credit cards for the purpose of completing a sale you are not subject to the law’s requirements.
Who is excluded from CTDPA compliance?
According to Sections 3 (a) and (b) in the text of the law, several types of entities and of data are exempted from compliance. Namely, there are 6 entities and 16 types of data that are exempted.
Types of exempt entities:
- State entities and local governments;
- Nonprofit organizations;
- Higher education institutions;
- National securities associations registered under the Securities Exchange Act of 1934;
- Financial institutions or data subject to the Gramm-Leach-Bliley Act;
- Covered entities or business associates, as defined by HIPAA.
Types of data that are exempt include data such as:
- data regulated by HIPAA, FCRA, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act;
- employment related data; and
- personal data processed for personal or household activities.
How can I keep my organization CTDPA compliant?
As a controller you have a series of obligations under the CTDPA, as follows:
- You have to “limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer.”
- Unless an exception applies or you have obtained the consumer’s consent, you must not process data “for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which such personal data is processed.”
- When it comes to the security of the data, you have to “establish, implement and maintain reasonable administrative, technical and physical data security practices to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue.”
- Unless you have obtained consent from the consumer, you are not allowed to process sensitive data concerning said consumer. In the case of processing of personal data of a known child, this must be done in accordance with the COPPA.
- You must not process personal data “in violation of the laws of this state and federal laws that prohibit unlawful discrimination against consumers” and cannot “discriminate against a consumer for exercising any of the consumer rights contained in [the law], including denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer.”
- You have to provide consumers that wish to withdraw their consent with “an effective mechanism [...] that is at least as easy as the mechanism by which the consumer provided the consumer's consent and, upon revocation of such consent, cease to process the data as soon as practicable, but not later than fifteen days after the receipt of such request.”
- You have an obligation to “not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data without the consumer's consent” where you know, but choose to disregard, that the consumer “is at least thirteen years of age but younger than sixteen years of age.”
In addition to the above, you are required to take several steps in order to ensure compliance with the CTDPA:
- You have to provide consumers “with a reasonably accessible, clear and meaningful privacy notice” that includes the categories of personal data processed, the purposes, the means for exercising consumer rights, the categories of personal data shared with third parties (if any), the categories of third parties with whom you share personal data (if any), and “an active electronic mail address or other online mechanism that the consumer may use” to contact you.
- If you sell personal data to third parties or process personal data for the purpose of targeted advertising, you are required to disclose this clearly, along with the mechanism through which consumers can opt out. The opt-out mechanism, in the form of a “clear and conspicuous link,” does not have a prescribed label as of yet, but it closely resembles the “Do Not Sell or Share My Personal Information” link required by the CCPA/CPRA.
- As a data controller you are required to have a contract between yourself and the data processor. This contract “shall govern the processor's data processing procedures with respect to processing performed on [your] behalf” and will “be binding and clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing and the rights and obligations of both parties.”
- As a controller, you are required to conduct and document data protection assessments for every one of your processing activities that present a heightened risk of harm to consumers, such as:
  - the processing of personal data for the purposes of targeted advertising;
  - the sale of personal data;
  - the processing of personal data for the purposes of profiling, where such profiling presents a reasonably foreseeable risk of unfair or deceptive treatment of, or unlawful disparate impact on, consumers; financial, physical or reputational injury to consumers; a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where such intrusion would be offensive to a reasonable person; or other substantial injury to consumers;
  - the processing of sensitive data.
What data access rights does CTDPA grant?
There are five data subject access rights that the CTDPA grants to consumers, namely:
- Right to access
- Right to correct
- Right to delete
- Right to data portability
- Right to opt out of the processing of personal data for purposes of
  - targeted advertising,
  - the sale of personal data, or
  - profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
How to address data subject access requests under CTDPA?
Under the CTDPA, there are several things you need to take into account with regard to consumers’ rights and the way they can exercise them:
- You have to provide consumers with “secure and reliable means” to exercise their rights.
- Once a data subject access request has been submitted, you are required to respond to it “without undue delay, but not later than forty-five days after receipt of the request.” You may, however, extend this period “when reasonably necessary, considering the complexity and number of the consumer's requests, provided the controller informs the consumer of any such extension within the initial forty-five-day response period and of the reason for the extension.”
- If you decide to decline the request, you have an obligation to inform the consumer, no later than 45 days after receiving the request, of your decision to decline and of the way in which they can appeal it.
- When providing consumers with their data in response to a request for access, you have to do so “free of charge, once per consumer during any twelve-month period.” However, you may charge the consumer “a reasonable fee to cover the administrative costs of complying with the request” if the requests are “manifestly unfounded, excessive or repetitive,” or you may refuse the request altogether; in either case it is your responsibility to demonstrate that the request was manifestly unfounded, excessive or repetitive.
- If you are unable to authenticate a request, you are not required to comply with it, and you can ask the consumer to provide additional information so that you are able to authenticate their request. This does not apply to opt-out requests; for those, if you have “a good faith, reasonable and documented belief that such request is fraudulent,” you may deny the request, but you must notify the consumer that you will not comply with it.
- For requests that you have denied, you have to establish a process for consumers to appeal your decision within a reasonable period of time after receiving your decision. According to the law, the appeal process has to be “conspicuously available and similar to the process for submitting requests to initiate action,” and you are required, no later than 60 days after receiving an appeal, to “inform the consumer in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.” Additionally, if the appeal is denied, you have to provide the consumer “with an online mechanism, if available, or other method through which the consumer may contact the Attorney General to submit a complaint.”
Enforcement and penalties
Like the Utah, Colorado, and Virginia laws, the CTDPA does not offer a private right of action for consumers; it appoints the Attorney General as the sole enforcing authority for this law.
Between the effective date of July 1, 2023 and December 31, 2024, in the event of a violation, the Attorney General will issue a notice to the controller who is in violation, allowing for a cure period of 60 days.
If, following the cure period, the controller remains in violation of the CTDPA, the Attorney General will be able to decide on a course of action.
The penalties for violations rely on the Connecticut Unfair Trade Practices Act, under which a violation of the CTDPA is considered an unfair trade practice and is punishable by a penalty of up to $5,000 per willful violation. In addition to civil penalties, the Attorney General can also seek injunctive relief and restitution, and can demand the return of part of the revenue obtained through violation of the Act.
Data Subject Rights - GDPR vs. CTDPA
Under the GDPR:
- Right to access data
- Right to correct inaccurate data
- Right to the portability of data
- Right to delete personal information
- Right to information about how entities are sharing your data
- Right to restrict processing
- Right to object to processing
- Right to object to automated processing
Under the CTDPA:
- The Right to Access
- The Right to Correct
- The Right to Delete
- The Right to Data Portability
- The Right to Opt Out of Processing of Personal Data (for purposes of targeted advertising, selling or profiling)
How can Clym help?
- All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
- Seamless integration into your website;
- Adaptability to your users’ location and applicable regulation;
- Custom branding;
- Ready Compliance: Covering 30+ data privacy regulations;
- Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customize their individual experience.