On May 10, 2022, Governor Ned Lamont signed Senate Bill 6: An Act Concerning Personal Data Privacy and Online Monitoring (also known as The Connecticut Data Privacy Act or “CTDPA”), making Connecticut one of the first states to pass a comprehensive consumer privacy law.
The following are answers to Frequently Asked Questions regarding consumers’ rights and businesses’ obligations under the CTDPA. Please note that this does not constitute legal advice or an opinion from the Attorney General.
The CTDPA takes effect on July 1, 2023.

The CTDPA gives Connecticut residents certain rights over their personal data and establishes responsibilities and privacy protection standards for data controllers that process personal data. It protects a Connecticut resident acting in an individual or household context, such as browsing the Internet or making a purchase at a store. It does not protect an individual acting in an employment context, such as applying for a job.
However, the CTDPA applies to all Consumer Health Data Controllers who do business in Connecticut, regardless of their size or the nature of their data processing activities (see below section regarding Consumer Health Data Controllers).
The CTDPA also applies to service providers (called “processors”) that maintain or provide services involving personal data on behalf of covered businesses.
A controller is defined as an individual or legal entity that, independently or jointly with others, collects and processes personal data and is responsible for responding to consumer requests about the collection and processing of personal data.
The key distinction between a controller and a processor is their decision-making authority over personal data. Under the CTDPA, a processor may only process data at the request and under the direction of a controller. The processor is contractually bound by the controller’s instructions as to what the processor must and may do with personal data.
If a processor were to begin exercising decision-making authority with respect to the purposes and means of personal data processing, it would become a controller with respect to that processing and subject to the obligations imposed on controllers under the CTDPA.
A Consumer Health Data Controller is a controller that, alone or jointly with others, determines the purpose and means of processing Consumer Health Data.
The CTDPA applies to all Consumer Health Data Controllers who conduct business in Connecticut or who produce products or services targeted to Connecticut residents. Unlike other types of controllers, there are no revenue or processing thresholds that a Consumer Health Data Controller must meet for the law to apply.
No. The non-profit exemption does not apply to Consumer Health Data Controllers.

Personal data is any information that can be linked to an identifiable individual, excluding publicly available information. Some examples of personal data include: a home address, a driver’s license or state identification number, passport information, a financial account number, login credentials, and payment card information.
Under the CTDPA, a controller needs a consumer’s consent to process sensitive data.
Processing refers to any action a business may take with respect to personal data, including collecting, using, storing, selling, sharing, analyzing, or modifying the data.
The CTDPA also does not apply to certain types of personal data maintained in compliance with other laws, such as the GLBA, HIPAA, the Fair Credit Reporting Act, and the Family Educational Rights and Privacy Act, as well as personal data processed for certain specified purposes. For a complete list, see Section 3(b) of the CTDPA.
A consumer may directly contact the controller—through the channel(s) described in the controller’s required privacy notice—and request that it confirm whether it processes the consumer’s personal data.
A controller’s privacy notice must clearly describe how consumers may exercise their rights under the CTDPA. Among other methods, a controller must provide an easily accessible link on its website through which consumers can opt-out of targeted advertising or the sale of their personal data. Soon, consumers will also be able to opt-out through universal opt-out mechanisms.
Universal opt-out mechanisms are designed to afford consumers the ability to communicate a request to opt-out of the processing of their personal data across multiple websites at once, rather than having to make individual opt-out requests through each controller’s website. Under the CTDPA, universal opt-out mechanisms must be recognized by controllers as valid consumer requests beginning January 1, 2025.
Yes, a consumer can opt-out of the sale of personal data to third parties. A consumer can also designate a third party to opt-out on his or her behalf.
Yes. If a child’s personal data is being processed by a controller, the child’s parent or legal guardian may exercise rights on the child’s behalf. Controllers must follow all regulations concerning children’s online privacy established pursuant to the Children’s Online Privacy Protection Act (“COPPA”), including parental consent requirements. In addition, the CTDPA requires controllers to obtain opt-in consent before selling a consumer’s personal data, or processing personal data for the purposes of targeted advertising, when the consumer is under 16 years old.
For more exceptions, see Section 10 of the CTDPA.
Yes. The CTDPA grants consumers the right to appeal a controller’s decision denying a consumer rights request. A controller has 60 days after receipt of an appeal to write back to the consumer, explaining any actions it has taken and reasons for refusing a consumer request. If the appeal is denied, the controller must give the consumer information to contact the Attorney General should the consumer wish to file a complaint.
A consumer can request information from a controller free of charge once every 12 months. Under certain circumstances, for requests beyond the annual request, the controller may charge an administrative fee.
A controller must respond to a consumer’s request no later than 45 days after receipt of the request. Under certain conditions, the controller may extend the response period by an additional 45 days.
The Attorney General has exclusive authority to enforce violations of the Act.

No, the CTDPA does not include a private cause of action.

Yes. If the Attorney General determines that a controller could remedy a violation of the CTDPA, the Attorney General must give the controller notice of the violation before initiating a lawsuit. The controller then has 60 days to remedy the violation (called “the right to cure”). If, however, the Attorney General determines that it would not be possible for the controller to remedy the violation, no such notice or remedial opportunity is required. The right to cure sunsets on December 31, 2024.
Entities or individuals that violate the CTDPA may face civil penalties up to $5,000 per violation, pursuant to the Connecticut Unfair Trade Practices Act. In addition to civil penalties, the Attorney General can also seek injunctive relief, restitution, and/or disgorgement.