And Then There Were Five: Connecticut Passes Comprehensive Consumer Privacy Law
Yesterday, Governor Ned Lamont signed into law the Connecticut Data Privacy Act (“CTDPA”). Connecticut is now the fifth U.S. state to enact a comprehensive privacy law, following the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”), Virginia’s Consumer Data Protection Act (“VCDPA”), Colorado’s Privacy Act (“ColoPA”), and Utah’s Consumer Privacy Act (“UCPA”). The CPRA and VCDPA will go into effect on January 1, 2023. The ColoPA and CTDPA will go into effect on July 1, 2023 and the UCPA will follow on December 31, 2023.
What is the CTDPA?
The CTDPA is a cross-industry privacy law that provides certain privacy rights to Connecticut residents over their personal data. “Personal data” is defined broadly to include any data that is “linked or reasonably linkable” to an individual, but excludes publicly available and de-identified data. Additional compliance requirements apply to more narrowly defined categories of “sensitive data.”
Similar to the EU’s General Data Protection Regulation (“GDPR”), the CTDPA utilizes a controller/processor distinction and imposes specific duties on the controllers and processors of consumer personal data. A “controller” is defined as a person doing business in the state who determines the purposes and means by which personal data is processed. A “processor” is defined as a person who processes personal data on behalf of a controller.
Who is in Scope of the CTDPA?
The CTDPA applies to controllers and processors that:
- Conduct business in Connecticut or produce products or services targeted to Connecticut residents;
and, during the preceding calendar year, either:
- Controlled or processed the personal data of at least 100,000 Connecticut residents; or
- Controlled or processed the personal data of at least 25,000 Connecticut residents and derived more than 25% of their annual gross revenue from selling personal data.
Exemptions to the CTDPA include state and local government entities, non-profits, higher education institutions, financial institutions and information covered under the Gramm-Leach-Bliley Act (“GLBA”), entities and information covered under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), information covered under the Family Educational Rights and Privacy Act (“FERPA”), and information collected in an employment or business-to-business context.
What Are the Responsibilities of Controllers and Processors?
The duties of controllers include:
- Limiting the collection of personal data to only what is directly relevant and necessary to accomplish a specified purpose;
- Providing consumers with a mechanism for revoking consent that is at least as easy as the mechanism for providing consent;
- Specifying the express purpose for which data is collected and processed and refraining from processing data for unnecessary purposes or for purposes that are incompatible with the purposes to which the consumer consented;
- Implementing reasonable measures to secure personal data;
- Providing consumers with the right to access, delete, correct, export and opt out of the sale of their personal data or targeted advertising;
- Publishing a privacy notice that describes how the controller complies with the above requirements; and
- Performing a data protection assessment for processing activities that present a heightened risk of harm to consumers.
Processors are required to assist the controller with meeting the above obligations, adhere to controller processing instructions, and agree to specific contractual terms governing any processing performed on behalf of the controller.
How Will the CTDPA Be Enforced?
The Connecticut Attorney General (“AG”) has exclusive authority to enforce the CTDPA. The bill provides for an enforcement grace period through December 31, 2024, meaning that between July 1, 2023, and December 31, 2024, the AG must provide entities with notice of alleged violations and an opportunity to cure any such violations within the 60-day period following delivery of such notice.
What Actions Should be Taken Now?
The passage of the CTDPA adds to a growing list of state regulatory requirements. While the CTDPA will not take effect until 2023, businesses preparing for the CPRA, VCDPA, ColoPA, and/or UCPA can streamline their compliance efforts by assessing the applicability and requirements of the CTDPA in conjunction with these other privacy laws. If you have any questions about how the CTDPA will affect your organization or for assistance with any other privacy issues your business is facing, contact a member of Maynard’s Cybersecurity and Privacy Team.
This Client Alert is for informational purposes only and should not be construed as legal advice. The information in this Client Alert is not intended to create and does not create an attorney-client relationship.
About Maynard Nexsen
Maynard Nexsen is a full-service law firm with more than 550 attorneys in 24 offices from coast to coast across the United States. Maynard Nexsen formed in 2023 when two successful, client-centered firms combined to form a powerful national team. Maynard Nexsen’s list of clients spans a wide range of industry sectors and includes both public and private companies.