Guide to Connecticut Data Privacy Act (CTDPA)

The CTDPA, also known as the “Act Concerning Personal Data Privacy and Online Monitoring,” is the fifth state privacy legislation in the United States.

Official text: Senate Bill No. 6

Effective date: July 1, 2023

What is the Connecticut Data Privacy Act (CTDPA)? 

Connecticut Data Privacy Act (CTDPA) is a state privacy act in the US mandating businesses to implement reasonable measures to safeguard the personal data of Connecticut residents/individuals (consumers).

In its essence, the CTDPA shares many resemblances with privacy laws in other states such as California, VCDPA, Colorado Privacy Act, and Utah, all of which entail provisions for consumer privacy. The Act exhibits a consumer-centric focus and aligns closely with the California Privacy Rights Act (CPRA).

The CTDPA grants specific rights to Connecticut individuals concerning their personal data and sets forth obligations and privacy standards for data organizations handling such data. 

The Connecticut Attorney General’s Office enforces the CTDPA. 

The CTDPA applies to organizations that conduct business in Connecticut or that provide products or services to Connecticut individuals and in the previous calendar year controlled or processed the personal data of:

• at least 100,000 consumers or
• 25,000 or more consumers and derived over 25% of their gross revenue from selling personal data.

The Act also applies to service providers that handle personal data for covered businesses.

The CTDPA does not apply to:

• Government agencies
• Nonprofits
• Financial companies under GLBA
• Registered securities associations
• Health organizations under HIPAA
• Higher education institutions

Personal data under the CTDPA is defined broadly to include any information that can identify or reasonably be linked to a specific individual. The key aspects of what constitutes personal data include:

• Protected health information as defined under HIPAA regulations
• Pseudonymous data that could potentially identify an individual when combined with additional separate information
• Sensitive data includes information revealing racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnoses, sexual orientation, citizenship or immigration status, precise location, or any data collected from a minor (known child)

However, certain types of data are excluded from the definition of personal data:

• De-identified information with no remaining links that could identify a specific individual
• Publicly available information that has been legally shared through government records or public media platforms, assuming the consumer intentionally made that information public
• Personal data used solely to process payment transactions
• Communications content or utility usage data used only for delivering metered services
• Personal data handled under laws like HIPAA, FCRA, and FERPA

• Data minimization: Organizations must limit personal data collection to what is necessary and adequate for the disclosed processing purposes.
• Purpose limitation: Data cannot be processed for any additional purposes that are incompatible with the original purposes without obtaining consumer consent.
• Security requirements: Organizations must establish reasonable administrative, technical, and physical safeguards to protect the confidentiality, integrity, and accessibility of personal data.
• Consent requirements: Explicit consumer consent must be obtained before processing sensitive categories of personal data. 

• Non-discrimination: Organizations cannot discriminate against consumers for exercising their CTDPA rights, such as by denying services or benefits.
• Consent revoke option: Consumers must be provided an effective mechanism to revoke consent that is as accessible as the mechanism to provide consent initially.
• Privacy Notice: The privacy notice must disclose information like data collection purposes, consumer rights information, and data sharing details, and provide an easy way for consumers to contact the organization. Disclosures are required if selling data or processing it for targeted advertising, along with opt-out methods.

• Minors (13-16 years): organizations cannot process minor’s data for targeted advertising or sell data without consent if the organization is aware the consumer is under 16 years old.
• Risk assessments: organizations must conduct assessments for high-risk data processing activities like targeted advertising, sale of data, certain profiling activities, and processing sensitive data. Assessments must weigh expected benefits against potential privacy risks.

The Connecticut Data Privacy Act grants individuals specific rights regarding their personal data collected by companies. These include:

• Right to know: Individuals can request confirmation that a company collects their personal data.
• Right to access: Individuals can request to access copies of their personal data.
• Right to rectify: If individuals discover inaccuracies in the data a company holds about them, they can request corrections.
• Right to delete: individuals can ask companies to erase their personal data, including data obtained from third-party sources.
• Right to data portability: Upon request, individuals can receive their data from a company in a readily usable format to transfer to another entity.
• Right to opt-out: individuals can opt out of targeted advertising, sale of personal data to third parties, and automated profiling that significantly impacts legal rights or otherwise causes harm.

An organization’s privacy notice must clearly explain how consumers can exercise their CTDPA rights, including an accessible website link for opting out of targeted advertising or data sales. An organization is required to address consumer requests within 45 days of receiving them. In specific situations, the organization can extend the response period by an additional 45 days.

The Connecticut Data Privacy Act (CTDPA) has specific requirements for obtaining consumer consent:

Opt-in consent

• organizations must obtain opt-in consent from consumers before processing sensitive categories of personal data. This is considered an unambiguous affirmative agreement through clear means.
• For children’s data, consent mechanisms must be compliant with the parental consent verification requirements under the Children’s Online Privacy Protection Act (COPAA).
• The law prohibits using dark pattern interfaces that subvert or impair user autonomy when obtaining any form of consent.

Opt-out consent

• Individuals have the right to easily opt out of allowing the use of their data for targeted advertising, sale of personal data to third parties, and profiling for automated decision systems with legal or similarly significant effects.
• Organizations must establish easy mechanisms for consumers to submit opt-out requests, including user-friendly platforms and tools enabling choice signals to be sent from browser settings or privacy controls.
• Organizations should provide a clear and conspicuous link on their website for the consumer to opt out of data collection.
• Consumers can also designate authorized agents to opt out on their behalf through various technical means.

Universal opt-out systems let consumers easily tell multiple websites to stop using their personal information, instead of needing to opt-out on each site separately. According to the CTDPA, starting January 1, 2025, organizations must acknowledge these universal opt-out requests as valid.

Entities or individuals that violate the Connecticut Data Privacy Act may face enforcement action and civil penalties brought by the Attorney General, who has exclusive enforcement authority. Potential enforcement actions include:

• Civil penalties up to $5,000 per violation under the Connecticut Unfair Trade Practices Act
• Injunctive relief
• Restitution for impacted individuals
• Disgorgement of profits obtained through the violation

​​The CTDPA grants organizations a 60-day cure period to remedy potential violations after receiving the notice from the Attorney General. This right is only valid till December 31, 2024. Exceptions exist if violations are deemed incurable.

• Ensure accessible Privacy Policy/Notice for clear consumer information on data processing, sharing, and rights
• Review and update your Privacy Policy or Notice every 12 months
• Collect only necessary personal data for specific purposes
• Obtain explicit consent for processing sensitive data
• Allow consumers to opt out of their data collection
• Implement a universal opt-out mechanism by January 1, 2025
• Obtain parental consent for collecting personal data of minors
• Quickly address consumer requests under the CTDPA
• Conduct assessments for high-risk data processing
• Implement reasonable security measures for personal data
• Avoid discriminating against consumers and unlawful data practices

What is the full form of CTDPA?

The full form of CTDPA is the “Connecticut Data Privacy Act.”

What is the CT data privacy law 2023?

The Connecticut Data Privacy Act (CTDPA) is a comprehensive data privacy law that went into effect on July 1, 2023. The law grants Connecticut individuals a number of rights regarding their personal data, including the right to access, correct, delete, and opt out of the sale of their personal data. The law also imposes certain obligations on businesses that collect and process the personal data of Connecticut individuals.

Who does the Connecticut Privacy Act apply to?

The Connecticut Data Privacy Act (CTDPA) applies to businesses that either conduct business in Connecticut or produce products or services targeted to Connecticut individuals. Businesses that meet the following criteria are subject to the CTDPA:

• Processes the personal data of 100,000 or more consumers, excluding solely to complete a payment transaction.

• Processes the personal data of at least 25,000 consumers and derives more than 25% of gross revenue from the sale of personal data.