After California, Virginia, Colorado and Utah, Connecticut is the fifth of the fifty U.S. states to introduce a comprehensive consumer data privacy law. On 28 April 2022 the Connecticut House of Representatives passed the Connecticut Data Protection Act (CTDPA) as Bill No. 6, also called “An Act Concerning Personal Data Privacy and Online Monitoring”, which entered into force on 1 July 2023. In this article, we will show you who the CTDPA applies to and what the most important provisions are.
Applicability of the CTDPA
Whether the CTDPA applies to you is determined by certain threshold requirements. The law only applies to entities which conduct business in Connecticut, or produce products or services that target Connecticut residents, and which during the preceding calendar year, either controlled or processed:
- personal data of a minimum of 100,000 consumers (excluding personal data that is controlled or processed solely for the purpose of completing payment transactions), or
- personal data of a minimum of 25,000 consumers, and derived over 25 % of their gross revenue from selling personal data.
Compared to the Californian Consumer Privacy Act (CCPA) these thresholds contain no limitation of applicability to SMEs, and are significantly lower than the thresholds for applicability imposed by the CCPA, which has been in force since 1 January 2020.
The CTDPA is also not applicable to certain entities, e.g. certain state authorities, non-profit organisations, higher education institutions, national securities associations registered under the Securities Exchange Act and financial institutions, or data subject to Title V of the Gramm-Leach-Bliley Act.
Controller obligations under the CTDPA
The CTDPA obligates data controllers to fulfil certain basic data protection principles, such as data minimisation and the purpose limitation. Therefore, the collection of data has to be limited to the extent, “adequate, relevant and necessary” for the purposes of the data processing, and personal data must not be processed for purposes that are neither reasonably necessary, nor compatible with the disclosed purposes, unless the consumer has consented to it.
In addition, there must be a certain degree of transparency with regard to data processing. For this purpose, the consumer is granted the right to a, “reasonably accessible, clear and meaningful privacy notice”, which must include:
- the categories of processed personal data;
- the purposes of the processing;
- the categories of personal data shared with third parties and the categories of those third parties;
- the way in which consumers can exercise their rights and appeal decisions of the controller regarding consumer requests;
- an electronic way to contact the controller, meaning either an active e-mail address or another online mechanism.
Data controllers also have to ensure data security by implementing appropriate physical, technical and administrative safeguards. Moreover, for processing activities that present, “a heightened risk of harm” the data controller has to conduct data protection assessments. This is especially necessary in case of the processing for targeted advertising or profiling, the sale of personal data, or the processing of sensitive data.
Opt-in and opt-out requirements
In order to process sensitive data, the consumer’s consent has to be obtained. Sensitive data is defined by the CTDPA as,
- “data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation or citizenship or immigration status”,
- genetic or biometric data that is processed to uniquely identify an individual,
- “personal data collected from a known child” or
- “precise geolocation data”.
The consent option must be designed as an opt-in.
Moreover, consumers must have the possibility to opt-out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data (unless an exception applies), or, “profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.” Such decisions are those that result in the controller providing or denying, “financial or lending services, housing, insurance, education enrolment or opportunity, criminal justice, employment opportunities, health care services or access to essential goods or services.”
Thereby, the act addresses the fact that automated decision making that is based on past data, tends to perpetuate human biases and inequalities in former decision making and, therefore, can lead to consumers being excluded from essential goods and services based on past discriminatory patterns.
Consumer rights under the CTDPA
The CTDPA grants consumers, meaning residents of the states whose data is being processed and who are not acting in an employment or commercial context, a set of rights:
- to confirm whether a controller is processing their personal data;
- to obtain access to such data;
- to be provided with a copy of their personal data in a portable and readily usable format;
- to correct any inaccuracies contained therein; and
- to delete personal data provided by them or received about them.
If the consumer decides to exercise any of their rights under the CTDPA, controllers must not discriminate against the respective consumer by, “denying goods or services, charging different prices or rates for goods or services or providing a different level of quality of goods or services to the consumer.”
Enforcement and penalties
The enforcement of the provisions will be the responsibility of the Attorney General. In the period until the 31 December 2024 the Attorney General should initially notify the respective data controller of the violation, if he deems that it can be corrected. From the date of this notification, the controller should have sixty days to correct the violation. If the controller fails to do so, the Attorney General may bring an action under the CTDPA.
From 1 January 2025 the Attorney General will have discretion whether to provide the data controller or processor with an opportunity to cure the violation, considering the following criteria:
- number of committed violations;
- size and complexity of the data controller or processor;
- nature and extent of the processing activities of the data controller or processor;
- substantial likelihood of injury to the public;
- safety of individuals or property; and
- whether the alleged violations were likely caused by technical or human error.
A violation of the CTDPA constitutes an unfair trade practice under the Connecticut Unfair Trade Practices Act, which provides for penalties up to $ 5,000 per wilful violation.
The CTDPA does not provide for the possibility of private enforcement.
Similarities and differences compared to the GDPR
Compared to the GDPR, the CTDPA is narrower in scope. While the GDPR applies to anyone processing personal data by automated means or by non-automated means, if the personal data is or is intended to be part of a filing system, the CTDPA only applies to business entities that meet the above-mentioned thresholds. Moreover, the CTDPA contains significantly broader exceptions with respect to its material scope.
While the CTDPA establishes similar data protection principles and data subject rights, there is one major systemic difference compared to the GDPR. While the GDPR requires that any processing of personal data is based on a legal basis under Art. 6 GDPR, the CTDPA only sets heightened requirements for the processing of specific data or for specific processing purposes. The consumer’s consent (as an opt-in) is only necessary for the processing of sensitive data. Moreover, the consumer needs to have the option to opt-out of the processing for certain purposes, like targeted advertising or the sale of their data.
Non-sensitive data that is used for other purposes can therefore, be processed without the consumer’s consent (and without the option to opt-out), as long as the processing and its purposes are disclosed to the consumer and the data processing is limited to these purposes. By contrast, the GDPR requires a legal basis (e.g. consent) for any processing of personal data.
The CTDPA is an important step to a better protection of consumer data. If your company is conducting business in Connecticut, or is producing products or services addressed to the residents of the state and you are thereby processing data of a certain amount of residents in Connecticut; you should familiarise yourself with the rules of the regulation and ensure that you comply with them.