Connecticut- the fifth state to adopt the Data Privacy Law

Introduction

Connecticut became the fifth state in the United States to adopt the data privacy law after California, Utah, Colorado, and Virginia. Connecticut Governor Ned Lamont signed in an agreement ‘An Act Concerning Personal Data Privacy and Online Monitoring’, after the bill that was in progress in April in the General Assembly. It is how the law came into action in 2022. According to Lisa Sotto’s statement (Hunton Andrew Kurth’s managing partner, and chair of the global privacy and cybersecurity practice), she feels that “There’s no better time for the federal government to step in and pass an overarching pre-emptive privacy law. Because data does not respect state boundaries and businesses often need to process personal data of residents in multiple states, it is inefficient and ultimately less protective of privacy to have varying privacy laws in the U.S.” The following blog will help you understand more about the Connecticut law, its application, provisions for consumers and controllers, entities exempted from it, and the fine.

What is the Connecticut Data Privacy Law and when was it established?

On May 4, 2022, the officials passed the data privacy bill that eventually became a law to protect the privacy of the residents of Connecticut. It was also known as “The Act of Concerning Personal Data Privacy and Online Monitoring” (CTDPA). It became law without requiring the signature of the government. It will take effect on July 1, 2023, so all the organizations have over 14 months left to meet the specific standards and compliance requirements.

Where does Connecticut Data Privacy Law apply?

Connecticut law is quite similar to the data privacy laws that have been passed in  Colorado, Utah, California, and Virginia. International Association of Privacy Professionals stated that “It draws heavily from the Colorado Privacy Act and the Virginia Consumer Data Protection Act- with many of the provisions either mirroring or falling somewhere between the Colorado and Virginia laws – but contains a few notable distinctions that should be factored into an entity’s compliance efforts.”

The CTDPA applies to all the individuals and organizations of Connecticut who:

1. Have businesses based in Connecticut
2. Businesses or organizations that offer their services or products to the Connecticut residents.
3. During the preceding calendar year, either-

(a) controlled or processed the personal data of at least 100,000 consumers (excluding for the purpose of completing a payment transaction), or 

(b) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of their gross revenue from the sale of personal data.’

What are the provisions of the Connecticut Data Privacy Law for consumers?

The Connecticut privacy law allows the residents to withdraw from sales,  advertising, and profiling. Companies and organizations need to comply with this law and should provide the option of opting out of sales and advertising-related data to their consumers. In this law, the consumer has the right to :

• to know whether or not the controller has processed their data and they should have the right access such data.
• Correct any errors in their personal data.
• Delete the personal data of the consumer.
• Get a copy of their personal data from the controller.
• Opt-out of sharing their personal data related to target advertising, sale of their data, and profiling.

What are the provisions of the Connecticut Data Privacy Law for controllers?

Some of the provisions of the Connecticut Data Privacy Law for controllers are:

• A controller should only collect personal data of the consumers that are suitable or relevant for processing. Consumers should be aware of it.
• They are not allowed to process sensitive data without the consent of their consumers.
• Should not process data in ‘violation of federal and state anti-discrimination laws.’
• Should allow their consumers to revoke consent and stop processing their data within 15 days of receiving the revocation request.
• Should not process the personal data of consumers for target advertising or sales without the consumer’s consent.

Who is exempted from this law?

The Connecticut law states that certain entities and organizations are exempted from the law. They are as follows:

• Local State Government;
• Non-profit organizations;
• National securities associations that come under the Securities Exchange Act of 1934.
• Financial institutions and data subjects are registered under Gramm-Leach-Bliley Act.
• Entities and businesses that fall under the Health Insurance Portability and Accountability Act.

What is the penalty if this law is not followed?

According to this new law, all entities and businesses are required to protect the personal data of the consumers. Not following it can lead to strict action such as it can result in a fine of up to $500 per personal data that is misused. Furthermore, these fines can reach up to $500,000, if any of the information is disclosed improperly.

Summarization of Connecticut Data Privacy Law

• Connecticut is the fifth state to enact a data privacy law.
• It is also known as ‘The Act of Concerning Personal Data Privacy and Online Monitoring’ or the ‘Connecticut Data Privacy Act (CDPA)’. 
• Governor Ned Lamont passed this law on May 4, 2022.
• It will come into effect on July 1, 2023. All organizations have 14 months left to meet the specific standards set by the state.
• The Connecticut Data Privacy Law follows the similar patterns of the privacy laws of Utah, Colorado, California, and Virginia.
• This law allows consumers to refrain from sharing their personal and sensitive personal data for matters related to target advertising, selling, and profiling.
• Local state governments, non-profit organizations, and similar entities are exempted from this law.
• Refusing to follow this law can result in a fine of up to $500 per personal data that is misused. These fines can reach up to $500,000 if any of the information is misused or disclosed improperly.