Connecticut Data Privacy Act
The Connecticut Data Privacy Act (CTDPA) is a comprehensive privacy law enacted by the Connecticut General Assembly. Effective from July 1, 2023, the CTDPA aims to enhance residents’ control over their personal data and imposes obligations on businesses to establish robust privacy programs.
Which businesses need to comply with CTDPA?
The CTDPA applies to organizations that conduct business in Connecticut or produce products or services for Connecticut residents and that either control or process the personal data of at least 100,000 consumers, or control or process the personal data of 25,000 or more consumers and derive more than 25% of their gross revenues from the sale of personal information. It also applies to service providers (called “processors”) that maintain or provide services involving personal data on behalf of covered entities.
What is the CTDPA about?
- Consumer Rights: The Act grants consumers several rights, including the right to access, correct, delete, and obtain copies of their personal data. Consumers also have the right to opt out of targeted advertising, profiling, and the sale of their personal data.
- Sensitive data: Certain categories of data, such as racial or ethnic origin and biometric data, cannot be processed without the consumer’s explicit consent.
- Data processing and security obligations: Companies are required to limit data processing to what is necessary for the purposes disclosed in their privacy notices and to implement reasonable security measures to protect personal data.
- Conduct Data Protection Assessments: Companies should conduct assessments before processing personal data in ways that pose a heightened risk of harm to consumers. This includes processing personal data for the purposes of targeted advertising, sales or profiling, and processing sensitive data.
Impact for Businesses
Failure to comply with the CTDPA carries severe penalties, exposing organizations to hefty fines ($5 million annually or 3% of global revenue) and reputational damage. Given the increased focus on data protection, organizations should start to re-evaluate their privacy protocols immediately.